Locking down /var/www properly

**thany** · September 11th, 2012

It seems to me that there are as many ways to do this as there are sysadmins out there. This is what I came up with.

Security of /var/www is left as-is.

Security of the directories and subdirectories under /var/www have the following perm/user/group:
drwxrws--- martijn www

Security of files in those directories (recursive) is:
-rw-rw---- martijn www

martijn is the owner. www is the group.
www-data is member of www.

I need my websites to be writable by themselves. Please don't dive into this, this is just the way I need it. For this requirement, the security seems quite alright to me. Good enough at least.

However, I stumble upon an issue. When a website updates itself, it will create some new files and whatnot. But if the www-data user creates a new file, this becomes the security:
-rw-r--r-- www-data www

This I don't want. I want any new files and directory to *inherit* from their parent. The security mask should be inherited, the owner should be inherited, and the group is already inherited.

How do I achieve this? How do I make the security mask and file owners inheritable?

**CharlesA** · September 11th, 2012

All the directories under /var/www/ are set to root:root with -rwx-r-x-r-x on my boxes.

That is unless I have them being served from the user's home directory.

**Lars Noodén** · September 11th, 2012

You should probably remove www-data from www. It is not such a good idea to leave the web server with general write access.

About the directories keeping the permissions, try setting the Set Group ID bit.

Code:

# do once
sudo chgrp -R www /var/www

sudo find /var/www -type d -exec chmod g=rwxs "{}" \;
sudo find /var/www -type f -exec chmod g=rws "{}" \;

# repeat for each user:
sudo gpasswd --add martijn www

**redmk2** · September 11th, 2012

Originally Posted by Lars Noodén

You should probably remove www-data from www. It is not such a good idea to leave the web server with general write access.

About the directories keeping the permissions, try setting the Set Group ID bit.

Code:

# do once
sudo chgrp -R www /var/www

sudo find /var/www -type d -exec chmod g=rwxs "{}" \;
sudo find /var/www -type f -exec chmod g=rws "{}" \;

# repeat for each user:
sudo gpasswd --add martijn www

I don't see the problem of www-data updating the files. This is a system user that Apache runs under. When you set the GID bit for all directories and files created by any user it has the www group set; correct?. The www-data user has limited abilities by design.

If I was to do anything different I would just use the www-data group to begin with. Actually that is what I do. In fact I also provide the virtual hosts with a document root of /data/www/<virtual_host>. This is a separate partition (spindle). Do you see any problems with this set up. If so; what problems do you foresee?

**CharlesA** · September 11th, 2012

It isn't a good idea to give www-data write access. If it needs anything, it is read access only.

**redmk2** · September 11th, 2012

Originally Posted by CharlesA

It isn't a good idea to give www-data write access. If it needs anything, it is read access only.

Can you explain why that is?

Edit: Maybe I should be more specific. I'm only giving write rights for www-data to the file system /data/www (the various document roots). This is not giving execute rights or access to the system files. We are only talking about data files here.

**CharlesA** · September 11th, 2012

www-data is the user apache runs as, and if apache was somehow compromised, they would have write access to that area of the file system.

**redmk2** · September 11th, 2012

Originally Posted by CharlesA

www-data is the user apache runs as, and if apache was somehow compromised, they would have write access to that area of the file system.

Not trying to argue, just learn.

So what you are saying is that only the data is at risk; right?

What is the case if we have mortal users (and a group such as www-users). What risks do we have there?

The original reason I used www-data is that it was there already! Where can we find information on hardening Apache2?

**CharlesA** · September 11th, 2012

I am not too experienced with hardening Apache, but if you allow www-data to write to your site's root folder, and apache is compromised, your site could potentially be compromised as well. Even if www-data doesn't have world writable access, it might leave a hole open if there was a privilege escalation exploit left unpatched.

A compromised site can be modified to spread malware and the like.

**redmk2** · September 11th, 2012

Originally Posted by CharlesA

I am not too experienced with hardening Apache, but if you allow www-data to write to your site's root folder, and apache is compromised, your site could potentially be compromised as well. Even if www-data doesn't have world writable access, it might leave a hole open if there was a privilege escalation exploit left unpatched.

A compromised site can be modified to spread malware and the like.

I guess I will have to create a new group. So much for using an existing www group in my situation. In my case the server is a test prototype and therefore is not connected to the internet.

Take heed OP we need to find a way other than using www-data either in the group or as the the group itself.

Thank you @CharlesA for your insight and patience.

Thread: Locking down /var/www properly

Thread Tools

Display

Locking down /var/www properly

Re: Locking down /var/www properly

Re: Locking down /var/www properly

Re: Locking down /var/www properly

Re: Locking down /var/www properly

Re: Locking down /var/www properly

Re: Locking down /var/www properly

Re: Locking down /var/www properly

Re: Locking down /var/www properly

Re: Locking down /var/www properly

Tags for this Thread

Bookmarks

Bookmarks

Posting Permissions