Apache permissions to allow both user and web server to edit /var/www


It's possible to set different group and user access for files and directories, and this will allow both Apache and your user1 user to edit what's in /var/www without requiring root/sudo and without making anything world-writable.

So, set the "user" permission inside /var/www to user1. Set the "group" permission to www-data (but ONLY for the specific files or directories that the web server needs to write to).

sudo chown -R user1:user1 /var/www
sudo chgrp www-data /var/www/specific-file

You should avoid letting the web server write to the entire /var/www directory and its contents, instead giving the above group permission only to the specific files where this is necessary. It is a good security principle to limit the web server's access to write to files to only those files that it is strictly necessary for - and it is a good idea to try and ensure those files are not executed directly (aren't .php or other executable scripts, for example).


Author: alebal

Updated on September 18, 2022

Comments

  • alebal
    alebal over 1 year

    For security reasons I would like to disable root access via ssh.

    I created a new user (user1) with administrative permissions.

    adduser user1
    usermod -aG sudo user1
    

    and assigned the /www directory to this user.

    sudo chown -R $USER:$USER /var/www/
    sudo chmod -R 755 /var/www
    

    (My folders structure is www/site1.com, www/site2.com, etc.)

    My sites need to write some files (such as sitemaps, rss feeds, etc.) so I set the permissions of the www directory to:

    sudo chown -R www-data:www-data /var/www
    sudo chmod -R 755 /var/www
    

    Now, however, user user1 works perfectly via shell with the sudo command, but can no longer add/edit/delete files and folders in the /www directory and its subdirectories via sftp.

    I read many guides, how to set up apache permissions to increase security, to share administration with other users, etc. etc. etc.

    But I still did not understand how to solve my problem.

    Currently to be able to handle files on my server via sftp I have to use the root user, with peace of mind for security.

    Did I miss something about setting user or folders permissions?

  • alebal
    alebal about 5 years
    My problem is that I don't know which files are added or modified by the server. For example, I have sites with thousands of pages, and a script that generates the sitemap_index.xml and sitemap.xml files. Every 5000 URLs a new file is created (e.g. sitemap_15000.xml), which is later rewritten to add all new URLs, and it fails to write these files if it is not www-data, but I cannot touch the files in sftp with the user user1 if it is www-data.
  • Dan
    Dan about 5 years
    @alebal You can create a directory called sitemaps and make it writable by www-data and put your sitemaps in that directory. This way you won't have to worry about permissions being modified on that directory as users would very rarely (if ever) need to touch that directory since it is populated by apache only.
  • alebal
    alebal about 5 years
    When I try to create a directory it says: permission denied. But I'm not sure about the group of user1... when I created it I also ran: usermod -aG sudo user1. Is user1 in the www-data group? How can I check that and, if needed, assign it?
  • alebal
    alebal about 5 years
    I thought about it too, it's not a bad idea, but I have about 50 sites on this server each with its sitemaps, it would be a great job to change all the sitemap scripts, files, internal and external links, etc. Moreover the permissions on the sitemap files are modified and set by the php file that creates them, they should be able to do it themselves, no?
  • s1mmel
    s1mmel about 5 years
    I added the info for you
  • alebal
    alebal about 5 years
    I tried, but something doesn't seem to work yet. I added user1 in the file etc/group, also made a reboot of the server. I have set the permissions on /var/www, because I have there all my sites, I can not change folder. But it still does not work, if I connect in sftp with FileZilla and user1, I do not have permission to create files and folders. In the end I still can not disable the root user, because I need to manage the files of my sites.
  • s1mmel
    s1mmel about 5 years
    Well, there might be another way; it is ugly but should definitely work. Edit /etc/passwd and give the user www-data a /bin/bash and also a password and log in as www-data; this way you have no problems at all. But you might think a moment about security. Maybe an sftp server could help here; vsftp is more or less easy to set up with virtual users (which can then point towards user www-data).
  • alebal
    alebal about 5 years
    Umh... I do it to increase security, I don't want to risk decreasing it even more. I think rather calmly and with time to change the structure of files in my Sites, creating folders for sitemap files and images to be assigned to the user www-data, everything else to user1, but it will take some time unfortunately...
  • s1mmel
    s1mmel about 5 years
    You should consider using sftp through ssh with keys; this way you could even use the user www-data for it. If you work on Windows, take a look at winscp and putty. Create a passwordless ssh key and put it on your server.
  • alebal
    alebal about 5 years
    What do you mean? I use Ubuntu (Linux Mint) also for desktop PCs and I use the key to access sftp; am I missing something?
  • s1mmel
    s1mmel about 5 years
    Well, if you use sftp over ssh with keys, you could also use the www-data user. Just give the user www-data a /bin/bash in /etc/passwd and a /var/www/.ssh dir with the authorized_keys file in it and you are good to go.
  • mehov
    mehov over 4 years
    Let's say the server needs to write to a folder owned by user1:www-data; is it safe to set the permissions on that folder to 0775 instead of 0755? Or should I instead allow everything to www-data and just SSH with that user like suggested below?
  • thomasrutter
    thomasrutter over 4 years
    Yes, setting the group write bit is fine, though you'll need a way of ensuring new files created in there get the permissions you want. No, do not ever use www-data to log in as, or add any user to the www-data group, or give www-data any additional permissions beyond necessary. It's an unprivileged account. Some other answers are recommending bad security practices.
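The scheme from the accepted answer and the 0775 / "new files get the right permissions" exchange in the comments, as an added example script (not from the answer or the thread): owner user1, group www-data only on the handful of directories the web server writes to, setgid on those directories so files Apache creates inherit the group, nothing world-writable, and audit functions to confirm that. The user, group and "sitemaps" directory names are the thread's; the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the answer. Assumes the layout in the question:
# $WEBROOT holds one directory per site, owned by user1:user1, and only a few
# directories (e.g. site1.com/sitemaps) must be writable by the web server's
# group www-data. Substitute your own names.
set -eu

# apply_web_perms WEBROOT OWNER:GROUP WEBGROUP DIR...
# Everything under WEBROOT becomes owner-writable only (0755/0644). Each DIR
# (relative to WEBROOT) is handed to WEBGROUP with group-write: 2775 on
# directories (setgid, so files the web server creates inherit the group),
# 0664 on files. Nothing is made world-writable.
apply_web_perms() {
  webroot=$1; ownerspec=$2; webgroup=$3; shift 3
  chown -R "$ownerspec" "$webroot"
  find "$webroot" -type d -exec chmod 0755 {} +
  find "$webroot" -type f -exec chmod 0644 {} +
  for d in "$@"; do
    chgrp -R "$webgroup" "$webroot/$d"
    find "$webroot/$d" -type d -exec chmod 2775 {} +
    find "$webroot/$d" -type f -exec chmod 0664 {} +
  done
}

# Audit helpers: each prints a count that should be small and explainable.
# world_writable_count WEBROOT -> entries anyone on the box can modify (expect 0)
world_writable_count() {
  find "$1" -perm -o+w | wc -l | tr -d ' '
}
# group_writable_count WEBROOT -> entries the web server's group can modify
group_writable_count() {
  find "$1" -perm -g+w | wc -l | tr -d ' '
}
# group_writable_scripts WEBROOT -> *.php the web server could overwrite;
# the answer recommends keeping this at 0
group_writable_scripts() {
  find "$1" -type f -name '*.php' -perm -g+w | wc -l | tr -d ' '
}

# On a real server, run as root, e.g.:
#   apply_web_perms /var/www user1:user1 www-data site1.com/sitemaps
#   world_writable_count /var/www   # expect 0
```

Run the audit functions again after any deploy or script run; a rising group-writable count, or any world-writable entry, means something other than this scheme has been setting permissions.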