Best permissions/ownership for apache document root
Solution 1
Create a new group
groupadd webadmin
Add your users to the group
usermod -a -G webadmin user1
usermod -a -G webadmin user2
Change ownership of the sites directory
chown root:webadmin /var/www/html/
Change permissions of the sites directory
chmod 2775 /var/www/html/ -R
Now anybody can read the files (including the apache user) but only root and webadmin can modify their contents.
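The following script is an added example, not part of the answer above. It applies the same layout (group-owned tree, setgid directories so new files inherit the group) but sets 2775 only on directories and 0664 on files, so that the recursive chmod does not leave every .php and .html file marked executable, which is the caveat raised later in the comments. It also shows the umask effect on newly created files. The group name webadmin, the site names and the file names are assumptions for the demo; the docroot argument can be any writable directory, and chgrp is only attempted when the group exists.

```shell
#!/bin/sh
# Added example (not from the original answer). Group name "webadmin" and the
# site/file names below are assumptions for the demo.
set -eu

# mode_of PATH -> the 10-character ls mode string, e.g. drwxrwsr-x
mode_of() { ls -ld "$1" | cut -c1-10; }

# harden_docroot DOCROOT [GROUP]
# chgrp the tree (only if GROUP exists on this host), then 2775 on every
# directory (setgid so new files inherit the group) and 0664 on every file.
harden_docroot() {
    docroot=$1; group=${2:-webadmin}
    if command -v getent >/dev/null 2>&1 && getent group "$group" >/dev/null 2>&1; then
        chgrp -R "$group" "$docroot" \
            || echo "warning: chgrp to $group failed (needs root or group membership)" >&2
    fi
    find "$docroot" -type d -exec chmod 2775 '{}' +
    find "$docroot" -type f -exec chmod 0664 '{}' +
}

# check_docroot DOCROOT -> 0 if every directory is setgid + group-writable and
# no regular file is executable or world-writable; 1 otherwise.
check_docroot() {
    docroot=$1
    # any directory missing one of the 2775 bits
    [ -z "$(find "$docroot" -type d ! -perm -2775)" ] || return 1
    # any file with an execute bit for anyone, or the world-write bit
    [ -z "$(find "$docroot" -type f \( -perm -100 -o -perm -010 -o -perm -001 -o -perm -002 \))" ] || return 1
    return 0
}

# umask_demo UMASK -> mode string of a file created under that umask; shows why
# the ssh users need umask 002 (not the usual 022) for group-editable files.
umask_demo() {
    d=$(mktemp -d)
    ( umask "$1"; : > "$d/new.php" )
    mode_of "$d/new.php"
    rm -rf "$d"
}

# Demo on a scratch copy of the tree the question describes.
main() {
    root=$(mktemp -d)
    mkdir -p "$root/site1/uploads" "$root/site2"
    printf '<?php phpinfo();' > "$root/site1/index.php"
    printf '<html></html>' > "$root/site2/index.html"
    chmod -R 0777 "$root"        # the world-writable starting state from the question
    harden_docroot "$root" webadmin
    if check_docroot "$root"; then
        echo "ok: $(mode_of "$root/site1") $(mode_of "$root/site1/index.php")"
    else
        echo "check failed" >&2
    fi
    echo "umask 022 -> $(umask_demo 022)   umask 002 -> $(umask_demo 002)"
    rm -rf "$root"
}
main
```

check_docroot is the test you would run after any deploy: it flags a directory that lost its setgid bit (a fresh mkdir by a user with the wrong umask, or an rsync that rewrote modes) before Apache ever serves from it. Note that it only checks mode bits; with the ACL approach in Solution 2 you would inspect getfacl output instead.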
Solution 2
I prefer to mount the partition with -o acl. This allows you to use the setfacl command to set fine-grained permissions on files and folders, instead of only specifying user-group-other permissions.
So add acl to your partition's line in /etc/fstab, or remount with mount -o remount,acl /mnt/xy, and then give ownership of your web directory to nobody:nobody. Chmod it to 770, and use setfacl to give write permissions only on the folders that need it, e.g. give www-data (or the user your webserver runs as) write permissions for the upload folder, and give write permissions to your own user for the whole directory.
mkdir dir
chown nobody:nobody dir
chmod 770 dir                                        # owner/group only; everyone else is granted access via ACLs
setfacl -m u:www-data:r-x,d:u:www-data:r-x dir       # webserver: read/traverse, default entry inherited by new files/dirs
setfacl -m u:youruser:rwx,d:u:youruser:rwx dir       # your own user: full access, inherited
mkdir dir/upload                                     # created after the defaults above so it inherits them
setfacl -m u:www-data:rwx,d:u:www-data:rwx dir/upload   # webserver may write here only
Now nobody can read your files, apart from your webserver and your own user. You can write to every file in the folder, and the webserver can only write into the upload folder.
Marco
Updated on September 17, 2022

Comments

- Marco, over 1 year:
I need some help setting the correct permissions or ownership of the apache document root. Here is what I need:
  - different websites stored in /var/www/html/<site>
  - two users should update/manage the websites through ssh
  - ownership should be different than the apache user (for security)
How can I do this? At the moment all files are world-writeable, which isn't good. The server runs CentOS 5.5
Thanks
- Quinn Comendant, almost 11 years: For a more detailed answer with other options for securing a docroot, see serverfault.com/questions/357108/…
- the accountant, almost 6 years: I think it's better to store each website in a separate location (don't put both at DocumentRoot; use 2 virtual hosts). Then each sysadmin user owns only his own website, and set the group owner of both website directories to the Apache group.
- Marco, over 13 years: That looks good. But what happens if a user creates new files or copies updated files? Are those permissions applied automatically, or does he need to chown and chmod every time?
- Andy, over 13 years: Copied files maintain permissions/ownership. Default file permissions for new files are handled by the umask command. More info here: osr507doc.sco.com/en/OSUserG/_default_perms_new_file.html
- covener, over 13 years: you could make the dir setgid webadmin to help with new files
- James Broadhead, almost 13 years: ^ +1. The quick way would be: chmod 2775 -R /var/www/html/
- Andy, almost 13 years: @James ta, updated
- Elliptical view, over 5 years: In the final step, you might want to NOT set all files in this folder as executable. Rather just chmod 2775 /var/www/html, i.e. not recursive.