How should I rsync files in /var/www if I want them to be owned by www-data?
You don't want them owned by www-data. Apache initially runs as root and then drops privileges to www-data. You don't want your web content writable by the user that owns the apache processes. This creates a security vulnerability.
In the event that Apache is breached, ideally the www-data user will have no access to any of the system. This is the most secure configuration. If the web content is owned by www-data, if Apache is breached then the attacker can overwrite any of your web content.
Your web content should be owned by a normal user (this excludes nobody, www-data and root). Only things that need to be writable by Apache should be owned by www-data.
cwd
Updated on September 18, 2022

Comments

- cwd almost 2 years

I have set up a new ec2 ubuntu box and installed apache and php5. By default you log onto the box with the ubuntu user who has sudo privileges.

I believe apache runs as root and php5 runs as www-data.

I think that I want all of the files in /var/www to be chown'ed to www-data:www-data, and folders set as 755 and files as 644 - unless there is an issue with that.

Things run fine like this, but my issue is that when I rsync files from my laptop to the server it changes the ownership on them (and adds new files) as ubuntu:admin

I have been through the rsync manual and searched Google, and I've seen a syntax like:

    rsync -avzcO (source) (destination) --owner=www-data --group=www-data

However it appears that --owner and --group don't take an argument but instead are meant to be used to force the remote files to have the same owner as on the local file system if rsync is being done as a super user.

So, I haven't found a solution with rsync to set the remote user and group of files during rsync.

What am I doing wrong?

Thoughts:
- Maybe my files in /var/www should just be owned by ubuntu:admin?
- Maybe I have the rsync syntax wrong
- I guess I could rsync as the www-data user but that doesn't seem like a good idea
- I could use suPHP like I would do on a shared host, but that seems like quite a bit of trouble

- cwd about 12 years
So then it being owned by ubuntu:admin would be an acceptable practice? And if I am running something like wordpress then the uploads folder could be either chmod 777 or owned by www-data - right?

- bahamat about 12 years
Yes, that's right. I would make the uploads either owned by root:root and mode 1777 or owned by root:www-data and mode 1775.
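
Added example, not part of the original answer or comments: a shell function that audits a document root against the ownership rule in the answer, listing every path the web server account owns or can write to. The function name `audit_docroot` and its optional allow-listed directory (for an intentionally writable uploads folder, as in the last comment) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a document root against the ownership rule above.
# audit_docroot DOCROOT [WEB_USER] [WEB_GROUP] [ALLOWED_WRITABLE_DIR]
#   DOCROOT:              directory to scan, given without a trailing slash.
#   WEB_USER / WEB_GROUP: the account Apache drops to (name or numeric ID).
#   ALLOWED_WRITABLE_DIR: one directory that is meant to be writable, for
#                         example DOCROOT/uploads; it is skipped together
#                         with its contents. Must start with DOCROOT.
audit_docroot() {
    docroot=$1
    web_user=${2:-www-data}
    web_group=${3:-www-data}
    allowed=${4:-}

    # A path is reported when the web server account could change it:
    #   - it is owned by WEB_USER (an owner can always chmod its own files),
    #   - or its group is WEB_GROUP and the group-write bit is set,
    #   - or it is world-writable.
    # Directories count too: write access to a directory allows replacing
    # the files inside it. Symlinks are skipped because their own mode
    # bits carry no meaning.
    find "$docroot" -path "$allowed" -prune -o \
        ! -type l \( \
            -user "$web_user" \
            -o \( -group "$web_group" -perm -020 \) \
            -o -perm -002 \
        \) -exec ls -ld {} +
}

# Typical use on the server; anything listed is writable by the web server
# account and should be reviewed:
#   audit_docroot /var/www www-data www-data /var/www/uploads
```

Each reported line is `ls -ld` output, so the owner, group and mode that caused the match are visible next to the path.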