How should I rsync files in /var/www if I want them to be owned by www-data?

You don't want them owned by www-data. Apache initially runs as root and then drops privileges to www-data. You don't want your web content writable by the user that owns the apache processes. This creates a security vulnerability.

In the event that Apache is breached, ideally the www-data user will have no access to any of the system. This is the most secure configuration. If the web content is owned by www-data and Apache is breached, then the attacker can overwrite any of your web content.

Your web content should be owned by a normal user (this excludes nobody, www-data and root). Only things that need to be writable by Apache should be owned by www-data.


Author: cwd

Updated on September 18, 2022

Comments

  • cwd
    cwd almost 2 years

    I have set up a new ec2 ubuntu box and installed apache and php5. By default you log onto the box with the ubuntu user who has sudo privileges.

    I believe apache runs as root and php5 runs as www-data.

    I think that I want all of the files in /var/www to be chown'ed to www-data:www-data, and folders set as 755 and files as 644 - unless there is an issue with that.

    Things run fine like this, but my issue is that when I rsync files from my laptop to the server it changes the ownership on them (and adds new files) to ubuntu:admin.

    I have been through the rsync manual and searched Google, and I've seen a syntax like:

    rsync -avzcO (source) (destination) --owner=www-data --group=www-data
    

    However, it appears that --owner and --group don't take an argument but instead are meant to force the remote files to have the same owner as on the local file system if rsync is being run as a super user.

    So, I haven't found a solution with rsync to set the remote user and group of files during rsync.

    What am I doing wrong?

    Thoughts:

    • Maybe my files in /var/www should just be owned by ubuntu:admin ?
    • Maybe I have the rsync syntax wrong
    • I guess I could rsync as the www-data user but that doesn't seem like a good idea
    • I could use suPHP like I would do on a shared host, but that seems like quite a bit of trouble
  • cwd
    cwd about 12 years
    So then it being owned by ubuntu:admin would be an acceptable practice? And if I am running something like WordPress then the uploads folder could be either chmod 777 or owned by www-data - right?
  • bahamat
    bahamat about 12 years
    Yes, that's right. I would make the uploads either owned by root:root and mode 1777 or owned by root:www-data and mode 1775.
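An added audit script (not posted by anyone in this thread) that checks a web root against the layout the answer and bahamat's last comment describe: nothing owned by the web-server account, no group- or world-writable files, and writable directories only when the sticky bit is set (1775 or 1777). The account name www-data and the sample tree it builds under mktemp are assumptions for the demo, not a real deployment.

```shell
#!/bin/sh
# Audit a web root for anything the web-server account could modify.
# Prints one finding per line; prints nothing if the tree is clean.
audit_webroot() {
    root=$1
    webuser=${2:-www-data}   # assumed name of the account Apache drops to

    # 1. Paths owned by the web-server user: if Apache is compromised, that
    #    account can rewrite them. Skipped if the account does not exist here.
    if webuid=$(id -u "$webuser" 2>/dev/null); then
        find "$root" -uid "$webuid" -print | sed 's/^/owned-by-web-user: /'
    fi
    # 2. Regular files writable by group or others (e.g. mode 664 or 666).
    find "$root" -type f -perm /022 -print | sed 's/^/writable-file: /'
    # 3. Group/world-writable directories without the sticky bit; upload
    #    directories set to 1775 or 1777 pass this check.
    find "$root" -type d -perm /022 ! -perm -1000 -print | sed 's/^/writable-dir-no-sticky: /'
}

# Number of findings, handy for scripts and tests.
audit_count() {
    audit_webroot "$@" | grep -c . || true
}

# Build a constructed sample tree (not a real site) containing two mistakes.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/html/wp-content/uploads" "$t/html/cache"
    echo '<?php echo 1;' > "$t/html/index.php"
    echo '<?php $db = "x";' > "$t/html/config.php"
    chmod 755 "$t" "$t/html" "$t/html/wp-content"
    chmod 644 "$t/html/index.php"
    chmod 666 "$t/html/config.php"            # mistake: anyone can edit it
    chmod 1775 "$t/html/wp-content/uploads"   # acceptable: writable, sticky bit set
    chmod 777 "$t/html/cache"                 # mistake: writable, no sticky bit
    printf '%s\n' "$t"
}

# Demo run against the sample tree: reports config.php and cache only.
sample=$(make_sample_tree)
audit_webroot "$sample"
rm -rf "$sample"
```

Run it as `audit_webroot /var/www www-data` on a real host; anything it prints is content a compromised Apache could alter, apart from directories you deliberately made writable.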