How to allow www-data to create a folder without giving read access to the parent folder


Solution 1

You can't do what you state in a useful way, but there's undoubtedly something that's close enough and that will do what you really want.

Even if you arranged to create the directory, the www-data user would still not be able to access /some-path/subdirectory, because the subdirectory can only be accessed through the parent directory. (There are ways around this, but none that I recommend. You can have a process that can access both /some-path and /some-path/subdirectory change to /some-path/subdirectory, then drop privileges; the resulting process will still be able to access its current directory (but not through its absolute path). You can bind-mount the directory in another location, but if you're going to do that you might as well create the directory elsewhere.)

Arrange for these directories to be located under a directory that www-data can at least access (x permission bit). If the problem is that the directory must belong to another user and another group, set an access control list on the directory (setfacl -m user:www-data:x /some-path) — see How to restrict to run commands in specific directory through SUDOERS? for more information.

If the www-data user cannot write to /some-path, you'll still need elevated privileges to create the directory. You'll need to do at least two things, perhaps three:

  1. create the subdirectory as a user with sufficient privileges;
  2. if necessary, change the ownership of the subdirectory;
  3. if necessary, change the permissions of the subdirectory.

If the subdirectory must belong to the www-data user, you can create it as a group that can write to /some-path. If necessary, set an ACL that allows some-group to write to /some-path: setfacl -m group:some-group:rwx /some-path. Then give www-data the right to execute the mkdir command with sudo. Run visudo and add the following rule:

# Allow only names built from [-0-9A-Z_a-z] that start with a letter, digit or underscore; the negated entry denies any argument containing another character (including '/', '.' and spaces).
www-data ALL = ( : some-group) /bin/mkdir /some-path/[0-9A-Z_a-z]*, !/bin/mkdir /some-path/*[!-0-9A-Z_a-z]*

This allows www-data to run sudo -g some-group mkdir /some-path/foo-bar to create subdirectories in /some-path.

If the subdirectory must belong to another user who can write to /some-path, run the mkdir command as that user. You might be able to arrange for the directory to have the correct permissions and ownership at creation time. For the sudoers file:

# Same name restriction as above; the fixed '-m 775' must be given exactly so the argument pattern matches.
www-data ALL = (some-user : some-group) /bin/mkdir -m 775 /some-path/[0-9A-Z_a-z]*, !/bin/mkdir -m 775 /some-path/*[!-0-9A-Z_a-z]*

Run sudo -u some-user -g some-group mkdir -m 775 /some-path/foo-bar to create a group-writable directory belonging to some-user:some-group under /some-path.
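As an added example that is not part of the answer above: the caller-side counterpart of the sudoers rule, a POSIX sh wrapper that applies the same name whitelist before invoking sudo, so the web application never hands sudo an argument containing a path separator, a dot, a space or a leading dash. /some-path, some-group and the sudo -g form are taken from the answer; the function names and PARENT variable are chosen here.

```shell
#!/bin/sh
# Added example, not from the original answer: caller-side validation that mirrors
# the sudoers pattern (first character in [0-9A-Z_a-z], the rest in [-0-9A-Z_a-z]),
# so the web application never passes sudo a name containing '/', '.', a space or a
# leading '-'. PARENT, some-group and the function names are assumptions.
LC_ALL=C; export LC_ALL          # byte-wise [a-z] ranges, independent of locale

PARENT=/some-path

# Return 0 when $1 is a single, safe path component; 1 otherwise.
valid_subdir_name() {
    name=$1
    [ -n "$name" ] || return 1
    case $name in
        *[!-0-9A-Z_a-z]*) return 1 ;;   # any character outside the whitelist
        -*)               return 1 ;;   # would be parsed as an mkdir option
    esac
    return 0
}

# Create $PARENT/$1 through the sudoers rule; refuse before calling sudo on bad input.
create_subdir() {
    if ! valid_subdir_name "$1"; then
        printf 'refused directory name: %s\n' "$1" >&2
        return 2
    fi
    sudo -g some-group /bin/mkdir "$PARENT/$1"
}
```

The validator is deliberately stricter than the sudoers pattern alone needs to be: rejecting input in the application avoids relying on sudo's wildcard matching as the only barrier.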

Solution 2

Not sure if the following approach suits your situation or not:

Let's assume the following:

  • A www-data-writable directory: /var/www/data
  • The originally intended parent directory: /home/parent

Do this:

ln -s /var/www/data /home/parent/data

So instead of www-data writing directly under /home/parent, the data can be accessed under the parent directory through the symbolic link.

It can also be done with a local mount as follows:

mount -o bind /var/www/data /home/parent/data

Or mount onto the parent directory directly:

mount -o bind /var/www/data /home/parent

With the local mount method, the destination directory behaves as a normal file system.

Author by

Highly Irregular


Updated on September 18, 2022

Comments

  • Highly Irregular
    Highly Irregular over 1 year

    I'm not exactly sure the right question to ask, so I'll try to explain what I'm trying to do.

    I have an internal web application (in PHP) that I want to be able to create a folder. The trouble is that the Apache user www-data doesn't have any access to the parent folder that I want my folder to be created in.

    I don't think it's appropriate to give www-data access to the parent folder, so I'm wondering if I can create a script somewhere that www-data can run which has more privileges than www-data does. The script would simply do something like this (pseudocode):

    FOLDER_NAME=$(sanitise "$1")      # sanitise: placeholder for a name-whitelisting step
    mkdir "/some-path/$FOLDER_NAME"


    Where would it be appropriate to create this script, and how would it be run by www-data as root? (Or alternatively, is there a better way to solve the problem?)

    I'm running Debian Linux.

    • Kevin
      Kevin over 11 years
      I believe if you give just x permission it will allow the user to traverse the parent folder (i.e. pass through it to access its folder) but not list its contents.
  • Highly Irregular
    Highly Irregular over 11 years
    Hmm, that's a good idea, but I think one that isn't ideal in my situation, as it may create confusion with backups and other location-based scripting.
  • John Siu
    John Siu over 11 years
    update answer with local mount method.
  • Highly Irregular
    Highly Irregular over 11 years
    This stuff makes my head spin! Thanks for your effort on this; I will come back to it next week.