How to allow www-data to create a folder without giving read access to the parent folder
Solution 1
You can't do what you state in a useful way, but there's undoubtedly something that's close enough and that will do what you really want.
Even if you arranged to create the directory, the www-data user would still not be able to access /some-path/subdirectory, because the subdirectory can only be accessed through the parent directory. (There are ways around this, but none that I recommend. You can have a process that can access both /some-path and /some-path/subdirectory change to /some-path/subdirectory, then drop privileges; the resulting process will still be able to access its current directory (but not through its absolute path). You can bind-mount the directory in another location, but if you're going to do that you might as well create the directory elsewhere.)
Arrange for these directories to be located under a directory that www-data can at least access (x permission bit). If the problem is that the directory must belong to another user and another group, set an access control list on the directory (setfacl -m user:www-data:x /some-path) — see How to restrict to run commands in specific directory through SUDOERS? for more information.
If the www-data user cannot write to /some-path, you'll still need elevated privileges to create the directory. You'll need to do at least two things, perhaps three:
- create the subdirectory as a user with sufficient privileges;
- if necessary, change the ownership of the subdirectory;
- if necessary, change the permissions of the subdirectory.
If the subdirectory must belong to the www-data user, you can create it as a group who can write to /some-path. If necessary, set an ACL that allows some-group to write to /some-path: setfacl -m group:some-group:rwx /some-path. Then give www-data the right to execute the mkdir command with sudo. Run visudo and add the following rule:
www-data ALL = ( : some-group) /bin/mkdir /some-path/[0-9A-Z_a-z]*, !/bin/mkdir /some-path/[!-0-9A-Z_a-z]
This allows www-data to run sudo -g some-group mkdir /some-path/foo-bar to create subdirectories in /some-path.
If the subdirectory must belong to another user who can write to some-path, run the mkdir command as that user. You might be able to arrange for the directory to have the correct permissions and ownership at creation time. For the sudoers file:
www-data ALL = (some-user : some-group) /bin/mkdir -m 775 /some-path/[0-9A-Z_a-z]*, !/bin/mkdir /some-path/[!-0-9A-Z_a-z]
Run sudo -u some-user -g some-group mkdir -m 775 /some-path/foo-bar to create a group-writable directory belonging to some-user:some-group under /some-path.
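The question sketches a "sanitise, then mkdir" script that www-data would run with elevated rights; the answer above instead grants /bin/mkdir through a sudoers glob. The script below is an added example (not code from the question, the answer, or any project) of what that sanitising wrapper can look like when it is itself the sudo target: it accepts exactly one bare folder name, validates it against the same character class the sudoers rule uses, and only then calls mkdir under a fixed parent. The parent path /some-path, the 64-character limit, and the install path mentioned afterwards are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the question or either answer: a sudo target that
# creates one subdirectory under a fixed parent. It is the "sanitise, then
# mkdir" script the question sketches; the parent path /some-path and the
# 64-character limit are assumptions for illustration.

BASE_DIR="${BASE_DIR:-/some-path}"   # assumed parent; override for testing

# valid_name NAME -> succeeds only if NAME is a safe single path component:
# non-empty, no leading '-', only [0-9A-Z_a-z-], at most 64 characters.
# This rejects "..", anything containing '/', spaces, and option-like names.
valid_name() {
    name=$1
    case $name in
        ''|-*|*[!0-9A-Z_a-z-]*) return 1 ;;
    esac
    [ "${#name}" -le 64 ]
}

# make_subdir BASE NAME -> creates BASE/NAME, group-writable, and prints its path.
# Distinct exit codes let the calling web app tell a bad name from a failed mkdir.
make_subdir() {
    base=$1
    name=$2
    valid_name "$name" || { echo "rejected folder name" >&2; return 2; }
    [ -d "$base" ] || { echo "parent directory missing: $base" >&2; return 3; }
    # '--' ends option parsing; validation already forbids a leading '-' anyway
    mkdir -m 775 -- "$base/$name" || return 4
    printf '%s\n' "$base/$name"
}

# Entry point: exactly one argument, the bare folder name (never a full path).
main() {
    [ "$#" -eq 1 ] || { echo "usage: $0 FOLDER_NAME" >&2; return 1; }
    make_subdir "$BASE_DIR" "$1"
}

# Only dispatch when invoked with arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Installed at an assumed path such as /usr/local/sbin/mkdir-under-some-path, owned by root and not writable by www-data, it would replace /bin/mkdir in the sudoers rule with no wildcard at all (for instance www-data ALL = (some-user : some-group) /usr/local/sbin/mkdir-under-some-path), and the PHP application would run sudo -u some-user -g some-group /usr/local/sbin/mkdir-under-some-path "$name". The validation then lives in one reviewable place instead of in a glob, and the caller can never pass a second argument, an option, or a path component to mkdir.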
Solution 2
Not sure if the following way suits your situation or not.
Let's assume the following:
- A www-data writable directory: /var/www/data
- Original intended parent directory: /home/parent
Do this:
ln -s /var/www/data /home/parent/data
So instead of www-data writing directly under /home/parent, the data can be accessed under parent through the soft link.
It can also be done with a local mount as follows:
mount -o bind /var/www/data /home/parent/data
Or mount to the parent directly:
mount -o bind /var/www/data /home/parent
With the local mount method, the destination directory behaves as a normal file system.
Updated on September 18, 2022
Comments
- Highly Irregular over 1 year: I'm not exactly sure the right question to ask, so I'll try to explain what I'm trying to do.
I have an internal web application (in PHP) that I want to be able to create a folder. The trouble is that the Apache user www-data doesn't have any access to the parent folder that I want my folder to be created in.
I don't think it's appropriate to give www-data access to the parent folder, so I'm wondering if I can create a script somewhere that www-data can run which has more privileges than www-data does. The script would simply do something like this (pseudocode):
FOLDER_NAME = sanitise(<arg-val-1>)
mkdir /some-path/$FOLDER_NAME
Where would it be appropriate to create this script, and how would it be run by www-data as root? (Or alternatively, is there a better way to solve the problem?)
I'm running Debian Linux.
- Kevin over 11 years: I believe if you give just x permission it will allow the user to traverse the parent folder (i.e. pass through it to access its folder) but not list its contents.
- Highly Irregular over 11 years: Hmm, that's a good idea, but I think one that isn't ideal in my situation, as it may create confusion with backups and other location-based scripting.
- John Siu over 11 years: update answer with local mount method.
- Highly Irregular over 11 years: This stuff makes my head spin! Thanks for your effort on this; I will come back to it next week.