Is it safe (secure) to change the owner of the html/ folder in Apache?
It is perfectly safe to change ownership of files in /var/www, and indeed anything in that folder is yours to edit and change how you wish.

For example, if user tsmith needs to be able to write to files in /var/www/myweb then it's perfectly fine to set the owner of these files to tsmith. Or if you prefer, keep the owner as root and require tsmith to sudo in order to write to them - if you trust him/her with sudo.

If you have multiple users that need to be able to edit the files, and you don't want to give them sudo, you could alternatively use group membership, e.g. create a group and add users to that group, then set group ownership and group write to the relevant files to enable members of that group to modify those files. When doing this you will probably want to use the SetGID bit (chmod g+s dir) on the containing directory to ensure new files inherit the same group ownership, and umask 002 in each user's ~/.profile to ensure they get group write permission, otherwise any new files will only be editable by their creator and not other members of the group.

You should however be aware of the following bad practices:

Do not set ownership of any files to the www-data user, or the www-data group if you are giving group write permissions. The whole point of the www-data user is that it is an unprivileged user, not able to write to any files. Server daemons accessible from the outside network (such as the web server) typically run as an unprivileged user so that in the event that they are hacked due to a vulnerability, the possible things the attacker can do are minimal.

Exception: some web apps require write access to certain files and folders in order to implement things like attachment storage, etc. In these cases you should set ownership to www-data ONLY for those files, keeping the number of files writable by www-data at a minimum.

For the same reason, don't set any files to be world-writable.

If creating groups, don't re-purpose existing user groups like admin, sudo or especially www-data, which already have purposes in Ubuntu because this may reduce system security if those groups were not intended to be able to write to files. Instead, create your own groups and add members to those.
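
A read-only check for the bad practices listed in the answer above, as an added example that is not part of the original answer: it flags world-writable entries, group-writable directories missing the SetGID bit, and anything owned by (or group-writable for) the web server account. The function name audit_webroot, the finding labels and the sample tree are assumptions made for illustration; it also assumes the web server's group has the same name as its user, as on a default Ubuntu install.

```shell
#!/bin/sh
# audit_webroot DIR [WEB_USER]
# Prints one finding per line; prints nothing when the tree is clean.
audit_webroot() {
    root=$1
    web_user=${2:-www-data}   # daemon account named in the answer

    # World-writable files/directories (symlinks skipped: their mode is always 777).
    find "$root" ! -type l -perm -0002 -exec printf 'WORLD-WRITABLE %s\n' {} \;

    # Group-writable directories without SetGID: files created inside them
    # will not inherit the shared group, so other members cannot edit them.
    find "$root" -type d -perm -0020 ! -perm -2000 \
        -exec printf 'NO-SETGID %s\n' {} \;

    # Entries the web server account could modify. Skipped when the account
    # does not exist on this machine (find would reject the unknown name).
    if id -u "$web_user" >/dev/null 2>&1; then
        find "$root" -user "$web_user" \
            -exec printf 'WEB-USER-OWNED %s\n' {} \;
        find "$root" -group "$web_user" -perm -0020 \
            -exec printf 'WEB-GROUP-WRITABLE %s\n' {} \;
    fi
}

# Constructed sample tree (not from the page) so the audit runs offline
# and without root.
demo() {
    t=$(mktemp -d)
    mkdir "$t/shared" "$t/plain"
    chmod 2775 "$t/shared"             # group-writable with SetGID
    chmod 0775 "$t/plain"              # group-writable, SetGID missing
    : > "$t/plain/upload.php"
    chmod 0666 "$t/plain/upload.php"   # world-writable
    audit_webroot "$t"
    rm -rf "$t"
}
demo
```

WEB-USER-OWNED findings are expected only for the upload or attachment directories covered by the exception in the answer; anything else in that list deserves a second look.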
Updated on September 18, 2022
Comments
-
kos almost 2 years
I know how to use chmod and stuff so that is not the question. I have a little server (Ubuntu LTS) running with Apache on it with the standard folder in /var/www/html/. By default root is the owner of the html/ folder.
Question: Is it safe (secure) to change the owner of the html/ folder?
-
Marton about 9 years
So I don't know anything about apache but as which user is it started because if it's started as root I would definitely change that. But I think the ownership of the html files doesn't really matter.
-
Esref about 9 years
Looking at the following link may be useful: wiki.apache.org/httpd/FileSystemPermissions
-
thomasrutter about 9 years
Having any files owned by www-data is a security risk because it breaks the principle that the www-data user should have no write access to any files. It is, however, necessary with some web apps that need to store files in the filesystem. When this is the case, www-data ownership should ONLY be given to these particular files and folders that you need to be writable by the web server, not to a whole website. That is, you want to keep the number of files writable by the www-data user to a minimum.
-
MGT about 9 years
Many thanks for your answer. The use case is for an Amazon Ubuntu EC2 instance. I use Cyberduck to log in to the system and as long as you can only log in as "ubuntu" user I have to SSH in first, change the permissions of the folder and when done change it back. By changing the owner to "ubuntu" I do not have to do that anymore, but I was concerned if changing the /html folder to "ubuntu" if that was a good idea. Is it a good idea to change the files inside the folder to "ubuntu" too?
-
thomasrutter about 9 years
Those Ubuntu images simply set up a normal user account with the name "ubuntu" so you can use it like your own account, i.e. it's not a built-in system account. It should be fine to change ownership of anything in /var/www including files and directories to that account. In terms of security risk an attacker would need to somehow get the privileges of your personal account which should be difficult™ (no daemons run as this user, hopefully you have key based SSH auth and don't allow root login).