Is it safe (secure) to change the owner of the html/ folder in Apache?


It is perfectly safe to change ownership of files in /var/www, and indeed anything in that folder is yours to edit and change how you wish.

For example, if user tsmith needs to be able to write to files in /var/www/myweb then it's perfectly fine to set the owner of these files to tsmith. Or if you prefer, keep the owner as root and require tsmith to sudo in order to write to them - if you trust him/her with sudo.

If you have multiple users that need to be able to edit the files, and you don't want to give them sudo, you could alternatively use group membership, e.g. create a group and add users to that group, then set group ownership and group write on the relevant files to enable members of that group to modify those files. When doing this you will probably want to use the SetGID bit (chmod g+s dir) on the containing directory to ensure new files inherit the same group ownership, and umask 002 in each user's ~/.profile to ensure they get group write permission; otherwise any new files will only be editable by their creator and not other members of the group.

You should however be aware of the following bad practices:

  • Do not set ownership of any files to the www-data user, or the www-data group if you are giving group write permissions. The whole point of the www-data user is that it is an unprivileged user, not able to write to any files. Server daemons accessible from the outside network (such as the web server) typically run as an unprivileged user so that in the event that they are hacked due to a vulnerability, the things the attacker can do are minimal.

    Exception: some web apps require write access to certain files and folders in order to implement things like attachment storage, etc. In these cases you should set ownership to www-data ONLY for those files, keeping the number of files writable by www-data at a minimum.

  • For the same reason, don't set any files to be world-writable.

  • If creating groups, don't re-purpose existing user groups like admin, sudo or especially www-data, which already have purposes in Ubuntu, because this may reduce system security if those groups were not intended to be able to write to files. Instead, create your own groups and add members to those.

Author by

kos


Updated on September 18, 2022
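
The checks listed in the answer above, written as a read-only audit script (an added example, not part of the original answer or of any Ubuntu or Apache tooling). The SHARED_GROUP argument, the example group name "webedit" and the finding labels are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the answer): read-only audit of a web root.
# usage: sh audit_webroot.sh DIR [WEB_USER] [WEB_GROUP] [SHARED_GROUP]
# WEB_USER/WEB_GROUP default to www-data. SHARED_GROUP is the editors' group
# you created yourself (hypothetical name, e.g. "webedit"); names or numeric IDs.

# Print each path under DIR matching the given find(1) tests, prefixed by a label.
report() {
    label=$1; dir=$2; shift 2
    find "$dir" ! -type l "$@" -print | sed "s|^|$label: |"
}

# Returns 0 and prints nothing when the tree is clean, 1 with findings otherwise.
audit_webroot() {
    root=$1; web_user=${2:-www-data}; web_group=${3:-www-data}; shared=${4:-}
    findings=$(
        # "don't set any files to be world-writable"
        report world-writable "$root" -perm -0002
        # Owned by the web server user, or group-writable by its group. Expected
        # only on the few upload/storage paths the web app really needs.
        report web-server-writable "$root" \
            '(' -user "$web_user" -o '(' -group "$web_group" -perm -0020 ')' ')'
        if [ -n "$shared" ]; then
            # Group-sharing setup: right group, SetGID on dirs, group write on files.
            report wrong-group "$root" ! -group "$shared"
            report dir-missing-setgid "$root" -type d ! -perm -2000
            report not-group-writable "$root" -type f ! -perm -0020
        fi
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run the audit when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_webroot "$@"
fi
```

The script only reads metadata with find, so it can run as an unprivileged user; a web-server-writable finding on a deliberate upload directory is the exception the answer describes, not an error.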

Comments

  • kos, almost 2 years

    I know how to use chmod and stuff so that is not the question. I have a little server (Ubuntu LTS ) running with Apache on it with the standard folder in /var/www/html/. By default root is the owner of the html/ folder.

    Question: Is it safe (secure) to change the owner of the html/ folder?

    • Marton, about 9 years
      So I don't know anything about Apache, but as which user is it started? Because if it's started as root I would definitely change that. But I think the ownership of the html files doesn't really matter.
    • Esref, about 9 years
      Looking at the following link may be useful : wiki.apache.org/httpd/FileSystemPermissions
  • thomasrutter, about 9 years
    Having any files owned by www-data is a security risk because it breaks the principle that the www-data user should have no write access to any files. It is, however, necessary with some web apps that need to store files in the filesystem. When this is the case, www-data ownership should ONLY be given to these particular files and folders that you need to be writable by the web server, not to a whole website. That is, you want to keep the number of files writable by the www-data user to a minimum.
  • MGT, about 9 years
    Many thanks for your answer. The use case is for an Amazon Ubuntu EC2 instance. I use Cyberduck to log in to the system, and as long as you can only log in as the "ubuntu" user I have to SSH in first, change the permissions of the folder and, when done, change it back. By changing the owner to "ubuntu" I do not have to do that anymore, but I was concerned whether changing the /html folder to "ubuntu" was a good idea. Is it a good idea to change the files inside the folder to "ubuntu" too?
  • thomasrutter, about 9 years
    Those Ubuntu images simply set up a normal user account with the name "ubuntu" so you can use it like your own account, i.e. it's not a built-in system account. It should be fine to change ownership of anything in /var/www, including files and directories, to that account. In terms of security risk, an attacker would need to somehow get the privileges of your personal account, which should be difficult™ (no daemons run as this user, hopefully you have key-based SSH auth and don't allow root login).