is it safe to chmod 775/664 with owner www-data:www-data?
Usually you just want to have upload folders or autogenerated files to be writable by the www-data user.
Anyway, the risk you are opening here is that if your web application has any bug/vulnerability that might allow an attacker to execute code on your server, this code will execute as www-data (the user the apache process is running as) and it could completely delete all your websites.
Author: Alex Hadley
Updated on September 18, 2022
Comments
-
Alex Hadley almost 2 years
To make working with my webserver easiest I am proposing doing something like the following:
sudo chown www-data:www-data /var/www -R
cd /var/www
sudo find . -type f -exec chmod 664 {} \;
sudo find . -type d -exec chmod 775 {} \;
I have my day-to-day user added to the www-data group too.
My question is: is this a foolish/risky permission set? Is giving www-data group those permissions opening my server up?
Thanks Alex
-
Admin almost 13 years
Thanks for the answers. So is the problem that www-data user has access, or the www-data group? I.e. the first or second 7?
-
Carlos Campderrós almost 13 years
The problem is the apache process having write access; it doesn't matter if via user permissions or via group permissions.
-
Alex Hadley almost 13 years
So, I have created a new group and set the owner of /var/www (-R) to root:newgroup where my everyday user is in newgroup. Am I now safe to set directories to 775, and files 664?
-
Carlos Campderrós almost 13 years
You should set permissions in directories to 2775, so new files and directories created there would be owned by the same group (newgroup in this case). There should be no worries now.
-
Admin almost 13 years
Thanks for your reply. So should /var/www and sub files/folders really be owned by a different group and user then? My everyday user I guess, since I'm the only one who uses the server?
-
Carlos Campderrós almost 13 years
Yes it's possible. Indeed that's the setup I use on my personal computer when I'm developing. If I need some folder to be writable by apache (www-data user), then just execute chgrp www-data upload_folder and chmod g+ws upload_folder.
-
Alex Hadley almost 13 years
Excellent, thanks for this. I saw in another question a recommendation to set ownership to root:group where group was a new group that any editing users should be added to. I guess that's the model to go for.
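
Added example, not part of the original thread: a small audit that lists what an account such as www-data can modify under a web root, so the root:newgroup layout and the group-writable upload folder discussed above can be checked after applying them. The function name `writable_by` and its argument order are hypothetical; it reads classic mode bits only.

```shell
#!/bin/sh
# Added example (not from the original thread).
# List every path under ROOT that the account with the given uid and gids
# can modify, judged from the owner/group/other write bits.
#
# Usage: writable_by ROOT UID GID [GID...]
# On the server discussed above (assumes the www-data account exists):
#   writable_by /var/www "$(id -u www-data)" $(id -G www-data)
writable_by() {
    root=$1 uid=$2
    shift 2
    # The owner write bit counts only when the account owns the path;
    # the "other" write bit counts for every account.
    tests="( -user $uid -perm -0200 ) -o -perm -0002"
    # The group write bit counts for each group the account belongs to.
    for gid in "$@"; do
        tests="$tests -o ( -group $gid -perm -0020 )"
    done
    # $tests is left unquoted on purpose so it splits into find arguments.
    # Symlinks are skipped: their own mode bits are not what is enforced.
    find "$root" ! -type l \( $tests \) -print | sort
}

# Run as a script: ./audit.sh /var/www UID GID [GID...]
if [ "$#" -ge 3 ]; then
    writable_by "$@"
fi
```

With the layout from the comments, the expected output for www-data is only the upload folder and its contents. A writable directory in the list means the account can delete or replace entries inside it even when the files themselves are read-only; POSIX ACLs are not considered.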