is it safe to chmod 775/664 with owner www-data:www-data?
18,607
Usually you just want to have upload folders or autogenerated files to be writable by the www-data user.
Anyway, the risk you are opening here is that if your web application has any bug/vulnerability that might allow an attacker to execute code on your server, this code will execute as www-data (the user the apache process is running) and it could completely delete all your websites.
Related videos on Youtube
![EXPLAINED: How to use "chmod" command [COMPLETE GUIDE]](https://i.ytimg.com/vi/MFQpdELKTLc/hq720.jpg?sqp=-oaymwEcCNAFEJQDSFXyq4qpAw4IARUAAIhCGAFwAcABBg==&rs=AOn4CLBkBMsHPElLvAeNpsOuV5b3TN9_-g)
09 : 44
EXPLAINED: How to use "chmod" command [COMPLETE GUIDE]
12 : 31
Linux for Programmers #4 | chmod and File Permissions
09 : 28
Linux Basics - How to manage file permissions on linux ? Why we should not use chmod 777 ? (2022)
15 : 52
How to use chmod | Manage File Permissions in Linux
02 : 41
DevOps & SysAdmins: Is it safe to chmod 775/664 with owner www-data:www-data? (5 Solutions!!)
Author by
Alex Hadley
Updated on September 18, 2022Comments
-
Alex Hadley almost 2 years
To make working with my webserver easiest I am proposing doing something like the following:
sudo chown www-data:www-data /var/www -R cd /var/www sudo find . -type f -exec chmod 664 {} \; sudo find . -type d -exec chmod 775 {} \;I have my day-to-day user added to the www-data group too.
My question is: is this a foolish/risky permission set? Is giving www-data group those permissions opening my server up?
Thanks Alex
-
Admin almost 13 yearsThanks for the answers. So is the problem that www-data user has access, or the www-data group? I.e. the first or second 7? -
Carlos Campderrós almost 13 yearsthe problem is the apache process having write access, doesn't matter if via user permissions or via group permissions.
-
Alex Hadley almost 13 yearsSo, I have created a new group and set the owner of
/var/www(-R) toroot:newgroupwhere my everyday user is innewgroup. Am I now safe to set directories to775, and files664? -
Carlos Campderrós almost 13 yearsyou should set permissions in directories to 2775, so new files and directories created there would be owned by the same group (
newgroupin this case). There should be no worries now.
-
-
Admin almost 13 yearsThanks for your reply. So shoudl /var/www and sub files/folders really be owned by a different group and user then? My everyday user I guess, since I'm the only one who uses the server?
-
Carlos Campderrós almost 13 yearsYes it's possible. Indeed that's the setup I use on my personal computer when I'm developing. If I need some folder to be writable by apache (www-data user), then just execute
chgrp www-data upload_folderandchmod g+ws upload_folder. -
Alex Hadley almost 13 yearsExcellent, thanks for this. I saw in another question a recommendation to set ownership to root:group where group was a new group that any editing users should be added to. I guess that's the model to go for
