Specific user account for Apache in the /var/www directory


Solution 1

You do not need a new user; just ensure the group is always www-data. You chmod the actual dir to have the setgid bit, and all new files created under it will have the www-data group.

So, to make sure that files you place there with your own user keep the right group, run chgrp and then chmod to set the setgid bit on the directory:

sudo chgrp www-data /var/www
sudo chmod g+s /var/www

http://blog.superuser.com/2011/04/22/linux-permissions-demystified/

As for the user, create it (as nkts suggests) with the command below, where -M means do not create the home dir, and -N means do not create a default group with the same name as the user:

sudo useradd -d /var/www/ -g www-data -M -N -s /sbin/nologin user

I would set it up for SFTP instead of FISH, as it is more secure, reliable, and very flexible. You also have to chroot it to his home to make sure he has no access to the rest of the file system, and restrict it to internal-sftp. Add to /etc/ssh/sshd_config:

Match User user
    ChrootDirectory /var/www
    ForceCommand internal-sftp

Note: FISH is more an archaic curiosity and a shell that was used before SFTP.

If you still want to use FISH in Ubuntu:

sudo apt-add-repository ppa:fish-shell/release-2
sudo apt-get update
sudo apt-get install fish

And then change the shell of the user:

chsh -s /usr/bin/fish user

We also have to force the shell again in /etc/ssh/sshd_config:

Match User user
    ForceCommand /usr/bin/fish

This article will also help you with FISH:

https://hackercodex.com/guide/install-fish-shell-mac-ubuntu/

The restriction to the homedir with fish should be possible, but it is more complicated to set up and difficult to enforce, as it would be easier if the owner of /var/www is www-data.

To set up such a restriction, you would need at least to copy /usr/bin/fish to inside /var/www (which is not a good idea), and for /var/www and /usr/bin/fish to be owned by root (which also invalidates the recommendation of setting the setgid bit on the /var/www directory).

As mentioned previously, SFTP is a more modern and more secure way to set up remote file-only access than FISH.
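The two permission rules this answer leans on can be checked without touching a real server. The script below is an added example, not code from either answer: it builds a throwaway layout under mktemp, applies the chgrp/chmod g+s recipe to a content subdirectory, and checks the chroot root against the conditions sshd enforces for ChrootDirectory (the directory and every component above it must be root-owned and not writable by group or others). That second rule is why the group-writable setgid directory has to be a subdirectory of the chroot, not the chroot root itself. The group www-data is replaced by the current user's primary group so the script runs unprivileged; that substitution and the directory names are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the original answers). Exercises two rules:
#  1. chmod g+s on a directory makes new files inherit its group.
#  2. sshd will only chroot into a directory that is root-owned and not
#     writable by group or others, so the chroot root and the shared
#     group-writable directory cannot be the same directory.
# www-data is replaced by the current user's primary group (constructed
# stand-in) so this runs without root.

# First ten characters of the ls -ld permission field, e.g. drwxrwsr-x.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Returns 0 when the setgid bit is set (character 7 is 's' or 'S').
has_setgid() {
    case "$(perm_string "$1")" in
        ??????[sS]???) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when neither group (char 6) nor others (char 9) may write.
not_writable_by_group_or_other() {
    case "$(perm_string "$1")" in
        ?????w????|????????w?) return 1 ;;
        *) return 0 ;;
    esac
}

# Returns 0 when the directory is owned by uid 0 (numeric listing, field 3).
owned_by_root() {
    [ "$(ls -ldn "$1" | awk '{print $3}')" = 0 ]
}

# Both conditions sshd checks on a ChrootDirectory.
chroot_dir_ok() {
    owned_by_root "$1" && not_writable_by_group_or_other "$1"
}

# The answer's recipe: set group $2 and the setgid bit on directory $1,
# then print the resulting permission string.
make_setgid_group_dir() {
    chgrp "$2" "$1" && chmod g+s "$1" && perm_string "$1"
}

# Constructed layout: $root/www plays the chroot root (root-owned in real
# use), $root/www/html the shared setgid content directory.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/www/html"
    chmod 755 "$root/www"
    make_setgid_group_dir "$root/www/html" "$(id -gn)" >/dev/null
    touch "$root/www/html/index.html"
    echo "chroot root perms:  $(perm_string "$root/www")"
    echo "content dir perms:  $(perm_string "$root/www/html")"
    echo "new file group:     $(ls -ld "$root/www/html/index.html" | awk '{print $4}')"
    if chroot_dir_ok "$root/www"; then
        echo "chroot root acceptable to sshd"
    else
        echo "chroot root would be rejected by sshd (needs root owner, no group/other write)"
    fi
    rm -rf "$root"
}

demo
```

Run it as an ordinary user: the content directory shows the `s` in the group execute position and the new file carries the directory's group, while the chroot root is reported as rejected unless the script runs as root, which is exactly the ownership constraint to keep in mind before pointing ChrootDirectory at /var/www.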

Solution 2

You can create a new user with the following command (I assume you're on a RHEL-compatible distribution):

# useradd -d /var/www/ -g www-data -M -N -s /sbin/nologin user

I have no idea which application is providing access via fish protocol.

Author: Designs Edge

Updated on September 18, 2022

Comments

  • Designs Edge, over 1 year ago:

    I will explain as best I can. On my previous server my friend set up a user called webslave.

    This user's home directory was /var/www. When I would use FISH protocol to transfer files (using Krusader) user was logged in as webslave@host.

    When this user made changes, the group was always intact www-data, for example.

    On my new server, I use my username name@host and often the files are owned by me and my group.

    I would like to add a user as described above that has www-data as its primary group and no access outside /var/www.

    Just want to make sure I do this the right way.

    Glad to clarify - All help appreciated - Thanks in advance!

    • Designs Edge, over 8 years ago:
      Note, my key access accessed the user.
  • Rui F Ribeiro, over 8 years ago:
    FISH works via SSH (en.wikipedia.org/wiki/Files_transferred_over_shell_protocol), and shell limits in passwd over SSH cannot be enforced securely, i.e., there are ways to easily bypass them.
  • Designs Edge, over 8 years ago:
    Thanks a lot, somehow missed this functionality - why I love Linux, learn something new and useful every day. I have also started connecting with only SFTP. (Fish was shown to me by my friend as an example.)
  • Rui F Ribeiro, over 8 years ago:
    Glad to know. Have a look at mod_evasive too.