How to setup linux permissions the WWW folder?
Posted by Xeoncross on Server Fault
Published on 2010-03-22T01:21:39Z
Indexed on 2010/03/24 3:43 UTC
Updated Summary

The /var/www directory is owned by root:root, which means that no one can use it and it's entirely useless. Since we all want a web server that actually works (and no-one should be logging in as "root"), we need to fix this.
Only two entities need access.
1. PHP/Perl/Ruby/Python all need access to the folders and files since they create many of them (i.e. /uploads/). These scripting languages should be running under nginx or apache (or even some other thing like FastCGI for PHP).
2. The developers
How do they get access? I know that someone, somewhere has done this before. With however-many billions of websites out there you would think that there would be more information on this topic.
I know that 777 is full read/write/execute permission for owner/group/other. So this doesn't seem to be needed as it leaves random users full permissions.
What permissions need to be used on /var/www so that...
- Source control like git or svn
- Users in a group like "websites" (or even added to "www-data")
- Servers like apache or lighttpd
- And PHP/Perl/Ruby
can all read, create, and run files (and directories) there?
If I'm correct, Ruby and PHP scripts are not "executed" directly - but passed to an interpreter. So there is no need for execute permission on files in /var/www...? Therefore, it seems like the correct permission would be chmod -R 1660, which would make
- all files shareable by these four entities
- all files non-executable by mistake
- block everyone else from the directory entirely
- set the permission mode to "sticky" for all future files
Is this correct?
Update: I just realized that files and directories might need different permissions - I was talking about files above, so I'm not sure what the directory permissions would need to be.
Update 2: The folder structure of /var/www changes drastically, as one of the four entities above is always adding (and sometimes removing) folders and sub folders many levels deep. They also create and remove files that the other 3 entities might need read/write access to. Therefore, the permissions need to do the four things above for both files and directories. Since none of them should need execute permission (see question about ruby/php above), I would assume that rw-rw-r-- permission would be all that is needed and completely safe, since these four entities are run by trusted personnel (see #2) and all other users on the system only have read access.
Update 3: This is for personal development machines and private company servers. No random "web customers" like a shared host.
Update 4: This article by slicehost seems to be the best at explaining what is needed to set up permissions for your www folder. However, I'm not sure what user or group apache/nginx with PHP or svn/git run as, and how to change them.
Update 5: I have (I think) finally found a way to get this all to work (answer below). However, I don't know if this is the correct and SECURE way to do this. Therefore I have started a bounty. The person that has the best method of securing and managing the www directory wins.
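The question treats files and directories alike, but on Linux the execute bit on a directory is the "search" permission: without it no process can enter the directory or open anything inside it, however permissive the file modes are. The usual way to give several accounts (the web server user, the interpreter, git/svn, the developers) shared write access without opening the tree to everyone is to put them all in one group, make every directory group-writable with the setgid bit set so new entries inherit that group, and give files no execute bit at all. The script below is an added example, not code from the question or from Server Fault: it applies that split scheme (2770 on directories, 660 on files) to a web root and provides two check helpers. The group name "websites" is taken from the question; the root path, the mode values and the helper names are this example's own choices, and the chgrp step is skipped when the group does not exist so the script can be exercised unprivileged on a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original question). Assumptions: a group named
# "websites" (name taken from the question) holds every account that must
# write to the web root; the root path is passed as an argument so the same
# function can be run on a scratch directory for testing.
set -e

# Directories: rwxrwx--- plus setgid (2770). The x bit is the directory
# "search" permission and is required to enter the directory at all; setgid
# makes files and subfolders created by any member (apache, php, git, a
# developer) inherit the directory's group instead of the creator's.
DIR_MODE=2770
# Files: rw-rw---- (660). PHP/Ruby/Perl sources are read by an interpreter,
# so no execute bit is needed, and "other" gets nothing.
FILE_MODE=660

# Apply group ownership (when the group exists) and the split modes to a tree.
secure_webroot() {
    root="$1"
    group="${2:-websites}"
    if getent group "$group" >/dev/null 2>&1; then
        chgrp -R "$group" "$root"
    fi
    find "$root" -type d -exec chmod "$DIR_MODE" {} +
    find "$root" -type f -exec chmod "$FILE_MODE" {} +
}

# Report the octal mode of one path (GNU stat), e.g. "2770" or "660".
mode_of() {
    stat -c '%a' "$1"
}

# Count entries anywhere in the tree that grant "other" any of r/w/x.
# After secure_webroot this should be 0; a non-zero result points at files
# created later with a loose umask or copied in with their old modes.
world_accessible_count() {
    find "$1" -perm /007 | wc -l | tr -d ' '
}

# Stand-alone usage (needs root for a real /var/www):
#   secure_webroot /var/www websites && world_accessible_count /var/www
```

Two practical notes on this scheme: each writer's umask must leave group write enabled (002 rather than the common 022), otherwise files it creates come out 644 and the other members cannot modify them; and the setgid bit only fixes the group, not the owner, so `world_accessible_count` is worth re-running after deployments to catch files that arrived with their original modes.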
© Server Fault or respective owner