How to set up Linux permissions for the WWW folder?
- by Xeoncross
Updated Summary
The /var/www directory is owned by root:root which means that no one can use it and it's entirely useless. Since we all want a web server that actually works (and no-one should be logging in as "root"), we need to fix this.
Only two entities need access.
1. PHP/Perl/Ruby/Python all need access to the folders and files since they create many of them (i.e. /uploads/). These scripting languages should be running under nginx or apache (or even some other thing like FastCGI for PHP).
2. The developers
How do they get access? I know that someone, somewhere has done this before. With however-many billions of websites out there you would think that there would be more information on this topic.
I know that 777 is full read/write/execute permission for owner/group/other. So this doesn't seem to be needed as it leaves random users full permissions.
What permissions need to be used on /var/www so that...
Source control like git or svn
Users in a group like "websites" (or even added to "www-data")
Servers like apache or lighttpd
And PHP/Perl/Ruby
can all read, create, and run files (and directories) there?
If I'm correct, Ruby and PHP scripts are not "executed" directly - but passed to an interpreter. So there is no need for execute permission on files in /var/www...? Therefore, it seems like the correct permission would be chmod -R 1660 which would make
all files shareable by these four entities
all files non-executable by mistake
block everyone else from the directory entirely
set the permission mode to "sticky" for all future files
Is this correct?
Update: I just realized that files and directories might need different permissions - I was talking about files above so I'm not sure what the directory permissions would need to be.
Update 2: The folder structure of /var/www changes drastically as one of the four entities above is always adding (and sometimes removing) folders and subfolders many levels deep. They also create and remove files that the other 3 entities might need read/write access to. Therefore, the permissions need to do the four things above for both files and directories. Since none of them should need execute permission (see question about ruby/php above) I would assume that rw-rw-r-- permission would be all that is needed and completely safe since these four entities are run by trusted personnel (see #2) and all other users on the system only have read access.
Update 3: This is for personal development machines and private company servers. No random "web customers" like a shared host.
Update 4: This article by slicehost seems to be the best at explaining what is needed to set up permissions for your www folder. However, I'm not sure what user or group apache/nginx with PHP OR svn/git run as and how to change them.
Update 5: I have (I think) finally found a way to get this all to work (answer below). However, I don't know if this is the correct and SECURE way to do this. Therefore I have started a bounty. The person that has the best method of securing and managing the www directory wins.
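An added example, not from the question's author: a POSIX shell script that applies and then verifies the group-shared layout commonly used for a web root (setgid group-owned directories so new entries inherit the group, group-writable but non-executable files, and no access at all for "other"). It assumes GNU coreutils/findutils (stat -c, find -perm) and, so that it runs unprivileged, uses a temporary directory and the caller's own primary group in place of a real /var/www and a group such as www-data (where the same commands would be run as root).

```shell
#!/bin/sh
# Added example (not from the original post). Shared web root layout:
#   directories: 2770 (rwxrws---) -> group can traverse/create, setgid keeps group
#   files:       0660 (rw-rw----) -> group read/write, never executable, no "other"
# Assumes GNU coreutils/findutils. Group is a placeholder (real server: www-data).

# setup_webroot DIR GROUP: apply ownership and modes to the whole tree.
setup_webroot() {
    dir=$1; group=$2
    chgrp -R "$group" "$dir" || return 1
    find "$dir" -type d -exec chmod 2770 {} + || return 1
    find "$dir" -type f -exec chmod 0660 {} + || return 1
}

# check_webroot DIR GROUP: return 0 only if every directory is exactly 2770,
# every file exactly 0660, everything is owned by GROUP, and a freshly created
# probe file inherits GROUP (proves the setgid bit is doing its job).
check_webroot() {
    dir=$1; group=$2
    find "$dir" -type d ! -perm 2770 | grep -q . && return 1
    find "$dir" -type f ! -perm 0660 | grep -q . && return 1
    find "$dir" ! -group "$group" | grep -q . && return 1
    probe=$(mktemp "$dir/probe.XXXXXX") || return 1
    newgroup=$(stat -c %G "$probe")
    rm -f "$probe"
    [ "$newgroup" = "$group" ]
}

# Demo on a constructed tree in a temp dir, using the caller's primary group.
demo_dir=$(mktemp -d)
demo_group=$(id -gn)
mkdir -p "$demo_dir/uploads/2024"
printf '<?php echo "hi";\n' > "$demo_dir/index.php"
chmod 777 "$demo_dir/index.php"          # deliberately wrong starting point
setup_webroot "$demo_dir" "$demo_group"
if check_webroot "$demo_dir" "$demo_group"; then
    echo "webroot permissions OK in $demo_dir"
else
    echo "webroot permissions WRONG in $demo_dir"
fi
rm -rf "$demo_dir"
```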