Apache security question: chmod 777 vs usermod -a -G

mrbinky3000 · 04-14-2010, 01:35 PM

I debated asking this in the newbie forum. However, it deals more with security, so here it goes...

Which is the better practice for allowing the web server (user apache, group apache) to write / delete files in a user's directory (user jones, group jones). Lets say, the directory in question is called "cache".

should I do the following

Code:

chmod 777 cache

OR... should I add the web sever (user apache, group apache) to the "jones" group via the command:

Code:

usermod -a -G jones apache

Also, if I do let apache join the jones group, and there is directory is called "cache" where I want apache and jones to be able to write and delete files, should I set the permissions to that directory to 664 or 755.

They both work. Which is more secure.

Thanks in advance.

- mrb3k

anomie · 04-14-2010, 02:12 PM

Definitely the latter. You don't want to have to worry about world writeable files or directories on your system. They will give you a serious headache one day.

Make the /cache/ directory owned by apache:jones, add apache to the jones group (assuming that won't introduce other security problems for you), and then put the guid bit on the /cache/ directory (so that group ownership always defaults to jones for new files).

# chmod 2770 cache

SuperJediWombat! · 04-18-2010, 08:53 AM

Or if Jones doesn't want apache to have access to all of his things:

Create a new group called jonescache (or something similar)
Join both jones and apache to that group
Set the group ownership of cache/ to the new group
Set the guid bit on the folder

jennypatel · 08-27-2010, 12:11 AM

The usermod -a -G is more secure than the chmod 777. There is no need to maintain the writable files and directories in the second option.