LinuxQuestions.org
Old 04-21-2018, 10:12 PM   #1
ref-x
LQ Newbie
 
Registered: Apr 2018
Posts: 3

Rep: Reputation: Disabled
What is an Ideal permissions and groups for a linux configuration


I really need an expert's help. First time running my own VPS, afraid of everything.

The story:

1. Bought a small server from Linode last week.
2. Installed Debian 8, set up LAMP, set up my sites, domains and stuff.
3. Everything is working well but it's extremely hard to maintain the site because of permissions.

As I am a Windows user at home, I am accessing my Linode server in two ways:
1. WinSCP
2. SmarTTY

I got 3 different users I need to wrestle every day (nobody other than me accessing the server, I am the sole admin):
Root
MyUser (sudo)
www-data (which apache created)

www-data and MyUser are in the same group

As root and www-data login is disabled I need to log in with "MyUser", and sudo if needed. If I transfer anything to the server with SCP, that file automatically belongs to "MyUser" and that file doesn't have group write permissions by default. Then I have to give that file +g so apache can write to it.

And every moment of my last week went past as I struggled with permissions.

And tonight I was trying to add a /etc/cron.daily job. Yet that directory belongs to "root", and "root" doesn't belong to any group, I need to sudo every command I give to create a blank file and retype the file in nano, because I wasn't able to upload the file to that directory.

I am kind of afraid of relaxing the permissions, as my server sits in the wild like this, open to threats. But I am very close to giving all files to 777.

Then I wonder, maybe I'm doing something wrong. Is this what awaits me? Is this the life of a Linux user, fighting with permissions, every day at every hour?

How do I survive? Can you give me some permission advice? Do I need to add "MyUser" to the root group? Or what if I change the ownership of all directories to "MyUser"? What is the security risk of using 775 (which I'm using from time to time)?

TLDR; so here is a short version:

I want to control my server without permissions getting in my way, but without generating any security holes. Is it possible?
 
Old 04-22-2018, 11:29 PM   #2
mpapet
Member
 
Registered: Nov 2003
Location: Los Angeles
Distribution: debian
Posts: 548

Rep: Reputation: 72
I know this isn't the answer you want, but the account is running a service that is exposed to a hostile Internet, and you want that account walled off from the rest of the system.

I would not advise adding your user account to the account running apache.
 
1 members found this post helpful.
Old 04-23-2018, 12:03 AM   #3
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,330
Blog Entries: 3

Rep: Reputation: 3726
Quote:
Originally Posted by ref-x
I want to control my server without permissions getting in my way, but without generating any security holes. Is it possible?
Yes, but you'll have to set the permissions to enable you to do your job without getting in the way. For any of us to give more specific advice on that, we'd have to know more about what you plan to do and a little about your work flow. However, there is some generic advice:

First, remove extra users from the www-data group. Only the www-data account should be in it. Its purpose is to be an unprivileged account for the HTTP daemon to use. It has read-only access to the web server's document root, if you have not changed the default directory permissions there yet. The concepts involved there are "least privilege" and "privilege separation".

Second, if it were my server, I'd make a second, less privileged account and use that to connect and for daily work. I'd only use the privileged (sudo) account after logging in through the unprivileged account and actually block it from a direct connection for defense in depth / layered security. Use AllowGroups or AllowUsers in the SSH daemon's configuration file to allow only the unprivileged user remote access. Then use "su" to become the admin user as needed. See "man sshd_config".

Third, why do you want Apache to write to the files you have uploaded? In normal operation, it only needs read access. What problem are you trying to solve? If you want to write your own files to the web server's document root, then you, not Apache, need write permissions to the relevant directories for your account. And if it's just you, you can chown those directories and that is enough. If you will have more than one user sharing those directories it is a little trickier on GNU/Linux than on the BSDs or on (defunct) Netware. See this blog post if that is your goal.

Let us know and we can provide more specific advice and tips.
 
Old 04-23-2018, 12:20 AM   #4
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

Rep: Reputation: 6053
Quote:
Originally Posted by ref-x
TLDR; so here is a short version:

I want to control my server without permissions getting in my way, but without generating any security holes. Is it possible?
If you are just starting with all this, I strongly recommend sticking to the most conservative and widespread approach there is; often years later I found out that this was the right (safest) approach after all, even if it felt cumbersome at the time.

In other words, if the Apache documentation tells you to have these three users, that's how you should do it.
 
1 members found this post helpful.
Old 04-23-2018, 02:22 AM   #5
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 21,930

Rep: Reputation: 7321
One more aspect: remember, if it was hard for you it will also be hard for an intruder (hopefully). But if you make it easy for yourself you will make it easy for others too.
It is not fighting with permissions but (unfortunately) fighting against intruders.
 
Old 04-23-2018, 03:12 AM   #6
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,735

Rep: Reputation: 2212
My very public webserver utilizes three users:
1. root
2. an unprivileged user that owns and maintains the web content files* The "website owner"
3. the apache user...mine is "nobody" (it's a very old server), yours is www-data

*There are actually several of these, as there are different users for multiple websites.

"owner" files are 644/755. They are not members of the apache user group. As has been stated, the web server only needs to be able to read those to serve them...it does not need write access to them.
The only files that are owned by the apache user are those created by CGI scripts on websites. (We do a lot of web-based application development)...and those can be chowned after creation to an "owner" if that's appropriate.
When I do maintenance on the web server, I su - to do it, otherwise, interaction with content is as an "owner"

If you're using WordPress, there are some additional considerations. I got this from someone's signature here: WordPress Security

From windows, I use PuTTY and WINSCP. If I need to change the server config, I use PuTTY to ssh to the server, su -, tweak what I need and exit. That's fairly infrequent. You shouldn't need to mess with the server configuration often.

All other maintenance is of the "owner" files (at least the ones I maintain...some customers maintain their own) and is done via WINSCP using sftp. I do not have to modify files once uploaded (or updated "in place" which is what can happen with WINSCP)

Last edited by scasey; 04-23-2018 at 03:14 AM.
 
1 members found this post helpful.
Old 04-23-2018, 04:54 AM   #7
ref-x
LQ Newbie
 
Registered: Apr 2018
Posts: 3

Original Poster
Rep: Reputation: Disabled
Thanks for your replies, I think I kind of understand the seriousness of the situation.

Quote:
Originally Posted by Turbocapitalist
First, remove extra users from the www-data group. Only the www-data account should be in it. Its purpose is to be an unprivileged account for the HTTP daemon to use. It has read-only access to the web server's document root
Quote:
As has been stated, the web server only needs to be able to read those to serve them...it does not need write access to them.
But I generally develop on my own computer (php scripts and such) then upload to the server via WinSCP. And then php (and some data files) are executed by apache's www-data user, and that user cannot read from my WinSCP user which is "MyUser". So even if I chown those php scripts to www-data, they are not writable as www-data only has read access.

Also, if I remove my user from www-data group, this time I cannot delete or modify files thru SCP/sftp.

Quote:
Let us know and we can provide more specific advice and tips.
This is my current group structure:

sudo:x:22:MyUser
MyUser:x:1000:www-data
www-data:x:31:MyUser

So, I must remove MyUser from group 1000. But is it a problem if I keep MyUser in www-data group?

This is exactly what I was looking for. Thank you very much.


edit:
I follow the blog post. But my problem persists:

I think my problem lies in the fact that my scripts use too many file operations. There are countless php scripts that modify files on the web root, I have to cherry pick all those files to give them proper access. And when scripts create a new file which belongs to www-data, I cannot modify them with SCP, I need to log in, sudo, set proper access privileges to those files and exit. I think I need a plan or change my view of how I access those files as server admin.

Last edited by ref-x; 04-23-2018 at 05:55 AM.
 
Old 04-23-2018, 05:53 AM   #8
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,330
Blog Entries: 3

Rep: Reputation: 3726
Quote:
Originally Posted by ref-x

I think my problem lies in the fact that my scripts use too many file operations. There are countless php scripts that modify files on the web root, I have to cherry pick all those files to give them proper access. And when scripts create a new file which belongs to www-data, I need to log in, sudo, set proper access privileges to those files and exit. I think I need a plan or change my view of how I access those files as server admin.
If you can, it would be a Very Good Idea to separate the directories into ones that handle only data and ones that contain only scripts or anything script-like. So that way you won't have to mix functionality. You can keep the files with scripts read-only, from the HTTP daemon's perspective, in read-only directories and allow things to be written in the data directories where nothing can run. The principle there is things can be either executable or writable but not both: W^X. The intention is that in case of a successful breach an unwelcome visitor cannot write their own scripts and run them.

So a plan is needed. It might take a bit of work on a whiteboard or a large piece of paper or two. Remember, a week of coding can save several hours of planning.
 
1 members found this post helpful.
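
An added example, not part of any post in this thread: an audit of a document root for the mix the post above warns against, that is, script files the web account could rewrite and writable directories that also hold scripts. The function names and the list of script extensions are assumptions made for this sketch; `WEB_USER` and `WEB_GROUP` default to the `www-data` account discussed here.

```sh
#!/bin/sh
# Added example, not code from the thread.
# Assumption: WEB_USER/WEB_GROUP name the HTTP daemon's account (name or numeric id).
WEB_USER=${WEB_USER:-www-data}
WEB_GROUP=${WEB_GROUP:-www-data}

# scripts_in DIR [find options]: script-like files, by extension or execute bit.
scripts_in() {
    dir=$1; shift
    find "$dir" "$@" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.cgi' \
        -o -name '*.pl' -o -name '*.py' \
        -o -perm -100 -o -perm -010 -o -perm -001 \)
}

# web_can_write PATH: true if the owner, group or other bits let the web account write.
web_can_write() {
    [ -n "$(find "$1" -maxdepth 0 \( -user "$WEB_USER" -perm -200 \
        -o -group "$WEB_GROUP" -perm -020 -o -perm -002 \))" ]
}

# wx_violations DOCROOT: one line per finding, prefixed with its kind.
wx_violations() {
    root=$1
    # Script-like files the web account could modify in place.
    scripts_in "$root" | while IFS= read -r f; do
        if web_can_write "$f"; then printf 'writable-script %s\n' "$f"; fi
    done
    # Writable directories that also hold script-like files (code mixed with data).
    find "$root" -type d | while IFS= read -r d; do
        if web_can_write "$d" && [ -n "$(scripts_in "$d" -maxdepth 1 | head -n 1)" ]; then
            printf 'mixed-dir %s\n' "$d"
        fi
    done
}

# Usage: sh wx_audit.sh /path/to/docroot
if [ $# -gt 0 ]; then wx_violations "$1"; fi
```

The check reads mode bits and ownership only, so ACLs are not seen, and keeping scripts from running inside the data directories still has to be enforced in the web server's configuration.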
Old 04-23-2018, 06:40 AM   #9
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 21,930

Rep: Reputation: 7321
You need a workspace, where you edit your files, and an "install" area where they are in use. And you need only one script which will copy those files from workspace (and obviously set permissions).
 
1 members found this post helpful.
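
An added example, not part of any post in this thread: one way to write the single copy-and-set-permissions script suggested above, using the 644/755 modes from post #6. The function names `deploy` and `loose_paths`, the `.new`/`.old` suffixes and the idea of keeping the previous copy for rollback are assumptions of this sketch; the directory the web server writes to is assumed to live outside the install area.

```sh
#!/bin/sh
# Added example, not code from the thread.
# deploy WORKSPACE INSTALL_DIR: publish a copy of the workspace with fixed modes.
# Run it as the account that owns the site content. The web server's writable
# data directory is assumed to be outside INSTALL_DIR and is never touched.
deploy() {
    src=$1 dst=$2
    if [ ! -d "$src" ] || [ -z "$dst" ]; then
        echo "usage: deploy WORKSPACE INSTALL_DIR" >&2
        return 2
    fi
    stage="$dst.new.$$"
    rm -rf "$stage"
    mkdir -p "$stage"
    cp -R "$src"/. "$stage"/
    # Whatever modes the upload tool left behind, publish 755 dirs and 644 files.
    # (Assumes PHP runs inside the web server, so scripts need no execute bit.)
    find "$stage" -type d -exec chmod 755 {} +
    find "$stage" -type f -exec chmod 644 {} +
    # Keep the previous release for rollback, then switch to the new one.
    rm -rf "$dst.old"
    if [ -e "$dst" ]; then mv "$dst" "$dst.old"; fi
    mv "$stage" "$dst"
}

# loose_paths DIR: anything still writable by group or other (expected: none).
loose_paths() {
    find "$1" \( -perm -020 -o -perm -002 \) ! -type l
}

# Usage: sh deploy.sh ~/workspace/mysite /path/to/install/area
if [ $# -eq 2 ]; then deploy "$1" "$2" && loose_paths "$2"; fi
```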
Old 04-23-2018, 08:31 AM   #10
ref-x
LQ Newbie
 
Registered: Apr 2018
Posts: 3

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Turbocapitalist
If you can, it would be a Very Good Idea to separate the directories into ones that handle only data and ones that contain only scripts or anything script-like. So that way you won't have to mix functionality. You can keep the files with scripts read-only, from the HTTP daemon's perspective, in read-only directories and allow things to be written in the data directories where nothing can run. The principle there is things can be either executable or writable but not both: W^X. The intention is that in case of a successful breach an unwelcome visitor cannot write their own scripts and run them.

So a plan is needed. It might take a bit of work on a whiteboard or a large piece of paper or two. Remember, a week of coding can save several hours of planning.
Ok, now I am more aware of my problem. I'll take a look at the scripts that create or modify files and plan accordingly.

I'll be asking more questions in the future. Thank you all.
 
Old 04-23-2018, 09:30 AM   #11
AwesomeMachine
LQ Guru
 
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 5,524

Rep: Reputation: 1015
Rather than create a blank file and retype everything, you can change the owner of the file
Code:
$ sudo chown user:group filename
or of a directory and its contents
Code:
$ sudo chown -R user:group directory
 
Old 04-23-2018, 12:41 PM   #12
mpapet
Member
 
Registered: Nov 2003
Location: Los Angeles
Distribution: debian
Posts: 548

Rep: Reputation: 72
Quote:
Originally Posted by ref-x
So, I must remove MyUser from group 1000. but is it a problem if I keep MyUser in www-data group?
No! GID 1000 is the first non-system user on the system. Don't remove your user from that group.

Remove your user account from the www-data group. And then remove the www-data group from your user account group. Those are two different commands.

Last edited by mpapet; 04-23-2018 at 12:42 PM.
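
An added example, not part of any post in this thread: a check that reads group-file lines and prints one removal command for each of the two cross-memberships described above, run here against the three lines ref-x posted in #7. The function names are assumptions of this sketch; `gpasswd -d USER GROUP` is the shadow-utils command for removing a user from a group.

```sh
#!/bin/sh
# Added example, not code from the thread.
# group_crosslinks SERVICE_ACCOUNT [GROUP_FILE]
# Prints a removal command for every membership that ties the service account
# to other accounts. GROUP_FILE defaults to /etc/group; "-" reads stdin.
group_crosslinks() {
    svc=$1 file=${2:-/etc/group}
    awk -F: -v svc="$svc" '
        {
            n = split($4, member, ",")
            for (i = 1; i <= n; i++) {
                if ($1 == svc && member[i] != svc)
                    # someone else sits in the service account group
                    printf "gpasswd -d %s %s\n", member[i], $1
                else if ($1 != svc && member[i] == svc)
                    # the service account sits in someone else group
                    printf "gpasswd -d %s %s\n", svc, $1
            }
        }' "$file"
}

# The group lines quoted in post #7 of this thread.
thread_sample() {
    cat <<'EOF'
sudo:x:22:MyUser
MyUser:x:1000:www-data
www-data:x:31:MyUser
EOF
}

# Usage: sh crosslinks.sh www-data            (reads /etc/group)
#        sh crosslinks.sh www-data - < file   (reads stdin)
if [ $# -gt 0 ]; then group_crosslinks "$@"; fi
```

Only the member list in the fourth field is examined; an account's primary group is recorded in /etc/passwd and is left alone, which matches the advice not to remove MyUser from GID 1000.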
 