Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I usually set up a directory under /var/www/html owned by your user with permissions set to 755. Put the content in there.
Set the DocumentRoot to that sub directory.
Doesn’t the web server process need access to that directory though? How is that accomplished in that scenario?
It has read access to the directory and the files therein as on “other” or “world” user. That’s all it needs to be able to serve the files...to be able to read them.
The owning user has rw group and others are read...for files: -rw-r—r—
for the directory: -rwxr-r-xr-x
pedro@pedro-school2:~$ groups apache
groups: ‘apache’: no such user
pedro@pedro-school2:~$ groups apache2
groups: ‘apache2’: no such user
pedro@pedro-school2:~$
No user apache or apache2
Should I create a user apache and make him the owner of /var/www?
Should I make a group apache and add myself to it? Or just make myself the owner of /var/www
See #3
I host more than 70 domains...none of their spaces are owned by the web server user, nor are any of the owning users a member of the web server users group.
No. And root should not be the owner of the files in the Web space...the web server user should be...
No. That is quite incorrect. Apache2 should have read access only, not write access. I'm not sure why that misperception is around at all. It would violate the privilege separation provided by running Apache2 as a separate account to have that very same account be able to write pages which it is serving up.
Anyway, if there is and will be only one account needing access, the quick way is to chown the directories and documents under /var/www/html/ to whatever single user needs access. Be sure that Apache2 can still read the files through o=r and the directories through o=rx.
The owner:group for the /var/www directory is usually apache:apache. For some reason, the developers at debian/ubuntu decided to change that to www-data:www-data so that is the owner:group you need for that directory on Ubuntu. You can then put other user in the www-data group and you can create sub-directories under /var/www/html with different users/groups.
The owner:group for the /var/www directory is usually apache:apache. For some reason, the developers at debian/ubuntu decided to change that to www-data:www-data so that is the owner:group you need for that directory on Ubuntu. You can then put other user in the www-data group and you can create sub-directories under /var/www/html with different users/groups.
That is incorrect. Please reconsider that the account and group www-data exist to provide privilege separation. That goes out the window if either are somehow given write access to anywhere.
By default, the normal owner for the /var/www/ directory is root:root. Even in the Debian derivatives that is so. There does exist an account www-data and a group www-data, but neither are used for the file system. The are only used to keep the httpd processes separate from the rest of the system. Giving the HTTP daemon write access weakens the resliance of the system in regards to attack.
Again, the group www-data should not be used for /var/www/ nor should the account www-data be used for /var/www/ except in a few fringe edge cases. For a normal web service, the only thing www-data needs is to be able to read /var/www/ and that can be done with the normal drwxr-xr-x aka 755 directory permissions.
No. That is quite incorrect. Apache2 should have read access only, not write access. I'm not sure why that misperception is around at all. It would violate the privilege separation provided by running Apache2 as a separate account to have that very same account be able to write pages which it is serving up.
Anyway, if there is and will be only one account needing access, the quick way is to chown the directories and documents under /var/www/html/ to whatever single user needs access. Be sure that Apache2 can still read the files through o=r and the directories through o=rx.
Either way the account and group that Apache2 is in should not be given write access nor should that group get any other accounts added to it.
I stand corrected. You are absolutely correct. The owner of the webspace should NOT be the web server user.
I apologize for any confusion.
I still disagree about using groups to manage multiple users in that space however.
A snippet of the setup on my server:
Code:
# ll /var/www/html
total 108
drwxr-xr-x. 7 user1web ftpusers 8192 Feb 26 2018 site1
drwxr-xr-x. 18 user2web ftpusers 16384 Nov 20 11:48 site2
drwxr-xr-x. 3 scaseyweb ftpusers 4096 Nov 27 2014 site3
drwxr-xr-x. 5 scaseyweb ftpusers 4096 Mar 27 2019 site4
Users user1 and user2 have ftp access to the content they maintain themselves.
We maintain the content on site3 and site4, so those are both owned by us.
As all those directories (and the files therein) are "world readable" the web user can serve them.
I still disagree about using groups to manage multiple users in that space however.
If you have only one user, then that is the most convenient way.
Once you have more than one, the groups come into play. In some file systems, ACLs max out at much less than two dozen accounts, I cannot recall what the limit is for EXT4 though.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
edro
