LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 01-13-2020, 07:26 PM   #1
Pedroski
Senior Member
 
Registered: Jan 2002
Location: Nanjing, China
Distribution: Ubuntu 18.04
Posts: 1,778

Rep: Reputation: 67
change permissions for /var/www/html


I got a book PHP & MySQL: Novice to Ninja by Kevin Yank. I want to learn a bit about these two topics.

Following the instructions, I installed apache2, mysql and php

I run Ubuntu 18.04. I use Bluefish to make files.

Trouble is, when I want to save the file in /var/www/html from Bluefish, I can't.

I've got to sudo them in.

Quote:
sudo mv /home/pedro/Desktop/today.php /var/www/html/
Without causing a security problem, what is the best way to change the permissions?

Make a group and add myself?

Actually, I am the only user on this old laptop.
 
Old 01-13-2020, 07:54 PM   #2
sevendogsbsd
Senior Member
 
Registered: Sep 2017
Posts: 1,207

Rep: Reputation: 463Reputation: 463Reputation: 463Reputation: 463Reputation: 463
Don’t get in the Windows mindset and lessen permissions. Sudo is the correct way to do this.
 
1 members found this post helpful.
Old 01-13-2020, 08:14 PM   #3
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.7.1908
Posts: 4,248

Rep: Reputation: 1483Reputation: 1483Reputation: 1483Reputation: 1483Reputation: 1483Reputation: 1483Reputation: 1483Reputation: 1483Reputation: 1483Reputation: 1483
I usually set up a directory under /var/www/html owned by your user with permissions set to 755. Put the content in there.
Set the DocumentRoot to that sub directory.
 
1 members found this post helpful.
Old 01-13-2020, 08:32 PM   #4
sevendogsbsd
Senior Member
 
Registered: Sep 2017
Posts: 1,207

Rep: Reputation: 463Reputation: 463Reputation: 463Reputation: 463Reputation: 463
Doesn’t the web server process need access to that directory though? How is that accomplished in that scenario?
 
1 members found this post helpful.
Old 01-13-2020, 08:44 PM   #5
Pedroski
Senior Member
 
Registered: Jan 2002
Location: Nanjing, China
Distribution: Ubuntu 18.04
Posts: 1,778

Original Poster
Rep: Reputation: 67
root is the owner of /var/www/html/

root is also the group

Can I add myself to group root? Would that allow me read write access when saving from Bluefish?

Is that a reasonable way to do this?
 
Old 01-13-2020, 08:45 PM   #6
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.7.1908
Posts: 4,248

Rep: Reputation: 1483Reputation: 1483Reputation: 1483Reputation: 1483Reputation: 1483Reputation: 1483Reputation: 1483Reputation: 1483Reputation: 1483Reputation: 1483
Quote:
Originally Posted by sevendogsbsd View Post
Doesn’t the web server process need access to that directory though? How is that accomplished in that scenario?
It has read access to the directory and the files therein as on “other” or “world” user. That’s all it needs to be able to serve the files...to be able to read them.
The owning user has rw group and others are read...for files: -rw-r—r—
for the directory: -rwxr-r-xr-x
 
2 members found this post helpful.
Old 01-13-2020, 08:47 PM   #7
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.7.1908
Posts: 4,248

Rep: Reputation: 1483Reputation: 1483Reputation: 1483Reputation: 1483Reputation: 1483Reputation: 1483Reputation: 1483Reputation: 1483Reputation: 1483Reputation: 1483
Quote:
Originally Posted by Pedroski View Post
root is the owner of /var/www/html/

root is also the group

Can I add myself to group root? Would that allow me read write access when saving from Bluefish?

Is that a reasonable way to do this?
No. And root should not be the owner of the files in the Web space...the web server user should be...typically that’s apache.

Last edited by scasey; 01-13-2020 at 08:49 PM.
 
2 members found this post helpful.
Old 01-13-2020, 09:40 PM   #8
Pedroski
Senior Member
 
Registered: Jan 2002
Location: Nanjing, China
Distribution: Ubuntu 18.04
Posts: 1,778

Original Poster
Rep: Reputation: 67
Quote:
pedro@pedro-school2:~$ groups apache
groups: ‘apache’: no such user
pedro@pedro-school2:~$ groups apache2
groups: ‘apache2’: no such user
pedro@pedro-school2:~$
No user apache or apache2

Should I create a user apache and make him the owner of /var/www?

Should I make a group apache and add myself to it? Or just make myself the owner of /var/www

I just don't know the best way to do this.
 
Old 01-13-2020, 09:49 PM   #9
Pedroski
Senior Member
 
Registered: Jan 2002
Location: Nanjing, China
Distribution: Ubuntu 18.04
Posts: 1,778

Original Poster
Rep: Reputation: 67
Quote:
getent group
shows no group apache

It does have a group www-data:x:33:

Quote:
sudo:x:27edro
audio:x:29ulse
dip:x:30edro
www-data:x:33:
Should I be in that group maybe?
 
Old 01-13-2020, 10:28 PM   #10
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.7.1908
Posts: 4,248

Rep: Reputation: 1483Reputation: 1483Reputation: 1483Reputation: 1483Reputation: 1483Reputation: 1483Reputation: 1483Reputation: 1483Reputation: 1483Reputation: 1483
Quote:
Originally Posted by Pedroski View Post
shows no group apache

It does have a group www-data:x:33:



Should I be in that group maybe?
See #3
I host more than 70 domains...none of their spaces are owned by the web server user, nor are any of the owning users a member of the web server users group.
 
Old 01-14-2020, 12:30 AM   #11
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 4,364
Blog Entries: 3

Rep: Reputation: 2177Reputation: 2177Reputation: 2177Reputation: 2177Reputation: 2177Reputation: 2177Reputation: 2177Reputation: 2177Reputation: 2177Reputation: 2177Reputation: 2177
Quote:
Originally Posted by scasey View Post
No. And root should not be the owner of the files in the Web space...the web server user should be...
No. That is quite incorrect. Apache2 should have read access only, not write access. I'm not sure why that misperception is around at all. It would violate the privilege separation provided by running Apache2 as a separate account to have that very same account be able to write pages which it is serving up.

Anyway, if there is and will be only one account needing access, the quick way is to chown the directories and documents under /var/www/html/ to whatever single user needs access. Be sure that Apache2 can still read the files through o=r and the directories through o=rx.

However, if you have multiple accounts needing write access, then you'll have to add an extra group just for that purpose and work with that.

Either way the account and group that Apache2 is in should not be given write access nor should that group get any other accounts added to it.
 
2 members found this post helpful.
Old 01-14-2020, 11:44 AM   #12
yancek
LQ Guru
 
Registered: Apr 2008
Distribution: PCLinux, Slackware
Posts: 8,823

Rep: Reputation: 1842Reputation: 1842Reputation: 1842Reputation: 1842Reputation: 1842Reputation: 1842Reputation: 1842Reputation: 1842Reputation: 1842Reputation: 1842Reputation: 1842
The owner:group for the /var/www directory is usually apache:apache. For some reason, the developers at debian/ubuntu decided to change that to www-data:www-data so that is the owner:group you need for that directory on Ubuntu. You can then put other user in the www-data group and you can create sub-directories under /var/www/html with different users/groups.
 
1 members found this post helpful.
Old 01-14-2020, 12:08 PM   #13
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 4,364
Blog Entries: 3

Rep: Reputation: 2177Reputation: 2177Reputation: 2177Reputation: 2177Reputation: 2177Reputation: 2177Reputation: 2177Reputation: 2177Reputation: 2177Reputation: 2177Reputation: 2177
Quote:
Originally Posted by yancek View Post
The owner:group for the /var/www directory is usually apache:apache. For some reason, the developers at debian/ubuntu decided to change that to www-data:www-data so that is the owner:group you need for that directory on Ubuntu. You can then put other user in the www-data group and you can create sub-directories under /var/www/html with different users/groups.
That is incorrect. Please reconsider that the account and group www-data exist to provide privilege separation. That goes out the window if either are somehow given write access to anywhere.

By default, the normal owner for the /var/www/ directory is root:root. Even in the Debian derivatives that is so. There does exist an account www-data and a group www-data, but neither are used for the file system. The are only used to keep the httpd processes separate from the rest of the system. Giving the HTTP daemon write access weakens the resliance of the system in regards to attack.

Again, the group www-data should not be used for /var/www/ nor should the account www-data be used for /var/www/ except in a few fringe edge cases. For a normal web service, the only thing www-data needs is to be able to read /var/www/ and that can be done with the normal drwxr-xr-x aka 755 directory permissions.
 
Old 01-14-2020, 12:25 PM   #14
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.7.1908
Posts: 4,248

Rep: Reputation: 1483Reputation: 1483Reputation: 1483Reputation: 1483Reputation: 1483Reputation: 1483Reputation: 1483Reputation: 1483Reputation: 1483Reputation: 1483
Quote:
Originally Posted by Turbocapitalist View Post
No. That is quite incorrect. Apache2 should have read access only, not write access. I'm not sure why that misperception is around at all. It would violate the privilege separation provided by running Apache2 as a separate account to have that very same account be able to write pages which it is serving up.

Anyway, if there is and will be only one account needing access, the quick way is to chown the directories and documents under /var/www/html/ to whatever single user needs access. Be sure that Apache2 can still read the files through o=r and the directories through o=rx.

However, if you have multiple accounts needing write access, then you'll have to add an extra group just for that purpose and work with that.

Either way the account and group that Apache2 is in should not be given write access nor should that group get any other accounts added to it.
I stand corrected. You are absolutely correct. The owner of the webspace should NOT be the web server user.
I apologize for any confusion.

I still disagree about using groups to manage multiple users in that space however.
A snippet of the setup on my server:
Code:
# ll /var/www/html
total 108
drwxr-xr-x.  7 user1web     ftpusers  8192 Feb 26  2018 site1
drwxr-xr-x. 18 user2web     ftpusers 16384 Nov 20 11:48 site2
drwxr-xr-x.  3 scaseyweb    ftpusers  4096 Nov 27  2014 site3
drwxr-xr-x.  5 scaseyweb    ftpusers  4096 Mar 27  2019 site4
Users user1 and user2 have ftp access to the content they maintain themselves.
We maintain the content on site3 and site4, so those are both owned by us.
As all those directories (and the files therein) are "world readable" the web user can serve them.

/var/www/html is owned by root:root.
 
Old 01-14-2020, 12:31 PM   #15
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 4,364
Blog Entries: 3

Rep: Reputation: 2177Reputation: 2177Reputation: 2177Reputation: 2177Reputation: 2177Reputation: 2177Reputation: 2177Reputation: 2177Reputation: 2177Reputation: 2177Reputation: 2177
Quote:
Originally Posted by scasey View Post
I still disagree about using groups to manage multiple users in that space however.
If you have only one user, then that is the most convenient way.

Once you have more than one, the groups come into play. In some file systems, ACLs max out at much less than two dozen accounts, I cannot recall what the limit is for EXT4 though.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
index.html file for apache2 from var/www/html for debian test2017 Linux - Networking 2 07-25-2017 04:38 PM
[SOLVED] get var value when var name is part of another var bilyboy65 Linux - Newbie 9 10-21-2012 10:32 AM
Nginx + Apache. Always get /var/www/html/index.html angryrabbit Linux - Server 1 11-27-2011 05:56 PM
adding index.html to /var/www/html not working dannyboy990 Linux - Newbie 1 09-30-2007 09:43 AM
index.html is not noticed in /var/www/html xviddivxoggmp3 Red Hat 1 04-23-2006 07:30 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 07:04 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration