LinuxQuestions.org
Old 10-12-2021, 06:45 PM   #1
Pedroski
Senior Member
 
Registered: Jan 2002
Location: Nanjing, China
Distribution: Ubuntu 20.04
Posts: 1,928

Rep: Reputation: 70
Who should be the owner of files in /var/www/ me, as the only user on the server, or www-data?


Setting up an Ubuntu 20.04 Server on a cloud server.

From this site I am told

Code:
sudo mkdir -p /var/www/example.com/public_html
sudo chown -R $USER:$USER /var/www/example.com/public_html
sudo chmod -R 755 /var/www/example.com/public_html
sudo find /var/www/example.com/public_html -type d -exec chmod g+s {} \;
Another "set up a virtual server" site told me I should make www-data the owner of all files.

What would you recommend? (I have never had a cloud server before.)

At home, on my laptop, I sometimes get "permission denied" error in apache error.log, so then I run the following, which were recommended to me here on LQ:

Code:
sudo chown -R pedro /var/www/html
sudo chgrp -R www-data /var/www/html/
sudo chmod -R 770 /var/www/html/
sudo chmod g+s /var/www/html/
 
Old 10-13-2021, 03:45 AM   #2
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 17,934
Blog Entries: 11

Rep: Reputation: 5409
Careful with "chmod -R". I would go with the minimum permissions required. Often files don't even need to be executed, only directories. See e.g. this answer.
Let's be very clear: "chmod -R 755" is definitely WRONG in this case, and 770 is just as bad!

This is one of the things that are different when you run your own server, as opposed to shared hosting.
Your server software (apache2) runs as a particular user. Your www/html files should be owned by that user (usually www-data, likely more restricted than pedro) and have minimum permissions required. Probably just 600 for regular files, and 700 for directories. This will require some changes on how you write/copy/edit files in there.

Last edited by ondoho; 10-13-2021 at 04:11 AM.
 
Old 10-13-2021, 03:55 AM   #3
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,854
Blog Entries: 3

Rep: Reputation: 3040
Quote:
Originally Posted by Pedroski
... so then I run the following, which were recommended to me here on LQ:
Ouch. The wrong permissions are commonly found on the net, even on some posts here on LQ.

The only requirement for serving pages, at least static pages, is for Apache's process to be able to read the files.

For making web pages the authors need write access, something which is done using groups. See my third blog post for details of sharing write access with EXT file systems. However, if it is just you and no one else then these settings should fix the site:

Code:
sudo find /var/www/html/ -type d -exec chmod u=rwx,g=rwx,o=rx {} \;
sudo find /var/www/html/ -type f -exec chmod u=rw,g=rw,o=r {} \;

sudo chown -R pedro:pedro /var/www/html/
However, which CMS are you using? Some of the more common ones require allowing write access in certain places.

Or have you taken a more modern approach and used a static site generator or gone hard core and made static pages with your own templates?

At the end of the day you are aiming to achieve something similar to Write XOR eXecute (W^X) separation, though in this case the execute part means publishing publicly. In other words, a process or account can either write to a file or directory or else be able to publish it, but not both. The ideas there are privilege separation and, for the separate activities, least privilege.
 
Old 10-13-2021, 05:13 AM   #4
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 16,967

Rep: Reputation: 5722
Quote:
Who should be the owner of files in /var/www/ me, as the only user on the server, or www-data?
That is just wrong. You are probably the only [real] human being, but not the only user on that server. The goal is to run different services with different users. For example the user www-data is used to "own" data related to www (web server). That's why the home dir of the user www-data is /var/www (usually). Other services - for example: mail, printer, syslog, pulse, gdm ... (Obviously it is just a simplified example.)
That makes the system more stable and less vulnerable.
If you are unsure use these recommendations. If you want to do it differently you have to know why [is it better than that default].
 
Old 10-13-2021, 06:40 PM   #5
Pedroski
Senior Member
 
Registered: Jan 2002
Location: Nanjing, China
Distribution: Ubuntu 20.04
Posts: 1,928

Original Poster
Rep: Reputation: 70
Thanks for the replies!

I have a GoDaddy shared hosting. I was very happy with GoDaddy. Everything worked!

It will expire soon. I don't use it anymore, it is too slow in China, from beyond "The Great Firewall".
If I use a video, the students complain, they can't load it.

I checked GoDaddy yesterday.

public_html has 750
All sub-folders have 755
All files have 644

So that's what I thought I would try.

@Turbocapitalist
I don't have a CMS. I don't know what I could use. My boss won't pay me $25 a month for Plesk!

Like I mentioned, I first try all webpages on this laptop. When everything works, I upload the webpage, sound files, php files.

Usually everything just works then.

Sometimes I get a blank screen. That's usually due to PHP. Look in apache error.log, correct it.

This was an answer I found to "which permissions":

Quote:
# from https://serverfault.com/questions/35...inux-webserver

Maintained by a single user

If only one user is responsible for maintaining the site, set them as the user owner on the website directory and give the user full rwx permissions.
Apache still needs access so that it can serve the files, so set www-data as the group owner and give the group r-x permissions.

In your case, Eve, whose username might be eve, is the only user who maintains contoso.com :

chown -R eve contoso.com/
chgrp -R www-data contoso.com/
chmod -R 750 contoso.com/
chmod g+s contoso.com/
For setting file permissions the above webpage has (well, I put -v in, to see what is happening):

Quote:
find /var/www/html/19BE1cw/ -type f -print0 | xargs -0 chmod -v 644
Still haven't got the ICP permission, so the webpage on the cloud server is not available yet! Hopefully today!

If you guys have any more tips, I will be very glad to hear them!
 
Old 10-13-2021, 11:34 PM   #6
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,854
Blog Entries: 3

Rep: Reputation: 3040
Ok, for the permissions, it is important to understand the settings you have made. For things to work with Apache2, it needs read permission and you yourself need write permission and nothing else matters. So with public_html having 750, with your account as the owner and www-data as the group, you have read/write permission and the web daemon has read permission. All other accounts are blocked from even passing through the directory. Then it is the same for the files and subdirectories except that, if other accounts could have passed through public_html, which they can't with 750, then they could have read permission. So if you are still fuzzy on the permissions, work through the guide link or try some experiments with a subdirectory there.

Quote:
Originally Posted by Pedroski
I don't have a CMS. I don't know what I could use. My boss won't pay me $25 a month for Plesk!

Like I mentioned, I first try all webpages on this laptop. When everything works, I upload the webpage, sound files, php files.
Plesk would be unnecessary. You have more flexibility and options with SSH with SFTP.

A content management system (CMS) is software which manages the web site's pages, including layout and content. They can get very heavy and complex, like WordPress, Joomla, and Drupal, or be lean like Pelican or Hugo. If you're fine with writing your own pages then that's even better. Stay with that method, it is superior for small sites. Though I am still curious as to why PHP is involved there.
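
Added example, not part of any post in this thread: a mode-bit audit for the owner-writes, web-server-reads layout discussed above (your account as owner, www-data as group). The function names `audit_webroot` and `webroot_is_clean` and the sample tree are constructed for illustration; the audit looks only at permission bits, not at who owns the files.

```shell
#!/bin/sh
# Added example: mode-bit audit of a web root (helper names are hypothetical).
# Assumes the layout discussed in the thread: your account owns the tree and
# www-data is the group, so any group or other write bit means the serving
# account (or anyone else) can change what gets published.

# audit_webroot DIR -> prints "REASON path" per finding, nothing if clean
audit_webroot() {
    # Symlinks always show mode 777, so skip them.
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -print |
        sed 's/^/WRITABLE /'
    # Regular files rarely need an execute bit; directories do.
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print |
        sed 's/^/EXEC /'
}

# webroot_is_clean DIR -> exit status 0 when the audit reports nothing
webroot_is_clean() {
    [ -z "$(audit_webroot "$1")" ]
}

# Constructed sample tree, so the audit can be tried without touching /var/www.
demo=$(mktemp -d)
mkdir "$demo/audio" "$demo/uploads"
: > "$demo/index.html"
: > "$demo/audio/answers.php"
: > "$demo/deploy.sh"
chmod 750 "$demo" "$demo/audio"      # owner rwx, group r-x, others nothing
chmod 777 "$demo/uploads"            # world-writable directory
chmod 640 "$demo/index.html"         # owner rw-, group r--
chmod 664 "$demo/audio/answers.php"  # group may write
chmod 750 "$demo/deploy.sh"          # execute bit on a regular file

audit_webroot "$demo"
```

Point `audit_webroot` at the real document root before and after changing permissions; an empty report means no group or other write bits and no executable regular files remain.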
 
Old 10-14-2021, 12:59 AM   #7
Pedroski
Senior Member
 
Registered: Jan 2002
Location: Nanjing, China
Distribution: Ubuntu 20.04
Posts: 1,928

Original Poster
Rep: Reputation: 70
@Turbocapitalist

Thanks for your reply!

During this virus crisis, the college remained closed and we were told to do classes online.

I use a textbook called Career Express Business English 3. Normally, we finish 1 unit in 2 class periods.

So I just extract the pages I need from a PDF with a little Python program, OCR that with LIOS.

Then I take the text and make it into html using Python and my own module guiHTML. Mostly just "listen and fill in the gaps" or radio buttons.

My webpages are all just html forms. When the student clicks "send my answers", PHP collects the answers, marks them and writes them to MySQL.

For homework, there is no login, just send before Friday 8pm each week.

But for online class, I have to keep a record of who attends and the time, so I use a PDO login system.

If a student comes late, he or she will be marked absent. All PHP + MySQL.

Also, students can see their score and see the correct answers at the end of each week. PHP + MySQL!

All PHP + MySQL, a very handy combination, although, PHP is a bit more tricky than Python.
 