Yes, setting the group write bit is fine, though you'll need a way of ensuring new files created in there get the permissions you want. No, do not ever use www-data to log in as, or add any user to the www-data group, or give www-data any additional permissions beyond necessary. It's an unprivileged account.
Some other answers are recommending bad security practices — thomasrutter. If you change the directory with a setgid bit, these problems should be history. Give it a try. First enter the user to the appropriate group. It should work and look something like this; please make sure you see the "s" when using ls. See here e. When I try to create a directory it says: permission denied. How can I understand it and in case assign it? I added the info for you — s1mmel. I tried, but something doesn't seem to work yet.
But it still does not work, if I connect in sftp with FileZilla and user1, I do not have permission to create files and folders. In the end I still can not disable the root user, because I need to manage the files of my sites. I do it to increase security, I don't want to risk decreasing it even more. I think rather calmly and with time to change the structure of files in my Sites, creating folders for sitemap files and images to be assigned to the user www-data, everything else to user1, but it will take some time unfortunately.
We use 'go', meaning apply to 'group' and 'other'. We use '-', which means remove permissions.
We use 'rwx' to remove read, write and execute permissions. This is not done recursively. Next, change all directories and files in the web root to the same group www-data - just in case there are files in there currently:
Next, let's do another "reset" of sorts - Make it so only the user can access web content: I actually give group write permissions as well, for users which need to modify content, such as users used to deploy code. This is useful if you have secret data in your configuration files.
Be careful about your umask! If you create a new file here, the permission values will probably default to You can run umask so that new files default to rw- r-- If more than one user is responsible for maintaining the site, you will need to create a group to use for assigning permissions. It's good practice to create a separate group for each website, and name the group after that website. In the previous example, we used the group owner to give privileges to Apache, but now that is used for the developers group.
Since the user owner isn't useful to us any more, setting it to root is a simple way to ensure that no privileges are leaked. Apache still needs access, so we give read access to the rest of the world.
If you have folders that need to be writable by Apache, you can make Apache either the user owner or the group owner. Either way, it will have all the access it needs. Personally, I prefer to make it the user owner so that the developers can still browse and modify the contents of upload folders. Although this is a common approach, there is a downside. Since every other user on the system has the same privileges to your website as Apache does, it's easy for other users to browse your site and read files that may contain secret data, such as your configuration files.
This can be further improved upon. It's perfectly legal for the owner to have fewer privileges than the group, so instead of wasting the user owner by assigning it to root, we can make Apache the user owner on the directories and files in your website. This is a reversal of the single maintainer scenario, but it works equally well.
If you have folders that need to be writable by Apache, you can just modify the permission values for the user owner so that www-data has write access. One thing to be careful about with this solution is that the user owner of new files will match the creator instead of being set to www-data.
So any new files you create won't be readable by Apache until you chown them. I mentioned earlier that it's actually possible for other users to snoop around your website no matter what kind of privileges you're using. By default, all Apache processes run as the same www-data user, so any Apache process can read files from all other websites configured on the same server, and sometimes even make changes. Any user who can get Apache to run a script can gain the same access that Apache itself has.
To combat this problem, there are various approaches to privilege separation in Apache. However, each approach comes with various performance and security drawbacks. In my opinion, any site with higher security requirements should be run on a dedicated server instead of using VirtualHosts on a shared server. I didn't mention it before, but it's usually a bad practice to have developers editing the website directly.
For larger sites, you're much better off having some kind of release system that updates the webserver from the contents of a version control system. The single maintainer approach is probably ideal, but instead of a person you have automated software. If your website allows uploads that don't need to be served out, those uploads should be stored somewhere outside the web root.
Otherwise, you might find that people are downloading files that were intended to be secret. For example, if you allow students to submit assignments, they should be saved into a directory that isn't served by Apache.
This is also a good approach for configuration files that contain secrets. For a website with more complex requirements, you may want to look into the use of Access Control Lists. These enable much more sophisticated control of privileges. If your website has complex requirements, you may want to write a script that sets up all of the permissions.
Test it thoroughly, then keep it safe. It could be worth its weight in gold if you ever find yourself needing to rebuild your website for some reason. This is a recap, but in this situation, bob is allowed to SSH. If there shouldn't be any user allowed to modify the website eg. Note: people tend to forget that limiting the u owner rights is most of the time useless and insecure, since the owner of a file can run the chmod command, even the rights are Maybe setuid on the directory can solve the problem.
Given the Google rank on the above excellent answer, I think there is one thing that should be noted, and I can't seem to leave a note after the answer. Continuing with the example, if you plan on using www-data as owner and dev-fabrikam as group with permissions on the directory or file, it is important to note that Linux ignores setuid, so all new files will be owned by the user that created them. This means that after creating new directories and files you will have to use something similar to:
In Ubuntu Was losing hairs at an increasing rate over that seemingly simple issue Deny AllowOverride and Index in uploads directory, so that Apache doesn't read. Also you can control the maximum file size, the maximum post size and the maximum files to upload in the same request.
When you have an FTP user called "leo" who needs to upload files to example. This command assigns leo as owner and group as apache to example. Here the first number 2 is for the directory and ensures each new file created will remain in the same group and owner permissions.
Do you chroot your PHP process? What if you don't, do you want it to crawl through the whole filesystem? Thus, if the web app process would be bogus it would just read specific files which would have group read, and it would be able to write to upload dir only. I would strongly recommend to have that upload dir on a filesystem with noexec,nodev,nosuid mount options and have constant monitoring for any new bizarre files in that directory, plus also monitor any new processes under test-www uid.
On Linux one could use ACL to better tune permissions. If more than one human should be able to upload web data, it would be better to split human account from the account used to upload web data files, ie. I really doubt most webhosting services care about privilege separation, when they write 'secure' without any info what you get, I would say they lie.
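
The checks the answers above ask for by hand (seeing the "s" on directories, keeping "other" from writing, watching the upload directory for odd files) can be run as one read-only audit. This is an added example, not code from any of the posts; the function names are hypothetical and the web root and upload directory are passed as arguments.

```shell
#!/bin/sh
# Added example: read-only audit of a web root for the permission
# problems discussed in the answers above. Function names are
# hypothetical; the web root and upload directory are arguments.

# Directories without the setgid bit: files created there take the
# creator's primary group instead of the site group.
dirs_without_setgid() {
    find "$1" -type d ! -perm -2000
}

# Anything writable by "other" (every local account, Apache included).
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002
}

# Regular files under the upload directory with any execute bit set.
executable_uploads() {
    find "$1" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \)
}

# Print labelled findings; return 1 if anything was found, else 0.
audit_webroot() {
    root=$1 uploads=$2 found=0
    for check in dirs_without_setgid world_writable; do
        out=$("$check" "$root")
        if [ -n "$out" ]; then
            found=1
            printf '%s\n' "$out" | sed "s|^|$check: |"
        fi
    done
    out=$(executable_uploads "$uploads")
    if [ -n "$out" ]; then
        found=1
        printf '%s\n' "$out" | sed 's|^|executable_uploads: |'
    fi
    return "$found"
}

# Usage: sh audit.sh /path/to/webroot [/path/to/uploads]
if [ "$#" -ge 1 ]; then
    audit_webroot "$1" "${2:-$1/uploads}"
fi
```

The non-zero exit status on findings lets the script run from cron or a deploy step and alert only when something drifts.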