Ubuntu – Change www directory mode only from web application

Apache2cgipermissionsserver

I am using Apache web server in ubuntu, Linux. I am writing Web Application using CGI. There are the paths of my works.

WWW Dir -> /var/myproj/www/
Data Dir -> /var/myproj/data/
App Dir -> /usr/lib/cgi-bin/

Proj Dir -> /home/$USER/myproj/www/

Sometimes I will copy a file from Data Dir to WWW Dir through my CGI application. I will read, write and update data located in Data Dir from my CGI Application.
My query is, I should read and write files located in WWW Dir and Data Dir only by CGI Application. Even an any of local user shouldn't read and write those file located in Data and WWW directories.

But I use grunt application to update my WWW Directory from my Proj Directory. Only My CGI application and Grunt Application can update the WWW and Data Directories.

To do this, What Ownership and access mode should I give?

Best Answer

Use a dedicated user and group.

You can make "data" be owned by the "CGI app user" and set it to "700" for directories and "600" for files. Nobody other than the admin and that user will be able to even enter the directory. Nor can they read the files.

For grunt: you could add that user to the same group as your "CGI app user".

For writing into the "www" directory add those 2 users to the group that owns "www".

I must warn you that what you wish to do is very risky and I don't suggest you to do it so.

But if you yet wish to do it AT YOUR OWN RISK:

You can change your default folder for www content by editing the information provided inside the /etc/apache2/sites-available/default file. By dropping sudo gedit /etc/apache2/sites-available/default and changing any occurrence of the /var/www and setting the folder that you wish to use.

The contents of the file will look like this:

<VirtualHost *:80>
    ServerAdmin webmaster@localhost

    DocumentRoot /home/geppettvs/www
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /home/geppettvs/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>

In this case I am using my /home/geppettvs/www folder in order to place the files that will be exposed to the public via http connections (port 80).

Give this a try. I hope this help you.

Please note that you may experience some issues when attempting to do certain things in some files or folders from the root directory if you don't give them the proper permissions but that's worth another question.

Good luck!

Best Answer

Related Solutions

Apache Configuration – Redirect Apache /var/www to Home Directory

I must warn you that what you wish to do is very risky and I don't suggest you to do it so.

Related Question