Debian – Is giving all permissions to www-data group a good idea

apache-httpddebianpermissionsSecurity

I constantly have problems with read & write & execute permissions by Apache/me. There is a user "konrad" (it's me) in "konrad" group, and there is a user "www-data" in "www-data" group used by Apache. When I ("konrad") create a directory, then Apache have no rights to write to this folder which causes problems.

So now I have the following "idea": I will add myself ("konrad" user) to the "www-data" group (where also Apache's user belongs) and then I chown all my www projects, so that they will belong to user "konrad" but group: "www-data". And I will chmod the projects so that this group will have all permissions to files and directories (I think that would be 770).

Then I will change my primary group from "konrad" to "www-data", so everytime I'll create a new directory/file Apache will also have a full access to it.

The question is: is this a good idea? I don't have a great experience with permissions or even Unix itself. So maybe I'm missing something. But it seems reasonable to me.

Best Answer

Apache runs as a non-privileged user known as www-data in Debian distros for quite a very good reason: security.

It is considered a good security practice when dealing with daemons giving up privilege rights, avoiding as much as possible to create configuration files or data files with the ownership of the non-privileged user that runs the daemon - as such, if the Apache user is compromised, the attackers will have a much more hard time to mess around things or deface a site.

As possible, I recommend to create sites with different users, and to give read rights to the www-data group only; and to have only write access to www-data in directories that really need them. However even this can be avoided using mod-ruid2.

mod-ruid2 allows actually to run each site/vhost with their owner, and dealing with the security model of pages is much easier. It takes out the necessity of creating world writable directories. It also guarantees that in case of a compromise of one vhost, the attacker is not able to plant malware in the other vhosts.

mod-ruid2 is also advised for people with a hosting model, and we use it here to run a few hundreds sites, with quite success.

Unfortunately, the documentation about mod-ruid2 is a bit scant, and I had to write a more elaborate post to describe it here in Unix and Linux.

Related Solutions

Ubuntu – How to configure permissions to allow gedit, apache, and an IDE play together

What I recommend doing has been mostly described in this Ask Ubuntu question.

For this particular case I would install suPHP which in short allows you to execute PHP scripts as your user under Apache.

By doing the following:

sudo chown -R youruser:youruser /var/www
find /var/www/ -type d -exec chmod 0755 {} \;
find /var/www/ -type f -exec chmod 0644 {} \;

Install suphp-common and libapache2-mod-suphp from this ppa (What are PPAs and how do I use them?)

Disable mod_php5 and enable mod_suphp

sudo a2enmod suphp
sudo a2dismod php5

Update your virtual hosts to include this line at the bottom of them:

suPHP_UserGroup youruser youruser

Replacing youruser with the user you use to edit files on the server. Restart Apache.

From this point forward Apache will execute all php scripts are your user, which means they can be owned by your user/group and there is no need to use crazy permissions like 777. Since everything is run as your user all files created by the php scripts will be owned by your user as well! There are many other cool things you can do with suPHP; however, from what it sounds like this is all you'll need to get started.

Apache2 permissions issue

You would have been better off with the www directory at /var/www, with owner www-data and group www-data, and adding your user to the www-data group.

First, change the DocumentRoot etc back to /var/www in the apache config.

The /var/www directory (and all subdirectories in it) should be setgid, so that files and dirs are created with group www-data.

All of the following should be run as root, or with sudo:

mkdir -p /var/www

if there were any files in /home/user/www that you want to keep, move them to /var/www now with:

mv /home/user/www/* /var/www/

Now fix the permissions and ownership of the /var/www directory.

chown -R www-data:www-data /var/www
chmod -R 775 /var/www
find /var/www -type d -print0 | xargs -0r chmod g+s
adduser user www-data

The next time 'user' logins in (or runs newgrp www-data), they should have write permission in /var/www

BTW, if you want to make it easy for 'user' to find the web files, just make a symlink in their home directory:

 ln -s /var/www/ /home/user/

Best Answer

Related Solutions

Ubuntu – How to configure permissions to allow gedit, apache, and an IDE play together

Apache2 permissions issue

Related Question