Who should own Public_HTML?
/srv/www/domain.com/public_html
My question is what should the group and user be set to on public_html? By default it was root and root post installation, but recently I set it to my standard user account out of laziness to create and edit files in there. Is this safe to do?
It still serves the pages ok but I wasn't sure if www-data was supposed to be in charge or what? Any advice or tips much appreciated!
11 Replies
1) You're using Suexec which requires the owner and executor are the same
2) Your web server needs to write files; it tends to be wise to set the owner to www-data if you want to update WordPress, for example
3) You're running a multi user environment, then the group sgid bit comes in handy
I tend to keep ownership to the user I sftp in as. But I don't run wordpress, suexec and work in a single user environment
So would it be practical to set www-data to group and owner and then add my standard user to www-data group or is that frowned upon then?
chgrp -R serverwritable /path/to/files; chmod -R g+w /path/to/files; find /path/to/files -type d -exec chmod g+s {} \;
which sets the group, gives the group write permissions and sets the gid on execution of folders so new files should have group write perms
> I'd create a group say called "sitewritable" and add the web server and my user to that group then
Why do this when there is already something in place?
In Ubuntu/Debian it is:
group: www-data
user: www-data
Just do this:
sudo chown -R www-data /var/www/
@reaktor:
Just do this:
sudo chown -R www-data /var/www/
Don't do that.
If an exploit is discovered in a script you run then it could possibly be used to delete/overwrite every file and directory on the site.
www-data ownership should be assigned only under specific and controlled circumstances.
For most files and directories, assign ownership to the shell user who maintains them.
Who should own the public_html/ ??? I have it with root…
I run everything through mod_suexec. This way all PHP, CGI, etc. processes are run as the user that owns the virtual host. I also give public_html ownership to that particular user. All this eliminates the need to give o+w permission when a web site needs to write to a file, and adds a mediocre level of security by making sure no website actually runs as the Apache user.
@fernandoch:
Still not clear for me
:( Who should own the public_html/ ??? I have it with root…
If you administer the content in public_html, and you log in to the system as 'fernandoch', then the public_html directory and its content should be owned by user 'fernandoch'.
If a directory needs to be writeable by the webserver (e.g. for web-based uploads) then you have a choice of either: (a) changing permissions or ownership on the uploads directory to make it writeable; or (b) use suexec as saman007uk says, so that the upload script runs as user 'fernandoch' and has permission to write to the uploads directory, which is owned by user 'fernandoch'.
And for sure not root?
@fernandoch:
And for sure not root?
Yes.
@fernandoch:
So it should not be the same user as apache's user?
Depending on your setup. Basically the permissions need to be set up such that the Apache user can read any static data that you want available online.
# or B. More secure (recommended). Allow writing only in places Joomla! needs to write to (more secure)
sudo chown -R root:root /var/www/joomla
cd /var/www/joomla
PLACES='
administrator/backups
administrator/components
administrator/modules
administrator/templates
cache
components
images
images/banners
images/stories
language
mambots
mambots/content
mambots/editors
mambots/editors-xtd
mambots/search
media
modules
templates
'
for i in $PLACES; do
    sudo chown -R www-data:www-data "$i"
done
Taken from here
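An added example, not part of any post in this thread: a shell function that checks the state the replies argue for, where the web server account can write only in the directories it was deliberately given. The function name `audit_webroot` and its argument order are hypothetical; the web server user and group (www-data on Debian/Ubuntu, per the thread) are passed in as arguments.

```shell
#!/bin/sh
# Added example: list every path under a document root that the web server
# account is able to write to, except inside directories that are meant to be
# writable (uploads, cache, ...). No output means the docroot is locked down.
#
# usage: audit_webroot DOCROOT WEBUSER WEBGROUP [WRITABLE_SUBDIR ...]
#   WRITABLE_SUBDIR is relative to DOCROOT, e.g. "cache" or "images/stories".
audit_webroot() {
    root=${1%/}          # drop one trailing slash so prefixes compare cleanly
    web_user=$2
    web_group=$3
    shift 3              # remaining arguments are the allowed writable subdirs

    # A path is writable by the web account if it owns it with u+w, if it is
    # in the path's group with g+w, or if the path is world-writable.
    # Symlinks are skipped because their own mode bits are not meaningful.
    find "$root" ! -type l \( \
            \( -user "$web_user" -perm -200 \) -o \
            \( -group "$web_group" -perm -020 \) -o \
            -perm -002 \) -print |
    while IFS= read -r path; do
        allowed=no
        for dir in "$@"; do
            case $path in
                "$root/$dir"|"$root/$dir"/*) allowed=yes ;;
            esac
        done
        [ "$allowed" = yes ] || printf '%s\n' "$path"
    done
}
```

Run against the Joomla layout in the last post, it would be called as `audit_webroot /var/www/joomla www-data www-data cache images media ...` with the rest of the PLACES list; anything it prints is a path the web server can modify that was not on that list.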