0

I've read through a lot of articles about correct/secure (1) ownership and (2) access permissions for directories and files in a web accessible directory served by apache (e.g. /var/www/). Either I'm easily confused or there's a lot of confused/contradictory advice around.

Common CMS's such as drupal, wordpress, etc. typically recommend 755 for directories, 644 for files. However the recommendation to give group ownership to the apache process of all contents in the web root (i.e. chown -R :www-data /var/www/) is also made.

(1) First question: let's say group ownership of directories and files in /var/www/* belongs to www-data and, as usual, the apache process user www-data is the only member of this group. Meanwhile user ownership of directories and files in /var/www/* belongs to an ordinary user on the linux system who belongs to the sudo group (e.g. somesudouser). This gives us something like: 

    ----------  1 somesudouser www-data   3012 Jan 10 13:46 some-file.php
    d--------- 16 somesudouser www-data  12288 Jan 10 13:25 some-directory/

Given the above ownership structure, surely access permission for "other" could be set to 0; e.g. 750 for directories, 740 for files and this would not prevent apache correctly serving these files in response to a browser request: 

    -rwxr-----  1 somesudouser www-data   3012 Jan 10 13:46 some-file.php
    drwxr-x--- 16 somesudouser www-data  12288 Jan 10 13:25 some-directory/

What is wrong with this? I see no point in setting the "other" permission to anything apart from 0 (instead of the often recommended 5 for directories and 4 for files), and I see no reason why files should not have user ownership set to 7 (instead of the often recommended 6). What am I missing?

(2) Second question: when group ownership of directories and files in the web root belongs to a group that does not include the apache process (e.g. somesudouser:somesudouser), the apache process can interact with directories and files in the web root only if "other" access permission allow it. In terms of security, does either of the following have any real advantage/disadvantage: 

    -rwx---r--  1 somesudouser somesudouser   3012 Jan 10 13:46 some-file.php
    drwx---r-x 16 somesudouser somesudouser  12288 Jan 10 13:25 some-directory/

Or: 

    -rwxr-----  1 somesudouser www-data   3012 Jan 10 13:46 some-file.php
    drwxr-x--- 16 somesudouser www-data  12288 Jan 10 13:25 some-directory/

Or even: 

    -r--------  1 www-data www-data   3012 Jan 10 13:46 some-file.php
    dr-x------ 16 www-data www-data  12288 Jan 10 13:25 some-directory/

(3) And finally a question about w permissions. Let's say the apache process has group ownership of a file and this group has an access permission of 7: 

    ----rwx---  1 somesudouser www-data   3012 Jan 10 13:46 some-file.php

Why is this a problem? Can a malicious person hijack the apache user, edit some-file.php, and thus run malicious php on the linux system? How would this be done?

And what about if a directory has those same permission: 

    d---rwx--- 16 somesudouser www-data  12288 Jan 10 13:25 some-directory/

Can a malicious person cause the apache process to write new files to this directory? Again, how would this be done?

Thanks.

Improve this question

1 Answer 1

Reset to default
0

(1) First question: ... as usual, the apache process user www-data is the only member of this group ... What is wrong with this? I see no point in setting the "other" permission to anything apart from 0 (instead of the often recommended 5 for directories and 4 for files)

Firstly adding yourself as a system administrator/developer as a member of the www-data group is a perfectly good and valid idea as it would allow you to work with files and folders created by the webserver.
If your webserver document root permissions were setup like this, with setgid bit on directories you could work with files and folders created by the webserver and, because you have shared group ownership (and assuming umask of 002) the webserver could function properly with full access to files and folders that were created by you, ftp'ed, created etc.
In this case you would be right, setting the others bit to 0 would be sensible as the other UNIX accounts should not have any access to the document root.
I suspect your CMS docs suggest allowing other to have at least read is because most non-professional admins won't be knowledgeable enough to setup setgid etc and so in the case of www-data owned files, you will be other - this will at least allow you to read the files and vice versa with the server regarding your files.

(2) Second question: when group ownership of directories and files in the web root belongs to a group that does not include the apache process

It can depend on what the directory is used for, and whether the webserver needs write access to it to function. Generally you should give the webserver only enough permissions that it needs to function, but if the webserver does need permission, ideally it should be assigned though the ownership or group roles. If you give the world read /write access just so your webserver can read/write you are allowing others UNIX user accounts the same liberty. e.g. those other "neighbours" on a shared system that shouldn't be able to access your files , but occassionally can when the sysadmins slip up, and yes ive seen this happen.

(3) And finally a question about w permissions. Let's say the apache process has group ownership of a file and this group has an access permission of 7:

well yes, that pretty much going to be the main source of your problems, youve got a webserver connected to the internet - that will be constantly subjected to abuses, bad people trying to hijack the webserver into doing what they want - which may involve file manipulations within the document root and the website, e.g.

  • indexing/exploring directories
  • writing/defacing files - when the webserver needs only to read those files to function

Note, as a general security issue file system abuse via the webserver can spread into the rest of the operating system , e.g. reading passwords etc. So additionally you have permissions issues about the webserver viewing sensitive system information, passwords, logs etc outside the document root.
In regard to the document root permissions, what does a well configured permissions look like? I would recommend

and also reading

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.