
I have a simple question; however, I am struggling to understand how to do this in a secure manner.

I have a PHP-based web application that runs on Linux (CentOS 7). I have "user" access with sudo privileges on the Linux server.

The web server (Apache) runs as the "apache" user with the "apache" group.

The problem is that when I try to deploy applications using WinSCP, I get permission denied errors. The ONLY way I can solve this problem is to do a

    usermod -g apache myusername
    chmod 775 /var/www/html

I don't want to give 775 to the entire web folder; I think it's a big security issue. What is the most secure way to achieve this type of task?

How can I deploy my app using WinSCP with my user account but AS the apache user? Or any other suggestions on common industry practice that is considered safe?

mahen3d

1 Answer

There are multiple recommended ways to solve this issue.

  1. Add write access on /var/www/html to the user who logs in through WinSCP/SFTP. This can be done in multiple ways.
    • Changing the group to the running user (and grant write access)
      sudo chgrp <user> /var/www/html
      sudo chmod g+w -R /var/www/html
      
      Note: This works because there is always a unix group created for users.
    • Creating a new unix group containing both apache and the user (and grant write access)
      sudo groupadd <groupname>
      sudo chgrp <groupname> /var/www/html
      sudo chmod g+w -R /var/www/html
      
  2. Run the apache service as the user logging in through WinSCP/SFTP. (link)
  3. Move apache document root from /var/www/html (Simply by creating a symlink from /var/www/html to a directory owned by deployment user or by updating the apache configuration)
  • I use method 1 in this scenario which works well. – Falstone Aug 10 '21 at 08:23
  • @sreeraj can you explain this no. 1 option a bit more, with screenshots, on how to change to the running group? – mahen3d Aug 11 '21 at 22:55
  • @mahen3d Added more details as you mentioned. – Sreeraj Karichery Aug 13 '21 at 04:06
  • I will add this as a comment rather than a separate answer, because I think Sreeraj deserves the bounty for his quite full answer. You have raised concerns about security. So, building on bullet 1 of the answer, you could reverse the ownership to give you a little more security. Assuming your WinSCP user is called 'fred'. First: chown -R fred:apache /var/www/html Then: chmod 750 /var/www/html That limits the apache user's permissions. There might be the odd file in the directory that apache needs to write to, but that could have its permissions set on an individual file basis. – Falstone Aug 13 '21 at 13:19
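The following is an added example, not code from the answer or the comments above; the function names (deploy_dir_setup, writable_subdir, perm_of, group_of) are my own. It carries the "reverse the ownership" idea from the last comment through consistently: the deployment user owns the tree, apache only reads it through the group, "other" gets nothing, directories carry the setgid bit so files uploaded later keep the apache group instead of the uploader's primary group, and only the subtrees the application really has to write to (uploads, cache) are opened to the group.

```shell
#!/bin/sh
# Added example, not the answerer's or commenter's code. Names are hypothetical.
# Layout produced:
#   directories  2750  owner rwx, group r-x, other ---, setgid so new entries
#                      inherit the directory's group (apache) automatically
#   files         640  owner rw-, group r--, other ---
# owner = deployment (WinSCP/SFTP) user, group = apache: the web server can
# read the code but cannot modify it. Directories the application must write
# to are opened to the group separately with writable_subdir.

perm_of() {
    # Octal mode of a path, including the setgid digit (GNU stat; BSD fallback).
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Mp%Lp' "$1"
}

group_of() {
    # Name of the group owning a path.
    stat -c '%G' "$1" 2>/dev/null || stat -f '%Sg' "$1"
}

deploy_dir_setup() {
    docroot="$1"; owner="$2"; group="$3"
    # Ownership first: chown clears setuid/setgid bits on regular files,
    # so the mode is applied afterwards.
    chown -R "$owner:$group" "$docroot" || return 1
    find "$docroot" -type d -exec chmod 2750 {} + || return 1
    find "$docroot" -type f -exec chmod 640 {} + || return 1
}

writable_subdir() {
    # Grant the group (apache) write access to one subtree only.
    subdir="$1"
    find "$subdir" -type d -exec chmod 2770 {} + || return 1
    find "$subdir" -type f -exec chmod 660 {} + || return 1
}

# Usage on the real server (run with sudo; 'fred' is the WinSCP user):
#   deploy_dir_setup /var/www/html fred apache
#   writable_subdir  /var/www/html/uploads
```

Because "other" has no permissions at all, this only works when apache really is the group on the tree (the group_of check is a quick way to confirm), unlike the 775 setup from the question, which also relied on world read access. One caveat the thread does not mention: on CentOS 7 with SELinux enforcing, files uploaded over SFTP can end up with the wrong security context even when the Unix permissions are right; `restorecon -R /var/www/html` resets them to the policy default.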