4

we are configuring a PHP web application on CentOS and have all our files currently in /var/www/html/project/

Apache is configured to run as apache:apache and has access to the directory above. Right now our files and directories have the following rights:

owner = root group = apache

DIRECTORIES: drwxr-x--- root apache

FILES: -rw-r----- root apache

Is this a safe setup? Or is it better to use a new user e.g. "project" to be the owner of all files and directories?

solsol
  • 1,121
  • 8
  • 21
  • 31

2 Answers2

5

It's a best practice to have the owner be whatever limited user account is used for uploading/managing the files on the server. The group is often the account that php is running under, so in this case apache would be correct. The other permissions should be set to nothing, as they are. You are close to perfect.

If you have a situation where multiple accounts may be modifying/editing the files you can creat a cron script that chowns the dir recursively every hour or so to maintain correct ownership. The same technique works to keep the permissions correct as well.

Also, you may want to modify the umask of the limited user account that has ownership to be inline with your permission scheme.

CarpeNoctem
  • 2,437
  • 4
  • 23
  • 32
  • So would it be more secure to set the owner to a limited account e.g. "testuser" instead of root? Can you explain to me why this would be more secure? Thanks! – solsol Feb 10 '10 at 08:04
  • 1
    yes, you'll be better off setting these ownerships to someone other than root so you don't have to update them as root (or sudo). Create a webmaster on the server to own these files. I typically give my lead programmer of a project ownership of these files and put everyone else in the group. – Patrick R Feb 10 '10 at 14:01
2

You're definitely playing it safe.

Your settings are going to keep you from being able to create additional folders in you DIRECTORIES should you need to on demand via apache.

I'd suggest that you use the following permissions:

DIRECTORIES: drwxrwx--- root apache
FILES: -rw-rw---- root apache

Add your developers to the apache group so that the can continue to write to these files should they log in via ssh or ftp.

You can have liberal file permissions if you can trust what users are running them. If you're code is solid then you can allow the apache group to do more with permissions.

Edit: In general give apache:

rwx if it needs to create folders
rw if it needs to create files
r if everything is static

In the end what it boils down to is only giving the permissions that you must. Make them as conservative as possible and open them up as you develop your application if you need to.

One little thing about groups. You'll see some examples that show this (these are correct settings, too):

DIRECTORIES: drwxrwxrw- root somegroup
FILES: -rw-rw-r-- root somegroup

These permissions are required for a web application to run because the apache user is not part of the group permissions. In that case, apache is considered everyone so you need to set permissions to allow everyone to interact with your website. An by everyone I don't mean everyone in the world (ie anonymous). I mean everyone one who is currently a user on your server (look in /etc/passwd to get a list).

Patrick R
  • 2,945
  • 1
  • 19
  • 27
  • Thanks for the tips guys. The application will be hosted on a dedicated machine, so no other users will have accounts but us to update the app when necessary. We want the server to be secure so is it a good idea to give apache Read/Write access to our files? I'm not a security expert - far from - but it sounds risky to give Apache full control over file or am I wrong? – solsol Feb 10 '10 at 08:02
  • 1
    if your application won't update any files (text,image, etc) on the server then all you'll need is read access rather than read/write. If you don't give apache read you'll get a 500 error. If apache won't be creating folders, don't give it rwx. – Patrick R Feb 10 '10 at 12:48
  • 1
    apache won't sneak any files onto your server unless it has ftp or ssh or your code let's someone upload files. If you don't allow the first two options and you code either doesn't allow someone else (through apache) to upload files or run you code in a way you hadn't planned, you'll be pretty secure. Note that I didn't say to make your files rwxrwxr--. I was talking about a directory when I listed that particular permission level. – Patrick R Feb 10 '10 at 12:53
  • thanks Patrick, we will have FTP on the server (to deploy new versions of the app) and users will be able to upload images with our application. We are checking for mime type there so that should be OK. So nobody can gain apache access otherwise and upload stuff? – solsol Feb 18 '10 at 11:38
  • Sorry for the super late reply. Apache is a user but doesn't have a password by default. Now you could go out of your way to make it so apache could log in via ftp or ssh but I imagine you haven't done that so you're probably safe. You've most definitely figured this out for now, just wanted to wrap up your open question. – Patrick R Aug 12 '10 at 03:13
  • If apache is not in somegroup, then you need to set the x bit for "others" on the directory that it needs to access AND ALL OF THE PARENTS UP TO /. – Jeff Aug 07 '17 at 17:30