2

The httpd process runs with the apache user/group credentials, while the /var/www/html folder is owned by the root user/group.

What's the best practice to manage permissions on public html folder? Leave them as owned by root or assign each file and folder to the apache user?

gremo

2 Answers

3

Leave them owned by root until some other user needs write access to the folders. The apache user should not own anything at all unless it is strictly necessary, as it can make security vulnerabilities worse. As an example, if somehow an attacker was able to figure out a way to get apache to be able to create files somewhere on your machine, and apache can create new files in /var/www/html, the attacker can make a new .php file which does whatever he wants using the apache credentials by hitting this PHP page with his web browser.

stew
  • That's fine. What if the user (using the browser) should write some files in /var/www/uploads, for example? I should grant write privileges to the apache user on that folder, am I right? – gremo Dec 14 '11 at 20:16
  • Yes, but just this directory, and then you might limit what apache is willing to serve from this directory if possible. You certainly wouldn't want the situation I'm talking about above, where an untrusted user uploads a PHP file which gets run by your server, or an HTML page that will run malicious JavaScript in some other user's browser. – stew Dec 14 '11 at 20:20
  • OK, thanks, I will accept the answer. Can you point me to a good (yet very simple) book about permission architecture regarding apache/mysql and Linux in general? I need to learn, thanks. – gremo Dec 14 '11 at 20:23
1

There is no canonical way to manage this setup. However, I take the view that root access should only be used when absolutely required.

Due to this, I set the /var/www/html directory to a normal user, e.g. webmaster. This way routine access for web related files does not require root access.

Directories requiring write access by apache will either need world write permissions, be owned by apache, or have group access set up.

There is a good review of using sticky groups here: https://stackoverflow.com/questions/2560762/php-mkdir-and-apache-ownership

jeffatrackaid
  • I agree with everything except granting "world write permissions"—that means anyone able to log into (or breach) the system will be able to write to that directory, which is dangerous. I think definitely those directories need to be owned by apache via user or group, or some other scheme must be used, _e.g._ http://serverfault.com/questions/357108/what-permissions-should-my-website-files-folders-have-on-a-linux-webserver. – Andrew Cheong Apr 30 '14 at 02:18
  • In practice, the issue you raise is far less of a concern than a compromised web application. The likelihood of someone logging in via another means and writing a file to that directory is very low compared to the likelihood that your web application will have an exploit that writes to the directory anyway. – jeffatrackaid May 01 '14 at 17:59
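
The ownership and world-write points raised in both answers and their comments can be checked mechanically. The shell function below is an added example, not code from any of the posts above: it reports anything under the web root that the web server account owns outside the one permitted upload directory, and anything world-writable anywhere. The function name `audit_docroot`, its arguments, its exit codes and the sample paths in the comments are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not code from the original posts.
# audit_docroot DOCROOT WEB_USER [WRITABLE_DIR]
#   DOCROOT       web root to audit, e.g. /var/www/html
#   WEB_USER      account httpd runs as (name or numeric uid), e.g. apache
#   WRITABLE_DIR  the one directory the server may own, e.g. an uploads
#                 directory (assumption of this sketch: it is given as a
#                 path inside DOCROOT, exactly as find would print it)
# Output, one finding per line:
#   OWNED path   owned by WEB_USER outside WRITABLE_DIR
#   WORLD path   world-writable, reported everywhere, WRITABLE_DIR included
# Returns 0 = clean, 1 = findings, 2 = bad usage or incomplete traversal.
audit_docroot() {
    docroot=${1:-}
    web_user=${2:-}
    writable=${3:-}
    if [ ! -d "$docroot" ] || [ -z "$web_user" ]; then
        echo "usage: audit_docroot DOCROOT WEB_USER [WRITABLE_DIR]" >&2
        return 2
    fi

    # A find error (unknown user, unreadable subtree) means the audit is
    # incomplete, so it is reported as a failure rather than as "clean".
    world=$(find "$docroot" ! -type l -perm -0002 -print) || return 2
    if [ -n "$writable" ]; then
        owned=$(find "$docroot" -path "$writable" -prune -o \
                     ! -type l -user "$web_user" -print) || return 2
    else
        owned=$(find "$docroot" ! -type l -user "$web_user" -print) || return 2
    fi

    [ -z "$world$owned" ] && return 0
    [ -n "$world" ] && printf '%s\n' "$world" | sed 's/^/WORLD /'
    [ -n "$owned" ] && printf '%s\n' "$owned" | sed 's/^/OWNED /'
    return 1
}

# Run as a script: sh audit.sh /var/www/html apache /var/www/html/uploads
if [ "$#" -ge 2 ]; then
    audit_docroot "$@"
fi
```

Symbolic links are skipped because their own mode bits are not meaningful; run the audit as root so unreadable subtrees do not turn it into an exit code 2.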