0

Hi, I'm a web developer by trade and not a server engineer, so please bear with me!

I have just got a new Ubuntu LAMP VPS server, which I am trying to configure.

I understand that running PHP as apache-mod is the fastest way of running PHP, but to achieve this I have to set my directories to 777 so PHP can write to them. In turn, FTP can then no longer delete directories created by PHP.

This does not seem ideal.

I understand that using fast-cgi the 'php user' and 'ftp user' are the same, hence you do not get these issues and do not have to open directories to 777 to allow writing, which I understand to be a security issue.

So what are the pros/cons of

  • fast-cgi with 755 permissions vs apache-mod with 777 permissions?

Thanks

EDIT

So OK, 777 is not good apparently. But how do I then get the apache-mod user and the FTP user to be the same? As mentioned, I am not a server admin! Thanks

user56631
    777 permissions are almost never a good idea... – Lucas Kauffman Jan 12 '12 at 18:29
  • I don't know about the specifics, but you should _never_, _ever_, _ever_, **ever** set permissions to 777. This means anybody and everybody can manipulate that directory (or file). Also, with directory permissions of 777, anyone can delete files in that directory - even if they don't have permissions to read or write the file in question. – Mei Jan 12 '12 at 18:30

2 Answers

3

Apache with mod_php is easy to set up and runs fast, but it doesn't scale. Each request requires a full thread, which includes Apache and all its modules. This is exactly what makes it fast: each request gets a dedicated instance of PHP. On the other hand, a very small number of simultaneous requests will consume all your available memory and slow your server to a crawl.

If you go the mod_php route, @fuscata's answer provides a good approach: use groups to avoid having your directories and files writable by 'other'. The other option is to simply make your FTP user the same as the user that Apache runs as, although this isn't good from a security standpoint.

I'd definitely suggest the fast-cgi approach. Beyond the fact that you can implement your permissions properly, it makes much better use of the available resources. Although it is a bit slower for a single request, under a higher load the overall performance will be much better than with mod_php.

Use mod_fastcgi with php-fpm: set up your php-fpm pools with user names matching your FTP users, and use the most restrictive permissions possible. 755 is usually acceptable for directories (but you should be able to use 750). Consider setting the permissions on your PHP files to 640, since 'other' doesn't really need read permissions on your files (this is especially true for files that contain database passwords, ecommerce keys, etc., although those should be set to 600, or 400 once you have input the data).

cyberx86
1

If you decide to stick with mod_php, there are a few options, but here's what I suggest:

  1. Create a new user, say ftpuser, with group ftpuser.
  2. Make sure that user doesn't have anything sensitive in its home dir (which you could set to the DocumentRoot), e.g. .my.cnf, mail files, SSH private keys, etc.
  3. Add the Apache user (www-data) to the ftpuser group.
  4. Set the Apache user's umask to 002 in /etc/apache2/envvars.
  5. Set the ftpuser's umask to 002 (so files will have 775 permissions by default) and/or change settings in your FTP client to achieve this.
  6. On the appropriate dirs/files: chgrp -R ftpuser, chmod -R 775, chmod -R g+s (this should cause all files/dirs created by www-data to keep the ftpuser group).
xofer