2

Does it pose a security risk if I change the owner of the document root on Apache?

I've been spoiled by generic website hosting providers. I'm used to SFTPing my files over to the host and hitting refresh to make sure the changes have taken effect.

Now I've invested in cloud hosting with root access to a real (well, virtual) server. My document root is owned by the root user and right now I have to transfer the files to my home directory on the server then copy them to the document root with `sudo cp`. Every time I do this, I have to type my long, unrememberable, randomly-generated password (stuck to my monitor with a post-it note :)).

I'd love to `sudo chown user:user /var/www/html` so I can just transfer the files directly there, but I'm concerned about security.

Would it be less of a problem if I just changed the group of the directory and added my user to that group? Is the `www-data` group safe to use for that?

Vince
  • Are you logging into the server with a password or private key? – Barmar Jan 20 '16 at 15:28
  • I'm logging in to the server using a private key, but I still have to type the password when I use `sudo` – Vince Jan 20 '16 at 21:15
  • You could disable the requirement to enter a password for `sudo`. – Barmar Jan 20 '16 at 21:35
  • @Barmar I don't think I'm comfortable with that solution. I'm not worried about the security risk as much as my capacity to make mistakes. If I relax security a little bit for the document root, the most I can break is my website. If I relax security for sudo, I risk breaking the whole server. – Vince Jan 21 '16 at 01:46
  • The question says "but I'm concerned about security". If you think SSH's security is sufficient to protect your server, then do the `chown`. – Barmar Jan 21 '16 at 02:00

2 Answers

1

If you consider SSH's login protection to be adequate to protect your server, then I think it would be reasonable to `chown` the document root to your userid.

There's nothing gained by using the group instead of owner, if there's just one user managing the server. If you had multiple maintainers, and you wanted all of them to be able to update documents without having to use `sudo`, then it would be useful to change the group, and add all the admins to that group.

Barmar

1

There's a good article on setting up permissions here. Short answer: probably no real risk doing what you've suggested; just make sure to set owners, groups, and permissions properly according to that guide or other reputable information. Sometimes this will be 755, sometimes 775, sometimes 700, sometimes others.

Tim
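An added example, not part of either answer or the linked guide: after the `chown` from the question, these shell functions apply a 755/644 layout to a document root and report anything that group or other can still write to. The function names are hypothetical, and the sketch assumes the web server account is neither the owner of the tree nor a member of its owning group, so it reads the files through the "other" permission bits.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names), not code from the original page.
# One-time step that needs root, as written in the question:
#   sudo chown -R user:user /var/www/html

# Directories 755, files 644: the owner can upload over SFTP without sudo,
# everyone else (including the web server account, by assumption) reads only.
set_docroot_modes() {
    local root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Print every file or directory that group or other may write to.
# The 755/644 layout prints nothing. A 775 layout for several maintainers
# lists its group-writable entries, so group membership can be reviewed.
list_writable_by_others() {
    local root="$1"
    find "$root" \( -type f -o -type d \) \
        \( -perm -020 -o -perm -002 \) -print
}

# Exit status 0 only when nothing under the root is group- or world-writable.
docroot_is_tight() {
    [ -z "$(list_writable_by_others "$1")" ]
}

# When run directly with a path: list findings, exit non-zero if any exist.
if [ "$#" -gt 0 ]; then
    list_writable_by_others "$1"
    docroot_is_tight "$1"
fi
```

Run it as the owning user after each upload; SFTP clients and archive extraction can leave looser modes than the ones set here.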