
Created a non-root account so the user can log in and upload files to the public directory (which works), except there's difficulty when adding a CMS... constant write permissions (when maintaining the site via the CMS).

I.e., the logs experience write permissions.

  • Default is set to rwxr-sr-x (2755) [group = apache] [owner = user]
  • Add user to group Apache - still has issues.

Is there a way I can alter the permissions so when they further change things and add new files, they don't encounter these issues?

For the time being, I hand-modified the affected files to 0775 and it seems to work. Ideally, I'd like to set the default permissions so they won't need the folders manually changed.

necrodeus
  • I still [prefer ACLs](http://serverfault.com/a/484819/126632) for this. – Michael Hampton Feb 22 '17 at 02:38
  • I set an ACL initially, but I must've not gotten it spot on to account for CMS. Going to try what you linked, thanks! (side note, from the thread: "Note that if some directories need to be writable by the web server, you can set those up on a case by case basis" - this is what I'm aiming to avoid; the 'case by case basis'.. if there's any way around that, please let me know!) – necrodeus Feb 22 '17 at 03:03
  • You could make everything writable, but that's a potential security problem. At that point you could just chmod 777 everything, delete everyone's passwords, and roll out the red carpet for the hackers. What really needs to be writable really is a case by case thing. It depends on what your web application does. – Michael Hampton Feb 22 '17 at 03:08
  • Cache, logs, etc. What I mean by avoidance of the 'case by case' is - what do small shared hosts do? Surely those with thousands of customers aren't manually changing permission on individual folders. (And no, definitely do not want to do any 777 stuff.) – necrodeus Feb 22 '17 at 03:12
  • They make everything writable per-user. So they have to do a lot more work to get anywhere near "secure"... – Michael Hampton Feb 22 '17 at 03:13
  • Can you elaborate a bit? I did make my www folder writable to this non-root user and they still experienced issues, until I set it to 775, which seems a bit high.. surely I'm doing something incorrectly? – necrodeus Feb 22 '17 at 03:15
  • If you really want to know what they do, that's one thing. But you really, really do not want to model your server after a shared web hosting environment. They usually cause Apache to switch user to each user with something called suPHP, on each request. And each user's files are of course writable to himself. This is convenient for the user but is still not very secure. One out of date web app and that user is completely screwed. And if the host isn't on top of their game, so are they... And of course you can't have multiple users working on a single site. – Michael Hampton Feb 22 '17 at 03:18

0 Answers
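
As an added illustration (not part of the original thread), the script below shows in a throwaway directory why files created under a 2775 setgid directory are still not group-writable, and how a default ACL, as suggested in the comments, can be limited to the directories that need it. The `cache`/`logs` layout, the helper names and the use of the current user's primary group in place of `apache` are assumptions.

```bash
#!/bin/bash
# Added example on a constructed sandbox (not the asker's real docroot).
# The setgid bit on a 2775 directory only propagates the *group* to new files;
# their mode still comes from the creating process's umask.

mode_of() { stat -c '%a' "$1"; }      # GNU stat: octal permission bits

# Create file $1 under umask $2 (in a subshell) and print its mode.
create_with_umask() (
    umask "$2"
    : > "$1"
    mode_of "$1"
)

# Build <tmp>/public with only cache/ and logs/ meant to be CMS-writable.
build_sandbox() {
    local root
    root=$(mktemp -d) || return 1
    mkdir -p "$root/public/cache" "$root/public/logs"
    chmod 2775 "$root/public" "$root/public/cache" "$root/public/logs"
    echo "$root"
}

# Give group $1 rwX now (access ACL) and on everything created later
# (default ACL), in the listed directories only.
apply_default_acl() {
    local grp=$1; shift
    command -v setfacl >/dev/null 2>&1 || return 2
    setfacl -m "g:$grp:rwX,d:g:$grp:rwX" "$@"
}

demo() {
    local root grp
    root=$(build_sandbox) || return 1
    grp=$(id -gn)                     # stand-in for the page's "apache" group
    echo "umask 022 -> $(create_with_umask "$root/public/cache/a.tmp" 022)"
    echo "umask 002 -> $(create_with_umask "$root/public/cache/b.tmp" 002)"
    if apply_default_acl "$grp" "$root/public/cache" "$root/public/logs" 2>/dev/null; then
        # With a default ACL on the parent, the umask is no longer consulted.
        echo "default ACL, umask 022 -> $(create_with_umask "$root/public/cache/c.tmp" 022)"
    else
        echo "setfacl unavailable or ACLs unsupported here; skipped ACL step"
    fi
    rm -rf "$root"
}

demo
```

On a real server the default ACL would be applied to the CMS's own cache and log directories rather than the whole document root, which keeps the rest of the tree read-only to the web server.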