0

I have a php script which run a private social network. It's running on a Ubuntu 16.04.03 with an mariadb and apache 2 and php7 config.

I have created a new folder in /var/www/myscript and copied all files in this folder.

My question is now, what permissions are necessary to make the config safe. Is it safe to set all files to 640 and all folders to 750 and owner and user to www-data?

I found this tutorial, http://fideloper.com/user-group-permissions-chmod-apache The permissions looks different, are these permissions good, too?

It would be great if someone can help me. Thank you very much. Best regards

Phatair
  • 1
  • 1
  • 3
  • We typically don’t review other manuals and how to’s but take a look at this canonical Q&A https://serverfault.com/q/357108/37681 – HBruijn Feb 04 '18 at 22:26

3 Answers3

2

It very much depends on your CMS.

I actually really do not like 99% of the CMS available out there. All their PHP files go in the public Apache tree which means clients have access to them. That's not safe. These should be in a place where the client cannot access them. That being said, the index.php needs to be public (obviously?) and a few other files, depending on your CMS. Everything else could be in a folder that Apache does not give access to the client. Then the permissions become much less problematic.

Say you have a folder named public_html where Apache as access, you could have a structure that looks like this:

/var/www/example.com
/var/www/example.com/php  -- put your PHP scripts here
/var/www/example.com/data  -- whatever data files (XML, templates, non-public)
/var/www/example.com/public_html  -- only folder accessible by Apache
/var/www/example.com/public_html/index.php  -- the PHP that handles the CMS

Now... The ownership, unless you use a CMS like WordPress which wants to auto-update itself, the files need to be writable by the Apache2 user (www-data for Ubuntu). In all other cases, you should set the user and group to a different user than www-data and make sure that Apache does NOT have permission to modify those files. Make sure it can read them (maybe other has the 'r' for files (644) and 'r-x' for directories (755).)

Say you use rsync to do your updates and give rsync permission to write files as user www. Now you could make all those files be owned by www and not www-data and the update will work just fine.

Obviously, if you have an upload feature which saves files to your web server, then that directory needs to be writable by www-data. Also those files should be backed up (like your database) since they are accessible (read as: hackable) by clients. Since you have an intranet, it may be less of a concern, although most large businesses report that most of their data losses are because of staff working there and not hackers from the outside. Something to keep in mind.

Something like this work work for such files:

mkdir /var/www/example.com/public_html/download
chown www-data:www-data /var/www/example.com/public_html/download
chmod 775 /var/www/example.com/public_html/download

The path to those files can be different as the CMS sees fit, although the actual files could be in one large directory (it is fast whatever the number of files).

Alexis Wilke
  • 2,210
  • 1
  • 20
  • 37
0

If you don't really need, do not set write permission to any file or folder. typically you set write permission only for a tmp folders or configuration files which are need to be written by app itself. although it is not really mistake to have write permission on any of your files or folders, you should always consider that the app you are running on it could have a security hole and then attacker is free to save custom scripts anywhere he wants, write your configs, etc.

patok
  • 692
  • 1
  • 5
  • 15
0

Thank you very much for your help.

If i understand all the tips correctly i should do the following:

the owner of /var/www/mysite and all files and subfolders should not www-data (is it ok to set to root?) The group of /var/www/mysite and all files and subfolders should be www-data

All files should be 644 or better 640 and directorys 755 or 750? If user upload files from the website i have a folder /var/www/mysite/uploads and on this folder i will set the www-data as owner and group and set the permission to 775.

At the moment my folder looks like this:

/var/www/mysite -> root:www-data (for all files and folders) files have 640 permissions folders have 750 permissions

Is this a config that looks ok and secure or should i change the user from root to the user that i'm using for maintaining the server?

thank you again for your help.

Phatair
  • 1
  • 1
  • 3