2

I've just set up a new Droplet over at DigitalOcean before the weekend and have been configuring it to my needs. I've been following this previously asked question: multiple owner of same folder.

I also found another Q/A on this same forum this weekend talking about security implications and how to properly secure the www folder to minimise any potential risks.

  • What I've done so far is create a new group, webmasters, to which I've added myself, any other people that need access, and the www-data user.

  • Applied the setgid bit on the folder (sudo chmod g+s /var/www/html) so that newly created files and folders belong to the same group, to avoid access issues.

Once all that is done, how exactly do I properly secure the /var/www/html folder?

I read somewhere that in a perfect world, the folder would have chmod set to 640 or 2750, and that the www-data user should only have read access, where you manually give it write access to upload folders and so on.

Am I missing something important here?

I'm trying my best to learn.

Dixos
  • 23
  • Whether www-data is the owner of the document directory depends highly on which application/CMS will be placed inside. For example, WordPress and Nextcloud would like www-data to be the owner of their DocumentRoot directories, because they will write inside, do updates, etc. On the other hand, MediaWiki will need write access only to certain directories, e.g. uploads, etc. – pa4080 Aug 07 '19 at 10:09
  • @pa4080 Right. I don't think we'll be using WordPress, although uploads through PHP will be a thing. If memory serves, PHP would also like www-data to be the owner of the directory? – Dixos Aug 07 '19 at 10:37
  • In general, if you don't need to make any changes to the server's file system (e.g. upload files, write data into files, etc.) via the web server, www-data needs only read permissions on the files and read-execute permissions on the directories. So the default permissions 755 on the directories (where the last 5 means r-x for other users) and 644 on the files (where the last 4 means r for other users) should be enough (when all folders are owned by root:webmasters)... if you need help setting these permissions, I could write an answer. – pa4080 Aug 07 '19 at 10:48
  • @pa4080 I'd appreciate that! There is a single folder, data, where the webserver/client will upload/edit data; beyond that it shouldn't be a problem. Just manually set that folder (and subfolders) to 775, I assume? – Dixos Aug 07 '19 at 10:54

1 Answer

1

Based on what is already done, and on our discussion, I think you need to do these steps.

First, it is not required for www-data to be a member of the group webmasters, so I think you need to remove it from that group.

The right way to set up permissions for files and directories separately and recursively is to use find:

# Deal with the permissions recursively
sudo find /var/www/ -type f -exec chmod 664 {} +  # set -rw-rw-r-- for all files (others: read only)
sudo find /var/www/ -type d -exec chmod 775 {} +  # set drwxrwxr-x for all directories (others: read + traverse)
sudo find /var/www/ -type d -exec chmod g+s {} +  # set drwxrwsr-x: setgid keeps new entries in the directory's group

# Deal with the ownership
sudo chown -R root:webmasters /var/www/ # change user:group for the whole tree of /var/www

# Deal with the directory where `www-data` should have write permissions, e.g. for upload
# (-R so that existing subfolders under data are writable too; new ones will inherit the group via setgid)
sudo chown -R www-data /var/www/data

Thus:

  • The content of /var/www will initially be owned by the user root and the group webmasters.

  • The members of the group webmasters will be able to write and modify the content of the directories in /var/www via the group permissions and setgid.

  • www-data will have read permission on the files and read-execute on the directories (note that execute permission on a directory has a different meaning than on a file: it allows traversing into the directory), via the permissions for other users. So Apache2 will be able to display the content...

  • www-data will be able to write content in /var/www/data, because it is the owner.

pa4080
  • 29,831
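The scheme from the answer (root:webmasters ownership, 664/2775 modes, setgid on every directory, www-data owning only the upload tree) is easy to apply once and then lose to drift: a deploy script that does chmod 777, a directory that loses its setgid bit, a file that ends up owned by www-data outside the upload folder. The following is an added example, not part of the original question or answer, that wraps the answer's commands in a function and pairs it with an audit function that reports every path deviating from the intended state. The function names, the sample directory tree and the deliberately wrong starting modes are constructed for illustration; the production call would be apply_webroot_perms /var/www root webmasters /var/www/data www-data, run as root, whereas the sample runs unprivileged against a temporary tree using your own user and group.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer). Applies the root:webmasters +
# setgid layout from the answer and audits a tree for drift. Names are my own.
set -eu

# apply_webroot_perms <webroot> <owner> <group> <upload_dir> <web_user>
# Production (as root):  apply_webroot_perms /var/www root webmasters /var/www/data www-data
apply_webroot_perms() {
    local root="$1" owner="$2" group="$3" upload="$4" webuser="$5"
    # Ownership first: an unprivileged chown clears setgid on files it touches,
    # so doing the mode changes last guarantees the final state is the intended one.
    chown -R "$owner:$group" "$root"
    chown -R "$webuser" "$upload"                 # the only place the web server may write
    find "$root" -type f -exec chmod 0664 {} +    # -rw-rw-r--  others: read only
    find "$root" -type d -exec chmod 2775 {} +    # drwxrwsr-x  setgid keeps group = webmasters
}

# verify_webroot_perms <webroot> <group> <upload_dir> <web_user>
# Prints every deviating path to stderr and returns 1; returns 0 when the tree is clean.
verify_webroot_perms() {
    local root="$1" group="$2" upload="$3" webuser="$4"
    local problems
    problems="$(
        find "$root" -type f ! -perm 0664      | sed 's/^/wrong file mode (want 0664): /'
        find "$root" -type d ! -perm 2775      | sed 's/^/wrong dir mode (want 2775, setgid): /'
        find "$root" ! -group "$group"         | sed "s/^/not in group $group: /"
        find "$root" -perm -0002               | sed 's/^/world-writable: /'
        find "$upload" ! -user "$webuser"      | sed "s/^/upload path not owned by $webuser: /"
    )"
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems" >&2
    return 1
}

# Constructed sample tree mimicking /var/www, with two deliberately wrong modes,
# so the example can run without root. Prints the temporary root directory.
make_sample_webroot() {
    local root
    root="$(mktemp -d)"
    mkdir -p "$root/html/css" "$root/data/uploads"
    printf '<h1>hello</h1>\n' > "$root/html/index.html"
    printf 'body { margin: 0 }\n' > "$root/html/css/site.css"
    : > "$root/data/uploads/.keep"
    chmod 0777 "$root/html/css"           # wrong: world-writable directory
    chmod 0600 "$root/html/index.html"    # wrong: web server could not read it
    printf '%s\n' "$root"
}
```

Run verify_webroot_perms from cron or a deploy pipeline and treat any output as a finding: the world-writable and "owned by the web user outside the upload tree" cases are exactly the ones that turn an upload feature into a site-wide write primitive.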