With reference to the answer in this thread, I would like to ask about another case, where we have to save important files in a folder above the document root to protect important user data (say the user pics). I would like to ask as follows:

  1. Is it good practice to save important user data files outside the document root?
  2. If yes, then what would be the best way to define file and folder permissions for such a folder so that apache can write and serve these securely while protecting the rest of the server?

Thanks.

Rephrasing my question after using the information received in reply to the above:

chown -R user:apache /var/www/mysite.com

with directory structure

    /var/www/mysite.com/ (750)
    ├── html/ (750)
    └── internal/
        ├── uploads/ (730)
        │   └── test.jpg (660)
        ├── scripts/ (710)
        │   └── test.php (640)
        └── functions/ (710)
            └── fn.php (640)

DOCROOT is html. OUTSIDE DOCROOT is internal. uploads stores the profile pics of users and needs g+rw perms on its files for user apache, while the folder uploads itself needs w_x perms.

Would you say that these permissions as shown in the folders structure are correct? With these permissions, should I be worried about the fact that apache traverses outside the root to write the files in uploads?

Ajoo

1 Answer

  1. Yes. I believe it is best to put anything you alter (even the configuration files) on a different partition so you can backup this partition by itself. You can use symlinks and/or "cp" to connect it together. Create a script to do that.

  2. Well that is both simple and difficult to answer: do not add permissions more than you want for that specific file. If it does not need execution permissions don't add it. If a file only needs to be read do not add write permissions. Never ever use chmod 777 as this totally kills any security. That is the simple answer.

    A slightly more elaborate answer...

    If you use ftp/ssh, create a user for each person and add the/those user(s) to the group you set apache to (likely apache), and then focus on setting permissions for the group and not for an individual user. For others I would always disable permissions. Reason: if another person complains that something is forbidden which that person should be allowed to do, you know it is a problem related to the group setting of that user. And that makes it an easy fix.

    If the server is a single user setup you can focus on setting permissions on the user apache uses and you can lower the permissions for the group. You can however also use the group method for 1 user.

    A generic 1st approach (f for files, d for directories) setting up for a user:

    find /var/www/ -type f -print0 | xargs -0 chmod 640
    find /var/www/ -type d -print0 | xargs -0 chmod 750
    

    This disables "others". If you want to use a group, change those to 460 or 660 and 570 or 770 (the 2nd pair of those also enables user). If there are any files in /var/www/ that require execution they should not be there, so you will catch those with this setup (those should be in a cgi-bin/ directory outside of /var/www/).

    If you use groups you can add your normal user to the apache group.

    And I would myself not use the admin user but a dedicated user just for maintaining the website. Keep the admin for emergencies and setting up.

Rinzwind
  • In addition, when the content is outside /var/www, additional rules must be applied for the given directory within the virtual host configuration. As reference, inspect how the access to /usr/share is handled within the default apache2.conf. – pa4080 May 08 '20 at 09:55
  • @Rinzwind. What would be your view on the permissions scheme as applied to the modified, though more specific, case that I could arrive at after applying what you advised. – Ajoo May 09 '20 at 11:00
  • That looks good. Last q: no :-) – Rinzwind May 09 '20 at 16:01
  • I have yet to try out the permissions above. I do feel there might be some issue with file ownerships for the files uploaded to the uploads folders. – Ajoo May 10 '20 at 11:44
  • That is what the group is for. Add users to the apache group and it will be perfect. – Rinzwind May 10 '20 at 12:16
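Added example, not code from the answer or from Ajoo's setup: a POSIX shell script that applies the find/chmod scheme from the answer (640 files, 750 directories, nothing for "others") to a stand-in for the question's tree, opens only uploads/ to the group as 730/660 as the question proposes, and then counts deviations with find -perm so the result can be verified. The directory names, the temp-dir stand-in and the function names are constructed assumptions; the chown -R user:apache step needs root and is left to the operator.

```shell
#!/bin/sh
# Permission scheme from the answer, applied to the question's tree:
#   every file 640, every directory 750 (no access for "others"),
#   uploads/ alone opened to the apache group: 730 on the dir, 660 on its files.
# Ownership (chown -R user:apache, from the question) needs root and is not done here.
set -eu

# apply_site_perms SITE_ROOT UPLOAD_DIR
apply_site_perms() {
    root=$1; uploads=$2
    find "$root" -type f -exec chmod 640 {} +   # also strips any stray execute bit
    find "$root" -type d -exec chmod 750 {} +
    chmod 730 "$uploads"                        # group: write + traverse, no listing
    find "$uploads" -type f -exec chmod 660 {} +
}

# count_violations SITE_ROOT UPLOAD_DIR: prints how many paths deviate from the scheme
count_violations() {
    root=$1; uploads=$2
    {
        find "$root" -path "$uploads" -prune -o -type f ! -perm 640 -print
        find "$root" -path "$uploads" -prune -o -type d ! -perm 750 -print
        find "$uploads" -maxdepth 0 ! -perm 730 -print
        find "$uploads" -type f ! -perm 660 -print
    } | sort -u | wc -l | tr -d ' '
}

# make_demo_tree: constructed stand-in for /var/www/mysite.com in a temp dir; prints its path
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/html" "$root/internal/uploads" \
             "$root/internal/scripts" "$root/internal/functions"
    : > "$root/html/index.php"
    : > "$root/internal/uploads/test.jpg"
    : > "$root/internal/scripts/test.php"
    : > "$root/internal/functions/fn.php"
    chmod 777 "$root/internal/uploads"           # the "never ever" case, to be corrected
    chmod 755 "$root/internal/scripts/test.php"  # executable file that should not be
    printf '%s\n' "$root"
}

if [ "${1:-}" = "demo" ]; then
    site=$(make_demo_tree)
    echo "violations before: $(count_violations "$site" "$site/internal/uploads")"
    apply_site_perms "$site" "$site/internal/uploads"
    echo "violations after:  $(count_violations "$site" "$site/internal/uploads")"
    rm -rf "$site"
fi
```

Run it as `sh script.sh demo`; on a real site point apply_site_perms at the vhost root and its uploads directory instead of the temp tree.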