0

I created a Laravel project using my user. But now I added code that creates folders and files. The files and folders created by the PHP code are owned by www-data user and group. So when I check ownerships and permissions inside the root directory, I see the entire project is a mix of different ownerships for the folders and files, of my user and www-data.

That happened because the project itself was created by me so most of the files are owned by my user name and user group.

But now as I work on the project, I'm writing code that makes the web server create files and folders and it's owned by www-data user and group.

The problem is I am using VSCode Remote (with SSH) and then I can't access/edit the files created by the server with my user so I just chown every time, because I'm currently working on a file storing script. So I want to see if my script worked and created the correct files so I have to chown it right now to access them

But how can I make my user be able to also view/edit the files created by www-data securely without needing to chown every time?

I know there are a few approaches and I was recommended by some to use setfacl command. Or maybe I should add my user to www-data group? But I was told me this approach is bad (in production) because if someone gets access to the web server he gets access to the entire system.

What would be a good practice to allow my user to access (read/write) files created by the server.

Also, since the rest of the project is owned by me (not newly created files), should I also changed that to be owned by www-data?

Foobarer
  • 367
  • 1
  • 8
  • 16
  • One generally does not "develop in production". Is it not possible to develop locally where you can have Apache run with your credentials and then deploy to the production server via source control? This would reduce a situation in the future where people are terrified of upgrading/replacing the current production server because there's so much hand-tweaked stuff on production that doesn't exist anywhere else. Ideally production systems should be "as disposable as possible" so that you can rebuild from source in minutes rather than weeks – matigo Nov 18 '22 at 09:43
  • thank you, you are correct . Then maybe I should change the purpose of why I'm doing that because as you said it doesn't make sense for a production server. It's actually rather a mix of development and production server, because I'm working on a personal project, and as I develop it, I give some people access to the website to view it. So I guess I need it only for that, but not real production – Foobarer Nov 18 '22 at 09:47
  • Does this answer your question? How to avoid using sudo when working in /var/www? – muru Nov 18 '22 at 09:55
  • @muru Haha I've been using this post for a long time! (I have it in my browser's boomarks). But then I was suggested that I should use setfacl instead, because the approach in the post above is adding your user to the www-data group, which is exactly why someone told me it's risky in case some one takes control of the web server somehow. Of course, it might be rare but I really want to understand why they said that and try this approach, unless you say that this is also secure enough – Foobarer Nov 18 '22 at 10:03
  • @B.DLiroy you'll have to clarify what the risk is here: how do they envision your user being a member of the www-data group being a threat vector when the web server processes are compromised? – muru Nov 18 '22 at 10:09
  • IMO I don't see much of a difference between setgid/group-membership vs ACLs either way here. I could see ACLs being used if you want to give access to some particular location without granting access to other locations that the group has access to, but in a development server like the one you talk about, I don't see why your user shouldn't have access to anything that the www-data group has access to. – muru Nov 18 '22 at 10:13
  • @muru yes, that's exactly what I was told - that if my user is added to that group it's a threat vector if the web server is compromised because then the attacker will have access to anything that the user has access to? – Foobarer Nov 18 '22 at 11:27
  • @muru and to be honest, I didn't quite understand how because I never dealt with security but I am curious as to how exactly is this a risk vector, maybe a simple example would help me understand what is the meaning here – Foobarer Nov 18 '22 at 11:53
  • I think you should ask this person to clarify how exactly they imagine this happening, since as far as I know, I can't simply start accessing some other user's files just because we happen to be in the same group - except only those files which are of that group. Otherwise the group of a file wouldn't matter at all – muru Nov 18 '22 at 13:36

0 Answers0