2

As a webmaster I need fast access to /var/www. What should I set in the directory permissions to get rid of 'open as admin' for file modification and creation? Yet I want it safe, as modifiable from my machine only.

Or is there a way to always open everything as admin?

Esamo

4 Answers

2

Here's my suggestion:

$ sudo chown www-data:www-data -R /var/www

(changes the permissions to be owned by www-data). I'm not sure why it defaults to root anyways.

$ sudo gpasswd -a $USER www-data   # add yourself to the www-data group
$ sudo chmod g+rw -R /var/www  # make all files writable by the group owner
$ sudo find /var/www -type d -exec chmod g+rwx {} \;  # find folders under /var/www and make sure the group has rwx access

Log out, log back in.

You should now be able to write any files as yourself.

You could simply chown /var/www to your $USER, though I wouldn't recommend it, partly because it's insecure, and partly because I think some things will probably break if you do.

csgeek
  • What about security of setting chown -R root:$USER /var/www? If it is unsecure, why? – Esamo Dec 19 '13 at 05:02
  • 1
    Your webserver runs as www-data, which is a limited user. In case someone can take advantage of a security exploit and get shell access to the machine as user www-data, that user is very limited in what it can do. So it's a bit more work for them to go from www-data to, say, root. Which is why usually the apache process runs as www-data, your mail service runs as its own user, etc. You're sandboxing the process a bit. Most of these users don't usually even have shell access or a password set (no password == no ssh access). – csgeek Dec 31 '13 at 17:18
  • Shouldn't it be sudo gpasswd -a $USER www-data? We want to add the user to the www-data group, not the other way around. – kaerimasu Dec 28 '17 at 15:09
  • @kaerimasu Oops. Nice catch. I fixed it in the body. – csgeek Dec 29 '17 at 18:37
1

I'm assuming you're talking about Apache. If that's the case, I would set the user and group to the user apache is running under (this can be found out with ps aux|grep apache|awk '{print $1}'). This will make the files and directory only editable by root. Here's the command to change permissions (if apache is the user):

 chown -R www-data:www-data /var/www
krab
SameOldNick
  • Wouldn't that be less secure, because a compromised web server process would itself be able to change the files? It seems like the content should be read-only to the web server process. – Paul Dec 18 '13 at 04:13
  • @Paul that doesn't work for instances where the system requires the ability to write to the system as the web server (Wordpress for instance). They can do user:group, where user is their user, and group is www-data, but that does require you to have your server and access to the login(s) pretty well locked down (i.e. SSH key auth only for a remote server) – Thomas Ward Dec 18 '13 at 04:34
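
A read-only audit for the concern raised in the comments above (which paths under /var/www the web server account can modify), as an added example that is not part of any answer in this thread. The function names are hypothetical, and the check looks at owner, primary group and mode bits only; ACLs and supplementary groups are not considered.

```shell
#!/bin/sh
# Added example (not from the thread): list what a web server account can
# write under a docroot, judged by ownership and permission bits alone.

# usage: web_writable_paths [DOCROOT] [USER] [GROUP]
# USER and GROUP may be names or numeric IDs; GROUP is the account's
# primary group. Defaults match the Debian/Ubuntu Apache account.
web_writable_paths() {
    root=${1:-/var/www}
    user=${2:-www-data}
    group=${3:-www-data}

    # The kernel applies exactly one permission class per file:
    # owner bits if the account owns it, else group bits if the group
    # matches, else the "other" bits. Symlinks are skipped because their
    # own mode is always rwxrwxrwx and says nothing about the target.
    find "$root" ! -type l \( \
        \( -user "$user" -perm -200 \) -o \
        \( ! -user "$user" -group "$group" -perm -020 \) -o \
        \( ! -user "$user" ! -group "$group" -perm -002 \) \
    \) -print
}

# usage: check_docroot_readonly [DOCROOT] [USER] [GROUP]
# Returns 0 when the account can write nothing, 1 when it can (the paths
# go to stderr), 2 when find itself failed. Suitable for cron or CI.
check_docroot_readonly() {
    found=$(web_writable_paths "$@") || return 2
    [ -z "$found" ] && return 0
    printf 'writable by the web server account:\n%s\n' "$found" >&2
    return 1
}

# Typical calls (run with sudo if parts of the tree are unreadable to you):
#   web_writable_paths /var/www www-data www-data
#   check_docroot_readonly /var/www www-data www-data || echo "review needed"
```

With the `www-data:www-data` ownership from the answers, every path is reported; with `user:www-data` and no group write bit, only directories you deliberately opened (an uploads directory, for instance) should appear.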
1

Or is there a way to always open everything as admin?

Maybe you want:

cd /var/www/
sudo -u www-data -s   # sudo -u needs a command or -s; -s starts a shell as www-data
krab
1

I used this command

sudo chown -Rv www-data /var/www

Don't need to log out / end your desktop session. I always log in as root when I want to work in localhost; after I add some files I always use that command.

Anggagewor