In short : is it safe to grant root (user) access to www-data?
Longer statement : as a lot of questions asked on this using chmod g+s, POSIX ACLs and other sites umask as to the appropriate way of granting privileges to /var/www/html etc, but mine is a little different, and all that I've tried doesn't seem to solve the issue.
/var/www/project/html <- contains all web based files /var/www/project/log <- contains all project based logs
I also have crontab set up for the root user to perform maintenance etc. Within those maintenance scripts (mostly PHP so that I can use my common function library), I have the results also piped to the log folder, under the same log file for the day, some scripts run once a day, others (can) run every minute.
In bringing my application up (through Vagrant) I leave it for a few minutes (so that my cron jobs can post to the log file) and then I log into the application. Immediately I get an error writing to the days log file. Upon checking, sure enough it's owned by root:root - of course, the cron jobs have created it (if it didn't already exist)...
But! As part of the installation script in building the application, I perform the following towards the end:
chown -R www-data:www-data /var/www/project
chmod -R 775 /var/www/project
chmod g+s /var/www/project
... after which my server reboots (host name also changes before reboot).
(Please note : I've also tried the above with a trailing /)
My understanding of the last command ("g+s") is that any new file that's created under that folder, would adopt the permissions of the parent folder. That's obviously not the case, as root is creating the file, and its permissions are root:root.
Performing various "ls -l" I see (removing filesize, timestamps etc):
/var/www # ls -l
drwxrwsr-- www-data www-data project
/var/www # cd project
/var/www/project # ls -l
drwxrwsr-- www-data www-data html
drwxrwsr-- www-data www-data log
/var/www/project # cd log
/var/www/project/log # ls -l
-rw-r--r-- root root 170309.log
So ... I delete that log file and then repeat the chown, chmod and chmod g+s commands to see if it was the reboot, or hostname change, that's throwing me off ... and sure enough, my maintenance script creates the log file once again, with root:root privileges.
If I leave the file there, and repeat the commands, I get the result I was kind of looking for:
/var/www/project/log # ls -l
-rwxrwxr-- 2 www-data www-data 170309.log
However, I'm not necessarily going to have the option of applying these commands after the system reboots, and I'm sure that the following day, I'm going to run into the same issues as the log file will be different and my maintenance script is going to create it first.
AFAICS, I have a couple of solutions:
- When the function that creates the log file (either through the cron job or through the application), I check to see if it already exists and if it doesn't, create it and then "chown www-data:www-data todaysLogFile" and then "chmod 774" it afterwards ... a work-around perhaps, rather than a solution
- add root to the www-data group (any potential security issues? would it help?)
- use POSIX ACLs
I'm really after a rock solid solution here, rather than hacks or work-arounds. I know I'm not the only one out there doing this, but there HAS to be an easier way!!! :O)
www-data? – muru Mar 10 '17 at 01:42Interestingly, I've come in today and found that today's log file had the correct ownership :
That's definitely a step forward! However, the group permissions are set to read only...
– bnoeafk Mar 10 '17 at 16:41