Are these LAMP permissions secure? - 【StackMirror】|linux|apache|security|ubuntu|permissions

I have a LAMP server where I've run the following commands to set permissions of files in /var/www:

groupadd web
usermod -a -G web my_user
chown -R root:web /var/www
chmod -R 775 /var/www
chmod -R g+s /var/www

My goal is to have all files writable by any member of the "web" group. Is there a secure way to allow file uploads (e.g. within Wordpress) without changing the file ownership? Note: this is a private server.

2012-04-03 19:26
by Trent Scott

I think you need to cleanly separate those things that you want users logged into the system to be able to edit vs. those things that must be writeable by the web user to function properly (e.g., an upload directory). If your Apache server is running with credentials that give it write access to your entire web hierachy, somebody is going to put viagra advertisements on your server - larsks 2012-04-03 20:06

Yea -- don't want that. The "web" group (above) should just be for root and webmasters to be able to read/write files via SFTP. My understanding is that www-data (the default Apache user) would only get read permissions because of the chmod 775 command above. Am I as safe as I think with that setup? Is it best to just not have any directories writable by the web user (chmod 777), including upload directories - Trent Scott 2012-04-03 20:24

Watch out with that chmod -R g+s /var/www command. For directories, the s bit causes a change to the default group of files within the directory, but for executable regular files, it means something different. With this command, you will accidentally create setgid executables. You need to apply this command only to directories, not recursively to everything - Celada 2012-04-03 20:26

How do I fix that? Run chmod -R g-s /var/www and go back and apply it without the recursive flag to directories only - Trent Scott 2012-04-03 20:27

@larsks - "If your Apache server is running with credentials that give it write access to your entire web hierachy, somebody is going to put viagra advertisements on your server." Can you explain that statement? How would that happen - Yarin 2012-12-17 00:52

@trent - See also http://serverfault.com/questions/6895/whats-the-best-way-of-handling-permissions-for-apache2s-user-www-data-in-va - Yarin 2012-12-17 00:53

One way of applying permissions to just directories is to use the find command. For example:

# Set the owner and group on everything.
chown -R root:web /var/www

# Make *directories* read/write/execute and set the `sgid` bit.
find /var/www -type d -print | xargs chmod g+rwxs

You don't want to run chmod -R 775 /var/www because this will make all your files executable, which is probably not what you want.

2012-04-04 12:56
by larsks

Thanks! What should I change the 775 permissions to? 774 - Trent Scott 2012-04-04 19:13

In general, you don't want files to be executable unless you really mean for people to run them. Given a file mode like 775, each digit corresponds to a set of three permission bits expressed in octal notation. So 7 means rwx (all bits set). Static files should probably be owner- and group- writable, given your goals, and readable by everybody. That's mode 664, or rw-rw-r. CGI scripts and so forth will need to be executable - larsks 2012-04-04 20:02