I'm trying to configure a Linux server with secure permissions in /var/www. I've read that you shouldn't add your user account to the www-data group for various reasons. Instead, it's best (I'm told) to create a separate developer's group.
Here's what I came up with:
groupadd developers
usermod -a -G developers my_account
chown -R root:developers /var/www
find /var/www/ -type d -exec chmod 775 {} \;
find /var/www -type d -print | xargs chmod g+rwxs
find /var/www/ -type f -exec chmod 664 {} \;
Also, edit /etc/apache2/envvars and add:
umask 002
Questions:
(a). Is this reasonably secure? (b). Is any of this redundant? (c). Does this setup require any change of the default umask? If so, to what?
On redundancy, these lines nearly duplicate each other:
find /var/www/ -type d -exec chmod 775 {} \;
find /var/www -type d -print | xargs chmod g+rwxs
the first sets all permissions, the second is just changing the group permissions. For this part, it's setting everything the same as the first except for the sticky bit.
I'd suggest using the former (as this sets permissions absolutely), but modify it to include the sticky bit, using either of these:
find /var/www/ -type d -exec chmod 2775 {} \;
or alternatively:
find /var/www -type d -print | xargs chmod 2775
They do exactly the same thing, but the second is more efficient: the former calls chmod for every file, the latter calls chmod on a group of files, so starts chmod less often.
On the umask, I assume you want the developers group to have write access, but have the files world readable? In which case, you'll want umask 002. I don't know what your default umask is, so don't know if this needs changing.