amuck-landowner

File / Folder / User permissions regarding /var/www

danni

New Member
Hello,

I'm currently reading about permissions / rights, because I want to secure my Apache installation as much as possible.

But each site is telling me something different, so it's hard to tell what's right or wrong.

As I understand, Apache shouldn't own files / folders within /var/www/html/, but instead a user should.

Currently root:root seems to own everything in /var/www and in /var/www/html, but my brain tells me that must be wrong.

Can someone shed some light on this area :) ?

 
 

perennate

New Member
Verified Provider
Having root own it is not insecure, as it will still be executed by the web user (e.g. www-data) when the web server executes it (unless setuid is set for some reason, but most likely it's not).
 

raindog308

vpsBoard Premium Member
Moderator
775 is what you want.


chmod -R 755 /var/www/
No!  That makes every file in /var/www executable (and executable by anyone).  Is that really what you want!?

Maybe


find /var/www -type d -exec chmod 755 {} \;
find /var/www -type f -exec chmod 644 {} \;

...which would make directories and files world readable, but nothing executable.

However, before you go into these global finger-of-god commands, you might consider that some applications have specific requirements and recommendations - for example, an uploads directory may need to be world-writable, while a config directory definitely shouldn't be, etc.  Shotgunning new permissions across a diverse web root might end up in sorrow.

As I understand, Apache shouldn't own files / folders within /var/www/html/, but instead a user should.

Currently root:root seems to own everything in /var/www and in /var/www/html, but my brain tells me that must be wrong.
Not necessarily.  We're kind of into philosophy.  Aldryic says:

Apache's (and most httpds) default user is www-data.  chown -R www-data:www-data /var/www would be your quickest fix.
...which is a common approach.  

But another option is to make another user (or root - really doesn't matter) own all the files.  The advantage to this is that the web server is running as www-data (or whatever user) and if dirs/files are 755/644 and owned by root/some other user, the web server will be able to read the files, but won't be able to modify them.  So if there is some vulnerability in code, Apache is prevented from modifying the files, creating new files, etc.

This is hardly the only attack vector, of course.  Different people take different approaches but that's the thinking for why root might own files in /var/www/html.
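raindog308's two find commands, together with the uploads-directory caveat, as an added shell example (not code from the thread): it audits a web root for executable and world-writable entries, then applies 755/644, with the uploads directory made group-writable rather than world-writable. It assumes the uploads directory is group-owned by the web server's group (e.g. www-data); the chown step itself needs root and is not done here.

```shell
#!/bin/sh
# Added example, not from the thread. Audit a web root, then apply
# "directories 755, files 644" with a group-writable uploads exception.
# Assumption: the uploads directory's group is the web server's group
# (e.g. www-data), set separately with chown as root.

# List what a blanket "chmod -R 755" leaves behind: regular files that
# are executable by anyone, and entries writable by "everyone".
audit_webroot() {
    root="$1"
    echo "== executable regular files under $root =="
    find "$root" -type f \( -perm -u+x -o -perm -g+x -o -perm -o+x \) -print
    echo "== world-writable entries under $root =="
    find "$root" -perm -o+w -print
}

# Counts of the same two problem classes, for scripting and checks.
count_exec_files() {
    find "$1" -type f \( -perm -u+x -o -perm -g+x -o -perm -o+x \) | wc -l | tr -d ' '
}
count_world_writable() {
    find "$1" -perm -o+w | wc -l | tr -d ' '
}

# Apply the thread's layout. Directories: owner rwx, group/other rx (755).
# Files: owner rw, group/other r (644). An optional uploads directory gets
# 775/664 so the web server's group can write without making it world-writable.
set_webroot_modes() {
    root="$1"
    uploads="${2:-}"
    find "$root" -type d -exec chmod 755 {} \;
    find "$root" -type f -exec chmod 644 {} \;
    if [ -n "$uploads" ] && [ -d "$uploads" ]; then
        find "$uploads" -type d -exec chmod 775 {} \;
        find "$uploads" -type f -exec chmod 664 {} \;
    fi
}

# Octal mode of a path (GNU stat), handy for verifying the result.
mode_of() { stat -c '%a' "$1"; }
```

Run `audit_webroot /var/www/html` first to see what is actually there before changing anything.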
 

raindog308

vpsBoard Premium Member
Moderator
@raindog308

You are thinking of 777; that is executable by everyone.

775 is executable by Owner and Group, not everyone.
Nope.  755 is executable by everyone.  775 would also be executable by everyone, btw.

5 = read + execute

7 = read, write, execute

Easy way to remember is:

Read = 4 points

Write (Modify) = 2 points

Execute = 1 point

Just add 'em up.  Read (4) + Execute (1) = 5.  

Then left to right, it's Owner, Group, Everyone.
 

Roger

Member
Verified Provider
As I understand, Apache shouldn't own files / folders within /var/www/html/, but instead a user should.

Currently root:root seems to own everything in /var/www and in /var/www/html, but my brain tells me that must be wrong.


Can someone shed some light on this area :) ?
Apache and Linux can be configured in several ways in order for you to strengthen their security. Root can own those files and folders. You can even change the server's root folder. In the end, it all depends on how you handle the SELinux context to limit what Apache, and its users, can do.

SELinux provides confinement of an application if the application has been hacked, even if the application is running as root or with any other full-fledged administrator privileges.

For instance, SELinux allows a process with the Apache label (httpd_t) to access data labeled as read-only or read/write Apache content (httpd_sys_content_t, httpd_sys_content_rw_t). In the same way, SELinux will block Apache processes from reading data labeled as a user's home content (user_home_t).

How you manage the SELinux Apache context determines which of your folders and files the web server processes will be limited to accessing, even if they are owned by root.
 