User wants PHP to be able to write files in his directory
772
The user wants to let PHP write files in his /home/ directory; he is advising me to do usermod -a -G www-data username, where username is his username. I wasn't sure if this was a security issue or not.
The proposed command adds the user to the www-data group. This may give him unintended extra permissions, in particular he'll be able to access any file that's restricted to the www-data group. This is probably a lot more than you intended.
For example, suppose two users make this request and get added to the www-data group, and each user opens up ~/www-shared to the www-data group. Then each will be able to read and write to the other's www-shared directory.
Access control lists look a lot more appropriate for the stated purpose. This requires that your operating system and filesystem support ACLs. On Linux, make sure that the filesystem is mounted with the acl option. Then the user can run setfacl -m user:www-data:rwx ~/www-shared to share a directory with the www-data user.
Still, this problem sounds like something many people running web servers have faced before. So there may be a much better solution involving the Apache toolbox.
This is not a good idea because the user www-data will be in the group of the user. So the webserver may manipulate all files of this user.
Also, any other users on the system are then able to read and write from the files of the given user via a simple php script.
It's generally not a good idea to give the webserver more read/write access than needed. So you might want to widen the permissions only in the directory (or even on the file) that needs write access. This can be an upload directory, for example.
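Two shell functions, added here as an example and not taken from either answer, that cover what both answers get at: an audit of what a user would gain by joining a group (the first answer's objection to usermod), and the narrow setfacl grant on one directory (the ACL alternative, with traverse access on the parent and a default ACL so files PHP creates there inherit it). The www-data and ~/www-shared names follow the answers; the function names and the sample paths are made up for this example.

```shell
# Audit what joining GROUP would expose: every file or directory under ROOT
# that is group-owned by GROUP and grants the group read or write access.
# Usage: group_exposed_paths GROUP ROOT   (e.g. group_exposed_paths www-data /)
group_exposed_paths() {
    group="$1"
    root="$2"
    # -perm -040: group read bit set; -perm -020: group write bit set (POSIX find syntax)
    find "$root" -group "$group" \( -type f -o -type d \) \
        \( -perm -040 -o -perm -020 \) 2>/dev/null
}

# Number of such paths: a quick measure of how much a group membership hands over.
group_exposed_count() {
    group_exposed_paths "$1" "$2" | wc -l | tr -d ' '
}

# Narrow alternative to usermod: give one principal access to one directory only.
# The default ACL (-d) makes new files inside DIR inherit the entry, and the
# execute-only entry on the parent lets the principal reach DIR without reading
# the rest of the home directory.
# Usage: share_dir_with_user DIR USER   (e.g. share_dir_with_user ~/www-shared www-data)
share_dir_with_user() {
    dir="$1"
    principal="$2"
    command -v setfacl >/dev/null 2>&1 || { echo "setfacl not available" >&2; return 1; }
    setfacl -m "user:$principal:rwx" "$dir" || return 1
    setfacl -d -m "user:$principal:rwx" "$dir" || return 1
    setfacl -m "user:$principal:x" "$(dirname "$dir")" || return 1
    # Show the resulting entries so the grant can be reviewed
    getfacl "$dir"
}
```

The audit run as `group_exposed_paths www-data /` before handing out the membership tells you exactly which files the first answer warns about; the ACL function needs the filesystem mounted with the acl option, as that answer says.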