Linux Web Server Permissions - Best Practices

I wrote a simple script for my WordPress site. This script gives Apache only write-access to what it needs to write to. Everything else under the webroot is read-only. I think this is a good step towards a more secure site, and should be practiced.

#!/bin/bash

PATH=/bin:/usr/bin
WEBROOT="/var/www/www.example.com"

UPLOADS="${WEBROOT}/wp-content/uploads"

chown -R nobody:nogroup ${WEBROOT}
find ${WEBROOT} -type d -exec chmod 0555 {} \;
find ${WEBROOT} -type f -exec chmod 0444 {} \;

chown nobody:www-data ${WEBROOT}/sitemap.xml ${WEBROOT}/sitemap.xml.gz
chmod 0464 ${WEBROOT}/sitemap.xml ${WEBROOT}/sitemap.xml.gz

chown -R nobody:www-data ${UPLOADS}
find ${UPLOADS} -type d -exec chmod 2575 {} \;
find ${UPLOADS} -type f -exec chmod 0464 {} \;

The principle of least privilege applies. Only give users the rights they need and no more.

In this case, if apache is only serving up pages, give the user acct no rights to edit. Possible risks include: changing file content or uploading new one; adding executable code to files, etc. These risks exists regardless of whether it is a single site up multiples. If the application has a need to edit a specific file, restrict permissions changes to that file.

I wouldn't see why not. If there is one site, this should be ok. But do mind you might want to grant read only to some files. (well whitelist if they need write access :) )

Even if you have only one website, compromising apache user will enable the hacker to change the files under /var/www if the folder is writable by apache user.