Home / ubuntu / Questions / 1115979
In Process
alebal
Asked: 2019-02-06 19:40:28 +0800 CST

Apache permissions to allow both user and web server to edit /var/www

  • 772

For security reasons I would like to disable root access via ssh.

I created a new user (user1) with administrative permissions.

adduser user1
usermod -aG sudo user1

and assigned the /www directory to this user.

sudo chown -R $USER:$USER /var/www/
sudo chmod -R 755 /var/www

(My folders structure is www/site1.com, www/site2.com, etc.)

My sites need to write some files (such as sitemaps, rss feeds, etc.) so I set the permissions of the www directory to:

sudo chown -R www-data:www-data /var/www
sudo chmod -R 755 /var/www

Now, however, user user1 works perfectly via shell with the sudo command, but can no longer add/edit/delete files and folders in the /www directory and its subdirectories via sftp.

I read many guides, how to set up apache permissions to increase security, to share administration with other users, etc. etc. etc.

But I still did not understand how to solve my problem.

Currently to be able to handle files on my server via sftp I have to use the root user, with peace of mind for security.

Did I miss something about setting user or folders permissions?

permissions root apache2

2 Answers

  1. It's possible to set different group and user access for files and directories, and this will allow both Apache and your user1 user to edit what's in /var/www without requiring root/sudo and without making anything world-writable.

    So, set the "user" permission inside /var/www to user1. Set the "group" permission to www-data (but ONLY for the specific files or directories that the web server needs to write to).

    sudo chown -R user1:user1 /var/www
sudo chgrp www-data /var/www/specific-file

    You should avoid letting the web server write to the entire /var/www directory and its contents, instead giving the above group permission only to the specific files where this is necessary. It is a good security principle to limit the web server's access to write to files to only those files that it is strictly necessary for - and it is a good idea to try and ensure those files are not executed directly (aren't .php or other executable scripts, for example).

    • 7

  2. If you change the directory with a setgid bit, these problems should be history.

    Try this

    chmod 2775 /var/www

    With the setgid bit set, all files in this directory belong to the group www-data (this should be the standard user and group of the folder, www-data:www-data) and not a user.

    So as long as user1 is in the group www-data, the user should be able to modify, delete and open files.

    Give it a try.

    First enter the user to the appropriate group. Simplest way

    sudo nano /etc/group

    Find www-data and enter user1 after the ":" at the end

    LOGOUT/LOGIN again

    Now create the folder e.g.

    sudo mkdir /var/www2

    and then put the setgid bit on it

    sudo chmod 2775 /var/www2 && sudo chown www-data:www-data /var/www2

    now enter the folder, create another folder or file. It should work and look something like this (please make sure you see the "s" when using ls)

    See here e.g.

    simmel@tron:/var/www2
$ ls -la
total 0
drwxrwsr-x 1 www-data www-data   8 Feb 21 10:28 .
drwxr-xr-x 1 root     root     126 Feb 21 10:26 ..
drwxrwsr-x 1 simmel   www-data   0 Feb 21 10:28 blah

    As you can see for the group part there is a RWS shown instead of RWX shown.

    • 0