Home / ubuntu / Questions / 1254809
Accepted
emma
Asked: 2020-06-30 06:26:25 +0800 CST

Giving owner permissions to www-data: is it a security risk?

  • 772

I have a small website running on a VPS. I'm using Nginx as a web server (a simple LEMP configuration). But now i have a problem: i have a small php script that needs to be able to write a log every once in a while...and for that to work i've given owner permissions to www-data over /var/www/html/ after i ren chmod -R 755 /var/www/html as root. But once i gave owner permissions to www-data user over /var/www/html/ and i was, obviously, able to run that php script which has to write some logs i started to ask myself: isn't this going to be a HUGE security issue?

So, is making www-data the owner of /var/www/html/ a security issue?

If yes, can you tell me why and what's to be done about it?

Thank you!

permissions nginx chown 18.04

1 Answers

  1. Best Answer

    So, is making www-data the owner of /var/www/html/ a security issue?

    No. You can also use "group" www-data.

    But this is ...

    chmod -R 755 /var/www/html

    Generally you need 2 commands: 1 for directories and 1 for files. Setting every file to executable is bad. You should use this:

    find /var/www/html -type d -print0 | xargs -0 chmod 750
find /var/www/html -type f -print0 | xargs -0 chmod 640
    • execute permissions for directory.
    • read permissions for files.
    • No permissions for others (if there is a flaw in the design of the website this is what will alarm you with errors in access.log).

    If you really need your script to be executed you set THAT script itself and not the whole website.

    You can also use php-cli (or php-cgi if it is cgi) to execute a php script from command line without the need to set the script itself executable.

    • 1