Linux – How to setup linux permissions for the WWW folder

chmodlinuxpermissions

Updated Summary

The /var/www directory is owned by root:root which means that no one can use it and it's entirely useless. Since we all want a web server that actually works (and no-one should be logging in as "root"), then we need to fix this.

Only two entities need access.

PHP/Perl/Ruby/Python all need access to the folders and files since they create many of them (i.e. /uploads/). These scripting languages should be running under nginx or apache (or even some other thing like FastCGI for PHP).
The developers

How do they get access? I know that someone, somewhere has done this before. With however-many billions of websites out there you would think that there would be more information on this topic.

I know that 777 is full read/write/execute permission for owner/group/other. So this doesn't seem to be ~~needed~~ correct as it gives random users full permissions.

What permissions are need to be used on /var/www so that:

Source control like git or svn
Users in a group like "websites" (or even added to "www-data")
Servers like apache or lighthttpd
And PHP/Perl/Ruby

can all read, create, and run files (and directories) there?

If I'm correct, Ruby and PHP scripts are not "executed" directly – but passed to an interpreter. So there is no need for execute permission on files in /var/www…? Therefore, it seems like the correct permission would be chmod -R 1660 which would make

all files shareable by these four entities
all files non-executable by mistake
block everyone else from the directory entirely
set the permission mode to "sticky" for all future files

Is this correct?

Update 1: I just realized that files and directories might need different permissions – I was talking about files above so i'm not sure what the directory permissions would need to be.

Update 2: The folder structure of /var/www changes drastically as one of the four entities above are always adding (and sometimes removing) folders and sub folders many levels deep. They also create and remove files that the other 3 entities might need read/write access to. Therefore, the permissions need to do the four things above for both files and directories. Since none of them should need execute permission (see question about ruby/php above) I would assume that rw-rw-r-- permission would be all that is needed and completely safe since these four entities are run by trusted personnel (see #2) and all other users on the system only have read access.

Update 3: This is for personal development machines and private company servers. No random "web customers" like a shared host.

Update 4: This article by slicehost seems to be the best at explaining what is needed to setup permissions for your www folder. However, I'm not sure what user or group apache/nginx with PHP OR svn/git run as and how to change them.

Update 5: I have (I think) finally found a way to get this all to work (answer below). However, I don't know if this is the correct and SECURE way to do this. Therefore I have started a bounty. The person who has the best method of securing and managing the www directory wins.

Best Answer

After more research it seems like another (possibly better way) to answer this would be to setup the www folder like so.

sudo usermod -a -G developer user1 (add each user to developer group)
sudo chgrp -R developer /var/www/site.com/ so that developers can work in there
sudo chmod -R 2774 /var/www/site.com/ so that only developers can create/edit files (other/world can read)
sudo chgrp -R www-data /var/www/site.com/uploads so that www-data (apache/nginx) can create uploads.

Since git runs as whatever user is calling it, then as long as the user is in the "developer" group they should be able to create folders, edit PHP files, and manage the git repository.

Note: In step (3): '2' in 2774 means to 'set Group ID' for the directory. This causes new files and sub directories created within it to inherit the group ID of the parent directory (instead of the primary group of the user) Reference: http://en.wikipedia.org/wiki/Setuid#setuid_and_setgid_on_directories

Related Solutions

Linux – What’s the best way of handling permissions for Apache 2’s user www-data in /var/www

Attempting to expand on @Zoredache's answer, as I give this a go myself:

Create a new group (www-pub) and add the users to that group

groupadd www-pub

usermod -a -G www-pub usera ## must use -a to append to existing groups

usermod -a -G www-pub userb

groups usera ## display groups for user
Change the ownership of everything under /var/www to root:www-pub

chown -R root:www-pub /var/www ## -R for recursive
Change the permissions of all the folders to 2775

chmod 2775 /var/www ## 2=set group id, 7=rwx for owner (root), 7=rwx for group (www-pub), 5=rx for world (including apache www-data user)

Set group ID (SETGID) bit (2) causes the group (www-pub) to be copied to all new files/folders created in that folder. Other options are SETUID (4) to copy the user id, and STICKY (1) which I think lets only the owner delete files.

There's a -R recursive option, but that won't discriminate between files and folders, so you have to use find, like so:

find /var/www -type d -exec chmod 2775 {} +
Change all the files to 0664

find /var/www -type f -exec chmod 0664 {} +
Change the umask for your users to 0002

The umask controls the default file creation permissions, 0002 means files will have 664 and directories 775. Setting this (by editing the umask line at the bottom of /etc/profile in my case) means files created by one user will be writable by other users in the www-group without needing to chmod them.

Test all this by creating a file and directory and verifying the owner, group and permissions with ls -l.

Note: You'll need to logout/in for changes to your groups to take effect!

Linux – How to run a server on port 80 as a normal user on Linux

Short answer: you can't. Ports below 1024 can be opened only by root. As per comment - well, you can, using CAP_NET_BIND_SERVICE, but that approach, applied to java bin will make any java program to be run with this setting, which is undesirable, if not a security risk.

The long answer: you can redirect connections on port 80 to some other port you can open as normal user.

Run as root:

# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

As loopback devices (like localhost) do not use the prerouting rules, if you need to use localhost, etc., add this rule as well (thanks @Francesco):

# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080

NOTE: The above solution is not well suited for multi-user systems, as any user can open port 8080 (or any other high port you decide to use), thus intercepting the traffic. (Credits to CesarB).

EDIT: as per comment question - to delete the above rule:

# iptables -t nat --line-numbers -n -L

This will output something like:

Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 redir ports 8088
2    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 8080

The rule you are interested in is nr. 2, so to delete it:

# iptables -t nat -D PREROUTING 2

Updated Summary

Best Answer

Related Solutions

Linux – What’s the best way of handling permissions for Apache 2’s user www-data in /var/www

Linux – How to run a server on port 80 as a normal user on Linux

Related Topic