Security – WebServer Permission problem, Ubuntu & Lighttpd

Tags: apache-2.2, lighttpd, permissions, Security

Just set up lighttpd on Ubuntu 9.04, but struggling with the permissions. The website loads fine, as I am using Fast CGI, however my media (Javascript, CSS, Images) won't load.

I enabled the logging option in the config file:

debug.log-request-handling = "enable"

I get the following in the log file:

    2009-08-16 02:42:27: (response.c.473) -- handling physical path
    2009-08-16 02:42:27: (response.c.474) Path     : /var/www/sites/mysite.com/http/media/css/style.css
    2009-08-16 02:42:27: (response.c.520) -- access denied

I then went and checked the permissions on all those directories, changed them so the www-data group has permission, but I still get 403 forbidden errors and errors in the log file.

I ran:

    chgrp -R www-data css/
    chmod -R g+rx css/

and ls -l

> id@mysite.com:/var/www/sites/mysite.com/http/media$ ls -l
> total 12
> drwxr----- 2 id www-data 4096 Aug 16 01:59 css
> drwxr----- 2 id www-data 4096 Aug 16 02:00 images
> drwxr----- 3 id www-data 4096 Aug 16 02:00 js

Tried granting the www-data user rwx permissions as well, and still get forbidden errors.

How can I fix this?
It's possible that the server is not using the www-data user, how can i check that it's running under this user?

Best Answer

If you are using the Ubuntu package and didn't change things too much, the running process name should be lighttpd and the default user and group names are both www-data. Check the server.username and server.groupname entries in your config file (/etc/lighttpd/lighttpd.conf) to be certain.

Running ps -fC lighttpd should tell you if it is running and the user id that it is running as. On my system the output looks like

    rik@mary:/home/rik$ ps -fC lighttpd
    UID        PID  PPID  C STIME TTY          TIME CMD
    www-data   667     1  0 03:50 ?        00:00:00 /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf

Everything you want displayed under your document root should be readable by the www-data user, and the directories need to be executable by www-data as well. To test this you may want to try using find as the user www-data. The sudo command can help with this. sudo -u www-data find /var/www/sites/mysite.com/http/media/css/ should succeed. If not, try again one step up with sudo -u www-data find /var/www/sites/mysite.com/http/media/ and so on until find can return file and directory names. Once there, run the chown and chmod commands against that directory without the -R (recursive) flag. Then test again.

If you are comfortable with all of the files and directories under /var/www/sites/mysite.com/http/media being readable by anyone, you may want to chmod all the files as 644 and the dirs as 755. If you have files that need to have the execute bit set, this can be a bit more of a problem unless they all have distinctive extensions. This is done using the -type, -exec, and -name flags like:

  1. chown -R id:www-data /var/www/sites/mysite.com/http/media

  2. find /var/www/sites/mysite.com/http/media -type d -exec chmod 755 {} \;

  3. find /var/www/sites/mysite.com/http/media -type f -exec chmod 644 {} \;

  4. find /var/www/sites/mysite.com/http/media -type f -name '*.php' -exec chmod 755 {} \;

If you don't want lighty to access other files and/or dirs in the tree, you will need to handle things differently. It is always easier if you keep files you want readable in a different directory from those you want kept out of the public eye.
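The "try find as www-data, then one step up" walk from the answer can be automated without sudo by checking the mode bits of every path component for the target account (x on each directory, r on the final file). This is an added example, not code from the answer or from lighttpd; it assumes GNU or busybox stat(1) with -c, a local account resolvable by id(1), and the hypothetical script name check.sh.

```shell
#!/bin/sh
# Walk an absolute path from / down and report the first component that the
# given account cannot traverse (directories need x) or read (the file needs r).
# Assumes GNU/busybox stat(1) with -c; accounts are resolved with id(1).

# Does uid $1 (with space-padded gid list $2) hold permission bit $4 on $3?
# Bit values: 4 = read, 1 = execute/search.
has_bit() {
    uid=$1 gids=$2 p=$3 bit=$4
    [ "$uid" -eq 0 ] && return 0                 # root bypasses mode bits
    out=$(stat -c '%u %g %a' "$p") || return 1   # owner uid, group gid, octal mode
    set -- $out
    mode=${3#"${3%???}"}                         # last three octal digits only
    if [ "$uid" -eq "$1" ]; then
        digit=${mode%??}                         # owner digit
    else
        case "$gids" in
            *" $2 "*) digit=${mode#?}; digit=${digit%?} ;;   # group digit
            *)        digit=${mode#??} ;;                    # other digit
        esac
    fi
    [ $(( digit & bit )) -ne 0 ]
}

# Print the first component of $3 that uid $1 / gids $2 cannot get through and
# return 1; print nothing and return 0 when every step is permitted.
path_access_for_ids() {
    uid=$1 gids=$2 target=$3
    has_bit "$uid" "$gids" / 1 || { echo /; return 1; }
    dir=/ rest=${target#/}
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        case "$rest" in */*) rest=${rest#*/} ;; *) rest= ;; esac
        [ -z "$comp" ] && continue               # skip empty components (a//b)
        cur=${dir%/}/$comp
        if [ -d "$cur" ]; then need=1; else need=4; fi
        has_bit "$uid" "$gids" "$cur" "$need" || { echo "$cur"; return 1; }
        dir=$cur
    done
}

# Same check by account name, e.g. path_access_for_user www-data /var/www/sites/mysite.com/http/media/css/style.css
path_access_for_user() {
    path_access_for_ids "$(id -u "$1")" " $(id -G "$1") " "$2"
}

if [ $# -eq 2 ]; then                            # sh check.sh www-data /var/www/.../style.css
    blocked=$(path_access_for_user "$1" "$2") && echo "$1 can reach $2" || echo "$1 is stopped at: $blocked"
fi
```

On the asker's tree (css is drwxr-----, so the www-data group has r but not x) the script stops at the css directory, which is exactly where the log's "access denied" comes from.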