Ubuntu – what permissions should I give to a folder on apache when it demands write and execute permissions

content-managementSecurityUbuntuweb-server

I am trying to get a few Content Management Systems up and running.
But I have security concerns with respect to them

1) please see following link
http://www.dokeos.com/doc/installation_guide.html section 2 says
The following directories need to be readable, writeable and executable for
everyone:

dokeos/main/inc/conf/
dokeos/main/upload/users/
dokeos/main/default_course_document/
dokeos/archive/
dokeos/courses/
dokeos/home/

I am not very happy with this idea of having directories to be
readable,writeable and executable for every one.

2) http://doc.claroline.net/en/index.php/Install_general_information

the section
Rights on folders says

" If you don't want to set write access on the whole folders, which is
recommended for security reasons, give to the web server user write access on
these folders : "

Is this a recommended practice.?

3) Also another LMS (Learning Management System) while installing asked to give
some folders writeable and executable for every one
here is a link
http://atutor.ca/atutor/docs/installation.php
While installing it I got a message

“The directory you specify must be created if it does not already exist  
and be writeable by the webserver. On
Unix machines issue the command chmod
a+rwx content, additionally the path
may not contain any symbolic links.
chmod a+rwx /var/www/atutor/content”

4) Another LMS docebolms asked to give write permissions on

files/doceboCore/photo
files/common/users
files/doceboLms/course
files/doceboLms/forum
files/doceboLms/item
files/doceboLms/message
files/doceboLms/project
files/doceboLms/scorm
files/doceboLms/test

I checked its documentation
http://www.docebo.org/doceboCms/index.php?mn=docs&op=docsπ=5_4&folder=7
but was not that helpful.

I am not at all convinced by the idea of giving permissions to read,write and
execute as these Learning Management Systems say.
Let me know what you people have to say?
What is the best practise in such situations?

Best Answer

You're right to be concerned, and too many application vendors resort to telling you you need to grant full permissions to every user in order to avoid problems. They do this to minimize support calls, rather than to maximize security.

It does make sense that the web server account would need write access to certain directories to store uploads or generated files. And execute access on directories is required in Unix in order for the contents of the directory to be enumerated by a user, so that will also be necessary.

Ultimately, what you want is for the user account that is running the web server process (most likely www-data if you are using a packaged web server on Ubuntu) to own the folders in question, and then the standard permissions of 755 (rwxr-xr-x) are sufficient, or if you are on a shared system with other untrusted users, you'd want 700 (rwx------).

So, in your first example, assuming those directories already exist, you would need to do this:

$ sudo chown -R www-data:www-data dokeos/main/inc/conf/ dokeos/main/upload/users/ dokeos/main/default_course_document/ dokeos/archive/ dokeos/courses/ dokeos/home/
$ sudo chmod 755 dokeos/main/inc/conf/ dokeos/main/upload/users/ dokeos/main/default_course_document/ dokeos/archive/ dokeos/courses/ dokeos/home/

Again, if you are on a shared system, you may wish to replace "755" with "700" on the second line. If you know that www-data is not the user running your web server, replace that item with the correct value. You can run the same two commands on the directories for the second system as well. In both cases, write access is probably necessary, but only for the single user running the web server, not for everyone.

Good luck.

Related Solutions

Security – Apache service server demon priviiges (with respect to web directory structure, permissions and security)

If you're having trouble changing the group on the folder, make sure that you're root. You can't change the group of a folder or file unless you are the owner and in the group, or you're the superuser.

Ditch the admin GUI and open a shell. (Terminal, xterm, etc.)

chgrp www-data /home/morpheous/work/websites/testproject
chmod 2770 /home/morpheous/work/websites/testproject

# Set mode rwxrws--- the '2' sets the 's' sticky bit,
# which causes all files and folders created in "project"
# to inherit the same group.

(This may not be the best way to configure this specific app, but I think it's a reasonable guess. I'd also recommend moving that out of your home directory... that just complicates trying to keep your personal home directory secure while giving the webserver access to write to part of it.)

As for keeping Apache from serving up files in those directories, that's already done... your document root is defined as project/web. That only gives access to files at that point and below... the log and cache folders are already excluded.

Ubuntu – What permissions are needed to write a PID file in /var/run

By default, you can only write to /var/run as a user with an effective user ID of 0 (ie as root). This is for good reasons, so whatever you do, don't go and change the permissions of /var/run... Instead, as root, create a directory under /var/run:

# mkdir /var/run/mydaemon

Then change its ownership to the user/group under which you wish to run your process:

# chown myuser:myuser /var/run/mydaemon

Now specify to use /var/run/mydaemon rather than /var/run.

You can always test this by running a test as the user in question.

Best Answer

Related Solutions

Security – Apache service server demon priviiges (with respect to web directory structure, permissions and security)

Ubuntu – What permissions are needed to write a PID file in /var/run

Related Topic