2

I've just setup a new Droplet over at DigitalOcean before the weekend and have been configuring to my needs. I've been following this previously asked question multiple owner of same folder.

I also found another Q/A on this same forum this weekend talking about security implications and how to properly secure the www folder to minimise any potential risks.

  • What I've done so far is created a new group webmasters, where I've added myself, any other people that need access and the www-data user.

  • Applied the setgid bit on the folder sudo chmod g+s /var/www/html so that newly created files and folder belong to the same group to avoid access issues.

Once all that is done, how exactly do I properly secure the /var/www/html folder?

I read somewhere that in a perfect world, the folder would have chmod set to 640 or 2750, and that the www-data user should only have read access, where you manually give it write access to upload folders and so on.

Am I missing something important here?

I'm trying my best to learn.

Dixos
  • 23

1 Answers1

1

According to what is already done, and according to our discussion, I think you need to do these steps.

First, it is not required www-data to be a member of the group webmasters. So I think you need to remove it from that group.

The right way to setup permissions to the files and directories separately and recursively is to use find:

# Dial with the permissions recursively
sudo find /var/www/ -type f -exec chmod 664 {} +  # set -rw-rw-r-- for all files
sudo find /var/www/ -type d -exec chmod 775 {} +  # set drwxrwxr-x for all directories
sudo find /var/www/ -type d -exec chmod g+s {} +  # set drwxrwsr-x for all directories

# Dial with the ownership 
sudo chown -R root:webmasters /var/www/ # change user :group for the whole tree of /var/www

# Dial with the directory where `www-data` should have write permissions, e.g. for upload
sudo chown www-data /var/www/data

Thus:

  • The content of /var/www will be initially owned by the user root and group webmasters.

  • The members of the group webmasters will be able to write and modify the content of the directories in /var/www via the group permissons and setgid.

  • www-data will have read permission to the files and read-execute to the directories (note the execute permissions to the directories has different meaning than to the files), via the permissions of the other users. So Apache2 will able to display the content...

  • www-data will be able to write content in /var/www/data, because it is the owner.

pa4080
  • 30,621