Dumb Linux LAMP folder permissions question.

I was going to ask this on http://unix.stackexchange.com/ but I realized I might get my face verbally bitten off for being a Linux moron and not being able to find the answer online. (I have looked and found lots of information, but it’s conflicting and disjointed for what I’m trying to do.)

I need to allow apache to have read-only access to /var/www/html, but I need another user (an ftp user) to have read and write access.

In my limited understanding of Linux permissions the two users should be members of a group, that group should own the folders, and the permissions should be set on the group.

But to me this implies that all users with access to a folder must therefore have the same level of access. This is not what I want.

My goal is to use sftp to upload and edit files (from FileZilla) but to try and make the server as secure as possible. I will be setting the ftp user to only have access from a given IP address (I know how to do this bit so don’t need help with that).

Also the ftp user should only have access to /var/www/html and anything below it.

Can someone explain how to give different levels of access to different users of the same folders in Linux? Also any advice on how permissions should be set on /var/www/html would be appreciated.

The server is CentOS 6. The web server is Apache.

I’ve done a bit more reading…

If I set the owner of the folders as the ftp user, and give it read, write…

then put the apache user into a group, set the group to the group owner of the folders, and give that group only the read permission.

Does that sound right?

Every file or folder in Linux has three sets of permissions associated with it: owner, group, and world. These can all be different. So you could make ftp the owner of /var/www/html, and apache the group, and then assign these whatever permissions you like. E.g.,

chown -R ftp:apache /var/www/html
chmod u+rwx /var/www/html
chmod g+rx-w /var/www/html
chmod o-rwx /var/www/html

(It would also be equivalent to just do chmod 750 /var/www/html; I just wrote out the specific options for owner (u), group (g), and other users (o) to be a little more explicit about what was going on.)

By default every user should have a corresponding group of the same name, so you shouldn’t need to create one for apache explicitly.

It’s been a while, but my recollection is that you may want to give the FTP user (content creator) a different directory tree with appropriate user-level permissions and link the content in /var/www/html over to the other directory. I’m pretty sure you can add other content directories in the configuration of Apache.

I dunno. Take my advice on Apache with a lot of salt. I haven’t done it in a long time, and what I did may not really constitute “best practices”. :wink:

This wouldn’t directly solve the problem if the goal is for apache and the ftp user to have access to the same tree; you’d still need to set multiple permissions on the particular directory tree that needs to be shared.

SELinux allows much more granular permission control than the user-group-world model.

Just sayin’.

Actually it is best to NOT make the files in that directory owned and/or writable by the apache process unless absolutely necessary; if there is a security issue, you want the daemon to be restricted from changing files.

In the permissions you will notice that there is the “all users” section.

Ideally the FTP user (and I hope you are not using actual FTP; use sftp or scp) will own the files, and that user’s “UMASK” will be set to create files that are world readable and, for directories, executable if that is what you desire.

The execute permission on directories is needed to list files; that may or may not be functionality that you need.

You can also accomplish this with a common group but people tend to be foolhardy with group write permissions so for non-expert users I would still suggest using the “all users” permission mask.

Edit to add: if you use rsync or scp to push your files you can preserve permissions and ownership…this functionality does not exist in FTP which is an outdated protocol which should never be used for any file transfer that requires a password as that password is transferred in plain text and is trivial to intercept.

You might need to look into using ACLs.

This is basically what Lobsang was trying to get at, and my suggestion was on the same lines: ftp user owns the files, apache group has read-only access. You could certainly use world permissions for that, and in most cases the default permissions for group and world will accommodate this nicely. I just figured Lobsang had some reason to want only ftp and apache to have any access at all.

Also, he did mention he’s using SFTP and not FTP (thank goodness)!

(Less related, but I also hope the ‘P’ in “LAMP” stands for “Python”! :D)

Typically isn’t /var/www/html world readable? So you set up either the FTP user or a group with the FTP user in it to have write rights, and all users have read access (which includes apache). You deal with the “not allowed out of /var/www/html” by disallowing login for the ftp user and setting up a “chroot jail” in the ftp or sshd server (https://serverfault.com/questions/392601/how-to-add-user-with-sftp-ftp-access-to-var-www-html-website-abc-folder-on-a)

And the ‘A’ for Nginx and the M for Postgres…oh wait this is GQ…

Part of my response may have been proselytizing and yes repetitive in an attempt to reinforce those core concepts :slight_smile: My main point is that world permissions may be a good idea mostly due to a very common webdev permissions “fix” which unfortunately tends to be “chmod -R og+w”.

I always like to reduce the blast radius of well intentioned but ultimately bad actions by brilliant individuals working under tight deadlines and with systems that are not in their core areas of expertise.
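The layout the chmod 750 reply and the umask/“all users” reply describe, plus a check for the “chmod -R og+w” fix mentioned just above, as an added example that is not from any poster in this thread. It assumes ownership (chown -R ftpuser:apache) has already been done as root, so it only applies and audits mode bits in a scratch directory; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): apply the recommended modes to a
# web root tree and audit it for group/world write bits. Ownership is
# assumed already set with chown as root; everything here runs as an
# ordinary user in a constructed scratch directory.

# 750 on directories (group may traverse and list), 640 on files (group
# may read, other users get nothing).
harden_webroot() {
    find "$1" -type d -exec chmod 750 {} + &&
    find "$1" -type f -exec chmod 640 {} +
}

# List every entry that is group- (020) or world- (002) writable and
# return 1 if any exist: the state a well-meant "chmod -R og+w" leaves.
audit_webroot() {
    bad=$(find "$1" \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$bad" ]; then
        printf 'writable by group/world:\n%s\n' "$bad"
        return 1
    fi
    return 0
}

# Mode string such as -rw-r----- for a path, via ls rather than stat so it
# works on both GNU and BSD userlands.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Create a file the way an sftp user with umask 027 would (666 & ~027 = 640)
# and report its mode.
create_with_umask() {
    (umask 027 && : > "$1")
    mode_of "$1"
}

# Constructed scratch tree standing in for /var/www/html.
WEBROOT=$(mktemp -d)
mkdir -p "$WEBROOT/images"
: > "$WEBROOT/index.html"
: > "$WEBROOT/images/logo.png"
harden_webroot "$WEBROOT"
```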