Re: Permissions on /var/www

2009-08-17 Thread Armindo Silva
Shouldn't be owned by www-data so apache can write there?

On Fri, Aug 14, 2009 at 11:06 PM, James Dinkel jdin...@gmail.com wrote:

 755 owned by root.root


 On Fri, Aug 14, 2009 at 4:11 PM, Michael S. Mason midnite...@me.com wrote:

 Hello Community Team:

 What are the default permissions for /var/www (?)

 Should this be set to any of the following:

 775= user can exec, read and write, group can exec read and write, and
 all other users can read and execute.
 755= same as above, but group can only read and exec.

 777= all users on your machine can do anything in files/dirs set with
 this acl. Remember, even if you are the only physical user on the
 machine, all processes (apache, ftpd, postfix, etc) are users on your
 machine and will be able to do bad stuff if 1) the code is buggy and
 happens to try to delete everything, or 2) if the process gets owned
 by evil hacker eddie.

 Thanks!
 Michael

 --
 ubuntu-server mailing list
 ubuntu-server@lists.ubuntu.com
 https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
 More info: https://wiki.ubuntu.com/ServerTeam






--
The only way of discovering the limits of the possible is to venture a
little way past them into the impossible.
Sir Arthur C. Clarke

Re: Permissions on /var/www

2009-08-17 Thread Roy Sigurd Karlsbakk
On 17. aug.. 2009, at 13.43, Armindo Silva wrote:

 Shouldn't be owned by www-data so apache can write there?


No. Allowing the apache user to change or delete its website is no  
good and allows for much easier hacking/defacing the site(s) on the  
box. If the apache user cannot write to /var/www, a security bug in  
the web server won't allow the hacker write access to /var/www, so  
less harm done.

roy
--
Roy Sigurd Karlsbakk
(+47) 97542685
r...@karlsbakk.net
http://blogg.karlsbakk.net/
--
In all pedagogy it is essential that the curriculum is presented
intelligibly. It is an elementary imperative for all pedagogues to
avoid excessive use of idioms of foreign origin. In most cases
adequate and relevant synonyms exist in Norwegian.




Re: Permissions on /var/www

2009-08-17 Thread Giorgio Zarrelli
Hi,

Better would be to let the subdir under /var/www be owned by
user.apachegroup and set to 755.

This way, each user can manage his contents and apache can only read them and 
show their contents to visitors.

Giorgio

On Monday 17 August 2009 14:18:38 Roy Sigurd Karlsbakk wrote:
 On 17. aug.. 2009, at 13.43, Armindo Silva wrote:
  Shouldn't be owned by www-data so apache can write there?

 No. Allowing the apache user to change or delete its website is no
 good and allows for much easier hacking/defacing the site(s) on the
 box. If the apache user cannot write to /var/www, a security bug in
 the web server won't allow the hacker write access to /var/www, so
 less harm done.

 roy

Re: Permissions on /var/www

2009-08-17 Thread Charles Hooper
IMHO I feel that the current permissions of root:root 755 are 
sufficient. Should a user/application have specific requirements then 
this can be easily changed.

Regards,
Charles Hooper

Giorgio Zarrelli wrote:
 Hi,


 Better would be to let the subdir under /var/www be owned by
 user.apachegroup and set to 755.


 This way, each user can manage his contents and apache can only read 
 them and show their contents to visitors.


 Giorgio


 On Monday 17 August 2009 14:18:38 Roy Sigurd Karlsbakk wrote:
  On 17. aug.. 2009, at 13.43, Armindo Silva wrote:
   Shouldn't be owned by www-data so apache can write there?
 
  No. Allowing the apache user to change or delete its website is no
  good and allows for much easier hacking/defacing the site(s) on the
  box. If the apache user cannot write to /var/www, a security bug in
  the web server won't allow the hacker write access to /var/www, so
  less harm done.
 
  roy


Re: Permissions on /var/www

2009-08-17 Thread Jim Tarvid
I've found putting the web root in user space preferable to /var/www. Since
many users have multiple websites I place each web tree under
/home/user/public_html.

Still leaves rafts of security questions for which I find no complete
solution other than virtual private web servers, but if I remove shell and
ftp won't let them browse directories I can find some peace.

On Mon, Aug 17, 2009 at 11:54 AM, Charles Hooper choo...@plumata.com wrote:

 IMHO I feel that the current permissions of root:root 755 are
 sufficient. Should a user/application have specific requirements then
 this can be easily changed.

 Regards,
 Charles Hooper

 Giorgio Zarrelli wrote:
  Hi,
 
 
  Better would be to let the subdir under /var/www be owned by
  user.apachegroup and set to 755.
 
 
  This way, each user can manage his contents and apache can only read
  them and show their contents to visitors.
 
 
  Giorgio
 
 
  On Monday 17 August 2009 14:18:38 Roy Sigurd Karlsbakk wrote:
   On 17. aug.. 2009, at 13.43, Armindo Silva wrote:
    Shouldn't be owned by www-data so apache can write there?
  
   No. Allowing the apache user to change or delete its website is no
   good and allows for much easier hacking/defacing the site(s) on the
   box. If the apache user cannot write to /var/www, a security bug in
   the web server won't allow the hacker write access to /var/www, so
   less harm done.
  
   roy




-- 
http://ls.net
http://drupal.ls.net

The path to God starts with a simple act of kindness.

Re: Permissions on /var/www

2009-08-17 Thread James Dinkel
On Mon, Aug 17, 2009 at 12:00 PM, Alexander Kraev alexander.kr...@gmail.com
 wrote:

 Hi,

 It depends on web-server architecture and how many sites you are going
 to run inside /var/www.

 root:root is good for /var/www if you are running many sites in
 /var/www. Let's say:

 /var/www/example.org
 /var/www/example.net
 /var/www/sub.example.org

 Each of these directories has to be owned as www-data:www-data if you use
 only www-data user to manage all virtual hosts and unix_user:www-data in
 case of multi-user virtual host based web server.

 It's a quick tip, all depends on your needs and web server's architecture.


 Each of these directories has to be owned as www-data:www-data

This is absolutely not true, and a bad idea for reasons already pointed out
in this thread (Roy Sigurd Karlsbakk's email).  Only set www-data as the
owner when a web application specifically calls for it and only on the
folder or file that it calls for.

For instance, say a web application requires the web server to have write
access to /var/www/myapp/uploads/.  Then keep /var/www owned by root.root
and perms set to 755, and change just the uploads folder to be owned by
www-data.root (or www-data.www-data, or root.www-data with 775 perms, it's
all the same).

If you do want users without root privileges to be able to modify the
directories, then that is OK; give them permissions to write to whatever they
need, but you do not want to give www-data any more than read permissions
unless your web application specifically calls for it.

Brazen
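
The layout described in the message above (/var/www at root.root 755, with only the uploads folder writable by www-data) can be checked mechanically. The following shell audit is an added example, not part of the original thread; the function names audit_webroot and demo_audit and the sample file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Lists every path under ROOT that the
# web server account could modify, except inside explicitly allowed dirs.
# Usage (real system, values assumed from the thread's example):
#   audit_webroot /var/www "$(id -u www-data)" "$(id -g www-data)" \
#       /var/www/myapp/uploads
audit_webroot() {
    root=$1; web_uid=$2; web_gid=$3; shift 3
    # Flag a path if the account owns it with u+w, its primary group has
    # g+w, or it is world-writable. Supplementary groups and ACLs are not
    # checked; symlinks are skipped because their mode bits are meaningless.
    find "$root" ! -type l \( \
            \( -user "$web_uid" -perm -0200 \) -o \
            \( -group "$web_gid" -perm -0020 \) -o \
            -perm -0002 \) -print |
    while IFS= read -r path; do
        allowed=no
        for dir in "$@"; do
            dir=${dir%/}
            case $path in "$dir"|"$dir"/*) allowed=yes ;; esac
        done
        [ "$allowed" = yes ] || printf '%s\n' "$path"
    done
}

# Constructed sample tree. The current account stands in for www-data so the
# demo runs without root; modes mirror the /var/www/myapp/uploads case.
demo_audit() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/myapp/uploads" "$t/myapp/cache"
    : > "$t/myapp/index.php"
    : > "$t/myapp/config.php"
    chmod 444 "$t/myapp/index.php"
    chmod 644 "$t/myapp/config.php"   # owner-writable file: reported
    chmod 755 "$t/myapp/uploads"      # the one directory the app may write
    chmod 777 "$t/myapp/cache"        # world-writable directory: reported
    chmod 555 "$t/myapp" "$t"
    ( cd "$t" && audit_webroot . "$(id -u)" "$(id -g)" ./myapp/uploads | sort )
    chmod -R u+w "$t" && rm -rf "$t"
}

demo_audit
```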

Re: Permissions on /var/www

2009-08-17 Thread Alexander Kraev
Hi Brazen,

Right you are, that was not an appropriate example. I meant that all
virtual hosts under /var/www have to be owned by the same user and
group www-data in case you have only one user to manage many virtual
hosts. www-data as an owner of the root directory is not a secure option.

Sasha

James Dinkel wrote:
 On Mon, Aug 17, 2009 at 12:00 PM, Alexander Kraev
 alexander.kr...@gmail.com wrote:
 
 Hi,
 
 It depends on web-server architecture and how many sites you are going
 to run inside /var/www.
 
 root:root is good for /var/www if you are running many sites in
 /var/www. Let's say:
 
 /var/www/example.org
 /var/www/example.net
 /var/www/sub.example.org
 
 Each of these directories has to be owned as www-data:www-data if you use
 only www-data user to manage all virtual hosts and unix_user:www-data in
 case of multi-user virtual host based web server.
 
 It's a quick tip, all depends on your needs and web server's
 architecture.
 
 
  Each of these directories has to be owned as www-data:www-data
 
 This is absolutely not true, and a bad idea for reasons already pointed 
 out in this thread (Roy Sigurd Karlsbakk's email).  Only set www-data as 
 the owner when a web application specifically calls for it and only on 
 the folder or file that it calls for.
 
 For instance, say a web application requires the web server to have 
 write access to /var/www/myapp/uploads/.  Then keep /var/www owned by 
 root.root and perms set to 755, and change just the uploads folder to be 
 owned by www-data.root (or www-data.www-data, or root.www-data with 775 
 perms, it's all the same).
 
 If you do want users without root privileges to be able to modify the
 directories, then that is OK; give them permissions to write to whatever
 they need, but you do not want to give www-data any more than read
 permissions unless your web application specifically calls for it.
 
 Brazen



Re: Permissions on /var/www

2009-08-14 Thread James Dinkel
755 owned by root.root

On Fri, Aug 14, 2009 at 4:11 PM, Michael S. Mason midnite...@me.com wrote:

 Hello Community Team:

 What are the default permissions for /var/www (?)

 Should this be set to any of the following:

 775= user can exec, read and write, group can exec read and write, and
 all other users can read and execute.
 755= same as above, but group can only read and exec.

 777= all users on your machine can do anything in files/dirs set with
 this acl. Remember, even if you are the only physical user on the
 machine, all processes (apache, ftpd, postfix, etc) are users on your
 machine and will be able to do bad stuff if 1) the code is buggy and
 happens to try to delete everything, or 2) if the process gets owned
 by evil hacker eddie.

 Thanks!
 Michael
