dumb question about users and permissions.

I have set up an apache server with everything pretty much default. I also set up vsftpd and want to allow users to log in and trasfer files to their respective directories without compromising security. The users will be chrooted to their respective folders and authenticating using using tls.

My question is how should I set up the permission on the files?

for instance my "/var/www/localhost/whatever" folder should have what permissions? Apache will need to be able to read the files to serve on web and each user should be able to acce4ss his files. Should the owner be apache and the group be "group1"

useradd -d /var/www/localhost/whatever -g group1 user1

inside the directory lets say my index.html file what owners should that have?

Is this correct?

index.html apache:group1 with 775 ?

I am really confused on what this should be and would appriciate help. I have read lots on forums and manuals but none clear it up for me.

4 Replies

There are several ways to do it, my favorite is to make all the files owned by their respective users and chmod each user's home directory to 750 (owner read-write, group read-only, and others nothing). Then I setgid all those directories to the Apache group. That way, all new files will be created with the appropriate user as the owner and Apache as the group. Each user can do whatever he wants with his own files, Apache can read all of them, but no user can even see another user's files.

With this setup your PHP scripts (assuming you're using the standard mod_php; please ignore if all your sites are static) will only be able to read from the disk, but not write or create new files. If your users have PHP scripts that need to write to the disk, you should either tell your users to chmod the appropriate files to 660/770 or use a special Apache module such as suexec or suphp.

Don't use 775 or 777 or anything of the sort unless you trust all of your users not to hack each other's sites. The last digit MUST be zero or your users will be able to view each other's files. All the popular CMS's store their DB credentials in plain text! Sure, FTP gives you a chroot, but what about PHP scripts? Sure, safemode and openbasedir can help, but those are stopgap measures and some of them will disappear in the next version. Nothing beats native UNIX permissions.

Ok great that sounds like a plan I will proceed with that. I really only have two people logging in through FTP so I am not too worried about people modifying files but you do make a good point. I will go ahead and proceed because your setup looks like what I need anyway. Thanks for the heads up!

Sorry, I left out an important detail. Chmod'ing to 770 won't do. If you want real security you NEED suexec/suphp. Otherwise the PHP scripts will run as Apache and be able to read everything, as well as write to any directory with 770 perms.

Clever users can bypass open_basedir restrictions:

This is banned

$data = file_get_contents('/path/to/another/users/file');

But this isn't

$data = shell_exec('cat /path/to/another/users/file');

This, of course, can be banned using safe_mode configuration, but who knows if there's another hole, PHP being what it is.

I tried it out and it looks good! Thanks for the help. I set up all directories as 750 and well there are only two people that access these files so I am not too worried about the php scripts since I am the one who writes them…


Please enter an answer

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct