
How to set secure permissions in webserver directory


I am really confused about this issue. I have read so many tutorials, but each one suggests a different practice.

I have a web server with a directory /var/www. In that directory each website is in a new folder (blog, etc.). I think permissions for folders have to be 755 and files 644, OK. But which user and group should own these files and folders? I read that some people say it has to be root:www-data, other people say www-data:www-data, and another one says not to follow these practices for security reasons. It is so complicated for me, because we have to be able to create files sometimes, other times execute processes, and at the same time be secure. What is the best practice? Could anybody explain it to me? Thanks in advance.


Solution

  • This is something where no final answer exists, no "right" or "wrong".

    It is up to your personal philosophy, but maybe a few general rules can help:

    1. always try to grant as little rights as possible to keep security as high as possible without much effort

    2. prefer to separate write and read rights to different roles, ideal are only local accounts being able to write the web resources, whilst the web server process can only read those files.

    3. this does not work for many of the modern "web applications", most of those request write permission for exactly that account. This obviously opens a big security risk, since you have to rely completely on the quality of code someone else implemented. This is a bad situation, especially in the field of web programming, where security holes are per definition accessible from outside. So at least try to limit such rights to those resources that really need to be written:

      3.1 grant write permission only to stuff like data folder and maybe an embedded database file

      3.2 grant write access to the implementation files themselves only when really required, for example temporarily during an update

      3.3 if possible also try to store runtime data and implementation files of web applications in separate locations.

    4. make sure that the http server's process is owned by a local user account that does not have a local login granted (see /etc/passwd, there should be an invalid shell configured, or some similar precaution).

    5. be extremely careful with execution rights. There are only rare occasions where an http server process really needs execution rights on files inside the published documents/files.

    6. do not grant direct access to physical files, always "stream" files (their content) through a handler, so a script that is able to control, authenticate and deny such requests.

    7. activate only those modules and features in your http server that are really required.

    And as always the most important rules:

    1. understand what you are doing, do not blindly follow any explanations, advisories or hints.

    2. check your log files on a regular basis and do not push away things that spring into your eyes.
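
The following script is an added example, not part of the answer above. It audits a web root against rules 3.1, 4 and 5 and resets modes to the 755/644 baseline from the question. The function names, the `data` directory name and the reliance on GNU find are assumptions made for this illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Requires GNU find.
# Assumed layout: ROOT holds the site, ROOT/data is the only place the
# web server account may write (rules 3.1 and 3.3).

# Print one finding per line: "<CODE> <path>".
audit_webroot() {
    local root="$1" data="${2:-data}"
    # Rules 1-3: no group/other write bit outside the data directory.
    find "$root" -path "$root/$data" -prune -o \
        \( -type f -o -type d \) -perm /022 -printf 'WRITABLE %p\n'
    # Rule 5: published files should not carry execute bits.
    find "$root" -type f -perm /111 -printf 'EXEC %p\n'
    # setuid/setgid files have no place in a document root.
    find "$root" -type f -perm /6000 -printf 'SETID %p\n'
}

# Reset modes to the 755/644 baseline from the question; only the data
# directory keeps group write. Ownership (chown/chgrp) is left to the admin.
apply_baseline() {
    local root="$1" data="${2:-data}"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    [ -d "$root/$data" ] || return 0
    find "$root/$data" -type d -exec chmod 775 {} +
    find "$root/$data" -type f -exec chmod 664 {} +
}

# Rule 4: print the login shell of USER from a passwd-format file.
login_shell_of() {
    awk -F: -v u="$1" '$1 == u { print $7 }' "${2:-/etc/passwd}"
}

# Rule 4 check: succeed only if USER exists and cannot log in interactively.
has_no_login() {
    case "$(login_shell_of "$1" "${2:-/etc/passwd}")" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}
```

Run `audit_webroot /var/www/blog` first and review the findings before calling `apply_baseline`, since a web application may depend on a write or execute bit that the baseline removes.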