what chmod and owner:group settings are best for a web application?

security apache-2.2 chmod php chown

we are configuring a PHP web application on CentOS and have all our files currently in /var/www/html/project/

Apache is configured to run as apache:apache and has access to the directory above. Right now our files and directories have the following rights:

owner = root group = apache

DIRECTORIES: drwxr-x--- root apache

FILES: -rw-r----- root apache

Is this a safe setup? Or is it better to use a new user e.g. "project" to be the owner of all files and directories?


Solution 1:

It's a best practice to have the owner be whatever limited user account is used for uploading/managing the files on the server. The group is often the account that php is running under, so in this case apache would be correct. The other permissions should be set to nothing, as they are. You are close to perfect.

If you have a situation where multiple accounts may be modifying/editing the files you can creat a cron script that chowns the dir recursively every hour or so to maintain correct ownership. The same technique works to keep the permissions correct as well.

Also, you may want to modify the umask of the limited user account that has ownership to be inline with your permission scheme.

Solution 2:

You're definitely playing it safe.

Your settings are going to keep you from being able to create additional folders in you DIRECTORIES should you need to on demand via apache.

I'd suggest that you use the following permissions:

DIRECTORIES: drwxrwx--- root apache
FILES: -rw-rw---- root apache

Add your developers to the apache group so that the can continue to write to these files should they log in via ssh or ftp.

You can have liberal file permissions if you can trust what users are running them. If you're code is solid then you can allow the apache group to do more with permissions.

Edit: In general give apache:

rwx if it needs to create folders
rw if it needs to create files
r if everything is static

In the end what it boils down to is only giving the permissions that you must. Make them as conservative as possible and open them up as you develop your application if you need to.

One little thing about groups. You'll see some examples that show this (these are correct settings, too):

DIRECTORIES: drwxrwxrw- root somegroup
FILES: -rw-rw-r-- root somegroup

These permissions are required for a web application to run because the apache user is not part of the group permissions. In that case, apache is considered everyone so you need to set permissions to allow everyone to interact with your website. An by everyone I don't mean everyone in the world (ie anonymous). I mean everyone one who is currently a user on your server (look in /etc/passwd to get a list).

Related

ODBC: trouble removing system DSN
What is the rootvg in AIX?
Where is index.html for IIS7?
managing high load of a postgresql database
Is it possible to use custom script for authentication with PAM?
How to physically secure a public terminal? [closed]
Backup security: Why same keys to backup and restore?
Multicast in Rackspace cloud
Managed Switch Question?
How to mount a drive on startup in Ubuntu?
How GZipped contents are transfered on the web?
WebDav rename fails on an Apache mod_dav install behind NginX