Fixing permission settings on html folder

I've just set up a new Droplet over at DigitalOcean before the weekend and have been configuring it to my needs. I've been following this previously asked question: "multiple owner of same folder".

I also found another Q/A on this same forum this weekend talking about security implications and how to properly secure the www folder to minimise any potential risks.

  • What I've done so far is create a new group webmasters, where I've added myself, any other people that need access and the www-data user.

  • Applied the setgid bit on the folder (sudo chmod g+s /var/www/html) so that newly created files and folders belong to the same group, to avoid access issues.

Once all that is done, how exactly do I properly secure the /var/www/html folder?

I read somewhere that in a perfect world, the folder would have chmod set to 640 or 2750, and that the www-data user should only have read access, where you manually give it write access to upload folders and so on.

Am I missing something important here?

I'm trying my best to learn.


According to what is already done, and according to our discussion, I think you need to do these steps.

First, it is not required for www-data to be a member of the group webmasters. So I think you need to remove it from that group.

The right way to set up permissions on the files and directories separately and recursively is to use find:

# Deal with the permissions recursively
sudo find /var/www/ -type f -exec chmod 664 {} +  # set -rw-rw-r-- for all files
sudo find /var/www/ -type d -exec chmod 775 {} +  # set drwxrwxr-x for all directories
sudo find /var/www/ -type d -exec chmod g+s {} +  # set drwxrwsr-x (setgid) for all directories

# Deal with the ownership
sudo chown -R root:webmasters /var/www/  # change user:group for the whole tree of /var/www

# Deal with the directory where `www-data` should have write permissions, e.g. for upload
sudo chown www-data /var/www/data

Thus:

  • The content of /var/www will be initially owned by the user root and group webmasters.

  • The members of the group webmasters will be able to write and modify the content of the directories in /var/www via the group permissions and setgid.

  • www-data will have read permission to the files and read-execute to the directories (note that the execute permission on a directory has a different meaning than on a file), via the permissions of the other users. So Apache2 will be able to display the content...

  • www-data will be able to write content in /var/www/data, because it is the owner.
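To check that a tree actually ends up in the state the answer describes (files 664, directories 2775 with setgid, nothing left world-writable or unreadable by others), here is an added audit script; it is not part of the original answer. It assumes GNU coreutils stat (Linux) and deliberately leaves out the chown steps so it can be tried as an unprivileged user on a constructed scratch directory instead of /var/www.

```shell
# apply_mode_policy DIR: the answer's mode policy, files -> 664 and
# directories -> 2775 (rwxrwsr-x, setgid included). Ownership is not touched.
apply_mode_policy() {
    find "$1" -type f -exec chmod 664 {} +
    find "$1" -type d -exec chmod 2775 {} +
}

# audit_webroot DIR: print one "<kind> <octal-mode> <path>" line for every
# object that deviates from the policy. A setgid directory shows up in the
# octal mode with a leading 2 (e.g. 2775), so a missing setgid bit is caught.
audit_webroot() {
    find "$1" -type f ! -perm 664 -exec sh -c '
        for f; do printf "file %s %s\n" "$(stat -c %a "$f")" "$f"; done' sh {} +
    find "$1" -type d ! -perm 2775 -exec sh -c '
        for d; do printf "dir %s %s\n" "$(stat -c %a "$d")" "$d"; done' sh {} +
}

# count_deviations DIR: number of audit lines, handy for a cron job or monitor.
count_deviations() {
    audit_webroot "$1" | wc -l | tr -d ' '
}

# make_demo_tree: constructed scratch tree standing in for /var/www, with the
# kinds of mistakes the audit should flag. Prints the path of the tree.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/html/uploads"
    : > "$d/html/index.html"
    : > "$d/html/uploads/avatar.png"
    chmod 777 "$d/html/uploads"             # world-writable directory
    chmod 600 "$d/html/index.html"          # not readable by others (www-data)
    chmod 644 "$d/html/uploads/avatar.png"  # not group-writable for webmasters
    printf '%s\n' "$d"
}

# Usage: T=$(make_demo_tree); audit_webroot "$T"; apply_mode_policy "$T"; audit_webroot "$T"
```

Run the audit against the real tree after the chown/chmod steps; anything it prints is either an intentional exception (such as the www-data upload directory) or a permission that drifted.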