Fixing permission settings on html folder
I've just set up a new Droplet over at DigitalOcean before the weekend and have been configuring it to my needs. I've been following this previously asked question: multiple owner of same folder.
I also found another Q/A on this same forum this weekend talking about security implications and how to properly secure the www folder to minimise any potential risks.
What I've done so far is created a new group webmasters, where I've added myself, any other people that need access and the www-data user.
Applied the setgid bit on the folder (sudo chmod g+s /var/www/html) so that newly created files and folders belong to the same group, to avoid access issues.
Once all that is done, how exactly do I properly secure the /var/www/html folder?
I read somewhere that in a perfect world, the folder would have chmod set to 640 or 2750, and that the www-data user should only have read access, where you manually give it write access to upload folders and so on.
Am I missing something important here?
I'm trying my best to learn.
According to what is already done, and according to our discussion, I think you need to do these steps.
First, it is not required for www-data to be a member of the group webmasters. So I think you need to remove it from that group.
The right way to set up permissions for the files and directories separately and recursively is to use find:
# Deal with the permissions recursively
sudo find /var/www/ -type f -exec chmod 664 {} + # set -rw-rw-r-- for all files
sudo find /var/www/ -type d -exec chmod 775 {} + # set drwxrwxr-x for all directories
sudo find /var/www/ -type d -exec chmod g+s {} + # set drwxrwsr-x for all directories (setgid)
# Deal with the ownership
sudo chown -R root:webmasters /var/www/ # change user:group for the whole tree of /var/www
# Deal with the directory where `www-data` should have write permissions, e.g. for uploads
sudo chown www-data /var/www/data
Thus:
- The content of /var/www will initially be owned by the user root and the group webmasters.
- The members of the group webmasters will be able to write and modify the content of the directories in /var/www via the group permissions and setgid.
- www-data will have read permission to the files and read-execute to the directories (note that the execute permission on a directory has a different meaning than on a file), via the permissions of the "other" users. So Apache2 will be able to display the content...
- www-data will be able to write content in /var/www/data, because it is the owner.
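The scheme from the answer above (files 664, directories 775 plus setgid, tree owned by root:webmasters, one upload directory owned by www-data), as an added example that is not part of the original question or answer. It applies the find/chmod steps to a throwaway directory tree built under mktemp instead of /var/www, so it can be run as an unprivileged user, and then checks the resulting modes with GNU stat. The chown steps only run when the script is executed as root and the assumed group name "webmasters" and user "www-data" actually exist; the tree contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: apply the answer's permission
# scheme to a directory tree and verify the result. Assumes Linux with GNU
# coreutils (stat -c). WEB_GROUP and WEB_USER are the answer's assumed names.
set -eu

WEB_GROUP=webmasters
WEB_USER=www-data

# Return the octal mode of a path, e.g. 664 or 2775 (GNU stat).
mode_of() {
    stat -c '%a' "$1"
}

# Return 0 if the setgid bit is set on the path (high octal digit has bit 2).
has_setgid() {
    case "$(mode_of "$1")" in
        2???|3???|6???|7???) return 0 ;;
        *) return 1 ;;
    esac
}

# Apply the scheme to $1 (web root) with $2 as the www-data writable directory.
apply_web_perms() {
    webroot=$1
    upload_dir=$2
    find "$webroot" -type f -exec chmod 664 {} +    # -rw-rw-r-- for all files
    find "$webroot" -type d -exec chmod 2775 {} +   # drwxrwsr-x: 775 plus setgid in one step
    # Ownership only makes sense as root and only if the group/user exist.
    if [ "$(id -u)" -eq 0 ] \
       && getent group "$WEB_GROUP" >/dev/null 2>&1 \
       && id "$WEB_USER" >/dev/null 2>&1; then
        chown -R "root:$WEB_GROUP" "$webroot"
        chown "$WEB_USER" "$upload_dir"
    fi
}

# Build a small constructed tree that resembles a web root, with a couple of
# deliberately wrong starting modes so the fix is visible.
make_demo_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/html/css" "$base/data"
    echo '<h1>hi</h1>' > "$base/html/index.html"
    echo 'body{}' > "$base/html/css/site.css"
    chmod 600 "$base/html/index.html"   # owner-only: Apache could not read it
    chmod 700 "$base/html"              # owner-only: Apache could not traverse it
    printf '%s\n' "$base"
}

# Apply the scheme, then create a directory afterwards to show that setgid
# propagates to new subdirectories (the reason the answer sets g+s).
demo() {
    base=$(make_demo_tree)
    apply_web_perms "$base" "$base/data"
    mkdir "$base/html/uploads_new"
    printf 'index.html=%s html/=%s data/=%s uploads_new/=%s setgid_inherited=%s\n' \
        "$(mode_of "$base/html/index.html")" \
        "$(mode_of "$base/html")" \
        "$(mode_of "$base/data")" \
        "$(mode_of "$base/html/uploads_new")" \
        "$(has_setgid "$base/html/uploads_new" && echo yes || echo no)"
    rm -rf "$base"
}

demo
```

Two points worth noting from the output: the directory created after the scheme was applied carries the setgid bit even though mkdir was never told to set it, which is exactly the inheritance the answer relies on so that files written by any webmasters member land in the shared group; and its lower bits still follow the creating process's umask, so a group-unwritable umask (022) will still produce a directory other members cannot write to, which is why a shared umask of 002 is usually paired with this scheme.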