Granting permission to /var/www/html [duplicate]

I want to stop having to use sudo every time I work in /var/www. How can I do that? I simply want to put all of my sites into this directory and work with them without too much pain.


Most answers here are not written with security in mind. It's good to get a feeling that running sudo each time is not very wise. If you make a typo (for example a single space in a wrong place, such as recursively deleting / var/www/dir, which means / and var/www/dir, instead of /var/www/dir; please do not attempt this), you might trash your system.

Note: Starting with Apache 2.4.7 / Ubuntu 14.04, /var/www has been moved to /var/www/html. Adjust the commands in this answer accordingly.

See:

  • Where to place my local website starting with the 2.4.7 version of apache2?

  • Why has the apache2 www dir been moved to /var/www/html?

  • Changing the default document root for HTTP server

Bad ideas:

  • chmod 777 (sagarchalise) - this allows anyone with access to your system to write into the directories and files, thereby allowing the intruder to execute any code under the www-data user
  • chgrp -R www-data $HOME (cob) - this allows www-data to read or write any files in the home directory. This is not keeping the Least Privilege rule in mind
  • chown -R $USER:$USER /var/www (kv1dr) - unless the world has read permissions on /var/www, the webserver running under www-data will not be able to read (serve) the files. If the file is a public-accessible plain HTML document, it might not be an issue if the world can read the file. But if the file is a PHP file containing passwords, it is.

NOTE: in the below solutions, I've granted www-data write privileges. However, /usr/share/doc/base-passwd/users-and-groups.txt.gz states:

www-data

Some web servers run as www-data. Web content should not be owned by this user, or a compromised web server would be able to rewrite a web site. Data written out by web servers will be owned by www-data.

Where possible, do not grant write permissions to the www-data group. www-data only needs to be able to read the files so the webserver can serve them. The only case where www-data needs write permissions is for directories storing uploads and other locations which need to be written.

Solution 1

Add yourself to the www-data group and set the setgid bit on the /var/www directory such that all newly created files inherit this group as well.

sudo gpasswd -a "$USER" www-data

Correct previously created files (assuming you to be the only user of /var/www):

sudo chown -R "$USER":www-data /var/www
find /var/www -type f -exec chmod 0660 {} \;
sudo find /var/www -type d -exec chmod 2770 {} \;

(even safer: use 640 or 2750 and manually chmod g+w file-or-dir that needs to be writable by the webserver)

Solution 2

Create a symlink for each project to your home directory. Say your project is located at ~/projects/foo and you want to have it located at /var/www/foo, run:

sudo ln -sT ~/projects/foo /var/www/foo

If your home directory has no execute bit (descend) set for other (for security reasons), change the group of it to www-data, but set the execute bit only (no read/write). Do the same for the ~/projects folder as it may contain other projects than www. (You don't need sudo if you have previously added your user to the www-data group.)

sudo chgrp www-data ~ ~/projects
chmod 710 ~ ~/projects

Set the group to www-data on ~/projects/foo and allow the webserver to read and write files and directories, and to descend into directories:

sudo chgrp www-data ~/projects/foo
find ~/projects/foo -type f -exec chmod 660 {} \;
find ~/projects/foo -type d -exec chmod 2770 {} \;

Even safer: use 640 and 2750 by default and manually chmod files and directories that need to be writable by the webserver user. The setgid bit should be added only if you want every newly created file in ~/projects/foo to be accessible by the group.

From now on, you can access your site at http://localhost/foo and edit your project files in ~/projects/foo.

See also

  • Permissions issue: how can Apache access files in my Home directory?
  • Reasons why /var/www should not have chmod 777
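Solution 2 only works if the web server's group can enter every directory on the way to the project: ~ and ~/projects need the group execute bit (710), and the project directory itself needs group read and execute. The script below is an added example, not code from the answer above: it walks the ancestor chain of a project directory and reports, per component, whether a process in the web group (which is not the owner) could descend. It assumes GNU findutils as on Ubuntu, and WEB_GROUP defaults to the caller's primary group so it can be tried on a scratch tree; on a real server run it with WEB_GROUP=www-data.

```shell
#!/bin/sh
# Added example (not from the answers on this page): check whether the web
# server's group can descend every directory leading to a project directory,
# i.e. whether "chgrp www-data ~ ~/projects" + "chmod 710 ~ ~/projects" from
# Solution 2 is sufficient. Assumes GNU findutils (Ubuntu).
# WEB_GROUP defaults to the caller's primary group so the script can be run on
# a scratch directory; on a real server set WEB_GROUP=www-data.
set -eu

WEB_GROUP="${WEB_GROUP:-$(id -gn)}"

# can_descend DIR: a non-owner process running as WEB_GROUP may enter DIR if
# DIR belongs to WEB_GROUP and has the group x bit, or if the other x bit is
# set. The owner's bits are deliberately ignored: the web server is not the
# owner of your home directory.
can_descend() {
    if [ -n "$(find "$1" -maxdepth 0 -group "$WEB_GROUP" -perm -010)" ]; then
        return 0
    fi
    [ -n "$(find "$1" -maxdepth 0 -perm -001)" ]
}

# check_descend TARGET [STOP]: walk from TARGET upwards to (but excluding)
# STOP, default "/", printing one line per component. Returns 0 only if every
# component is enterable by WEB_GROUP.
check_descend() {
    p="$1"; stop="${2:-/}"; rc=0
    while [ "$p" != "$stop" ] && [ "$p" != "/" ]; do
        if can_descend "$p"; then
            echo "ok    $p"
        else
            echo "BLOCK $p (no x bit for group $WEB_GROUP or for other)"
            rc=1
        fi
        p=$(dirname "$p")
    done
    return "$rc"
}

# Constructed scratch tree standing in for ~/projects/foo.
demo() {
    home=$(mktemp -d)
    mkdir -p "$home/projects/foo"
    chmod 700 "$home" "$home/projects"    # a typical locked-down home directory
    echo "before:"
    if check_descend "$home/projects/foo" "$(dirname "$home")"; then
        echo "-> reachable"
    else
        echo "-> the web server cannot reach $home/projects/foo"
    fi
    # The fix from Solution 2: web group on the ancestors, execute bit only.
    chgrp "$WEB_GROUP" "$home" "$home/projects" "$home/projects/foo"
    chmod 710 "$home" "$home/projects"
    chmod 2750 "$home/projects/foo"
    echo "after:"
    if check_descend "$home/projects/foo" "$(dirname "$home")"; then
        echo "-> the web server can now descend into $home/projects/foo"
    fi
    rm -rf "$home"
}

demo
```

The STOP argument exists so you can limit the walk to the part of the path you control; with the default the walk continues up to / and will also report a parent such as /home if it has been locked down.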

Rather than storing my web sites in /var/www I place links there to the sites which are located in my home folder. I can freely edit, or add pages to my sites. When I am happy with changes I then FTP to a hosting company where my domain name links.


If you make /var/www writeable by its group and add yourself to the group, you will not have to use sudo while still being fairly secure. Try this:

sudo adduser <username> www-data
sudo chown -R www-data:www-data /var/www
sudo chmod -R g+rw /var/www

You should then be able to edit /var/www/ files without hassle.

The first line adds you to the www-data group, the second line clears up any files with messed up ownership, and the third makes it so that all users who are members of the www-data group can read and write all files in /var/www.


Don'ts

  • Don't set file permissions to 777 (world-writable)

    This is a significant security flaw, especially if you enable server-side scripting such as PHP. Unprivileged processes should not be able to write to files that would affect the website or, in the case of server-side scripting being used, execute arbitrary code.

  • Don't add yourself as a member of the www-data group and give it write permissions

    The purpose of that group is that it is an unprivileged group that the server processes run as. They should only have read access to the website files where possible, for the same reasons as above.

  • Don't change the permissions of the Apache processes

    The Apache child processes run as the www-data user and group by default, and this should not be altered. This is just a way of giving them no write permission to the filesystem.

    In certain circumstances you want your server-side scripts to be able to write to files, in which case only those files should be made writable by www-data and care needs to be taken to ensure security.

Dos

  • Set the files to be owned by yourself

    If you are the only one, or the usual one, to modify certain files on the website, then it makes total sense just to take ownership of those files. Set their owner to <your username>.

    You don't have to modify the server permissions for this, as the server will continue to get read-only access even when the files are owned by you.

  • Choose a sensible place to house the files (using DocumentRoot)

    If /var/www doesn't make sense, you are welcome to place them elsewhere. If they are specific to your own development or testing, you could place them in your home directory. Or you can set up some directories in /srv.

  • If you want to give group write access, create a new group for the purpose

    Don't re-use a system group, because these are typically designed to have the access they currently have, and no more, for security reasons.
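The "even safer" variant of Solution 1 in the first answer (files 640, directories 2750, write access only where the server must write) and the advice above to use a dedicated group rather than www-data describe the same scheme; what neither shows is how to verify that a tree actually conforms to it. The script below is an added example, not code from any answer here: it applies that scheme to a web root with one explicit upload directory, then audits the tree for world-writable entries, group-writable entries outside the upload directory, and directories missing the setgid bit. It assumes GNU findutils as on Ubuntu, and WEB_GROUP defaults to the caller's primary group so it can be tried on a scratch tree; on a real server set WEB_GROUP to www-data or to the dedicated group you created.

```shell
#!/bin/sh
# Added example (not from any answer on this page): apply the 640/2750 variant
# of Solution 1 with one explicit upload directory, then audit the result.
# Assumes GNU findutils (Ubuntu). WEB_GROUP defaults to the caller's primary
# group so the script can be run on a scratch directory; on a real server set
# WEB_GROUP=www-data, or the dedicated group recommended in the Dos list.
set -eu

WEB_GROUP="${WEB_GROUP:-$(id -gn)}"

# harden_webroot DIR: the developer stays owner, the web group may read and
# descend, other gets nothing, and directories are setgid so new files inherit
# the group.
harden_webroot() {
    chgrp -R "$WEB_GROUP" "$1"
    find "$1" -type f -exec chmod 0640 {} +
    find "$1" -type d -exec chmod 2750 {} +
}

# allow_upload_dir DIR: the one exception the first answer permits, a directory
# the web server must write into. The group gets write, other still nothing.
allow_upload_dir() {
    find "$1" -type d -exec chmod 2770 {} +
    find "$1" -type f -exec chmod 0660 {} +
}

# audit_webroot DIR [UPLOAD_DIR]: print every violation and return 1 if any.
#   WORLD-WRITABLE  anything writable by other (the chmod 777 bad idea)
#   GROUP-WRITABLE  anything the web group could rewrite outside UPLOAD_DIR
#                   (a compromised server could then rewrite the site)
#   NO-SETGID       a directory whose new files would not inherit the group
audit_webroot() {
    dir="$1"; upload="${2:-$1/.no-upload-dir}"
    find "$dir" -perm -002 -printf 'WORLD-WRITABLE  %p\n'
    find "$dir" -perm -020 ! -path "$upload" ! -path "$upload/*" \
        -printf 'GROUP-WRITABLE  %p\n'
    find "$dir" -type d ! -perm -2000 -printf 'NO-SETGID       %p\n'
    violations=$(find "$dir" \( -perm -002 \) -o \
        \( -perm -020 ! -path "$upload" ! -path "$upload/*" \) -o \
        \( -type d ! -perm -2000 \) | wc -l)
    [ "$((violations))" -eq 0 ]
}

# Constructed scratch web root with a deliberately bad permission to catch.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/site/uploads"
    echo '<h1>constructed sample</h1>' > "$root/site/index.html"
    printf '<?php $db_password = "constructed-sample";\n' > "$root/site/config.php"
    chmod 777 "$root/site/index.html"     # the bad idea, so the audit flags it
    echo "before hardening:"
    audit_webroot "$root/site" "$root/site/uploads" || true
    harden_webroot "$root/site"
    allow_upload_dir "$root/site/uploads"
    echo "after hardening:"
    if audit_webroot "$root/site" "$root/site/uploads"; then
        echo "clean"
    fi
    rm -rf "$root"
}

demo
```

Run the audit on its own (audit_webroot /var/www/html /var/www/html/uploads) from a cron job or before a deployment to catch a stray chmod 777 or a file left group-writable outside the upload directory.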


It's this simple. You neither need to enable the apache 'UserDir' (not recommended) nor mess with 'www-data' groups (the apache group in the case of Fedora).

Just create your project directory inside /var/www/html

cd /var/www/html
sudo mkdir my_project

Then just chown the project directory to your user.

sudo chown your_username my_project

Now you can start working on your project folder as a regular user with any editor or IDE of your choice. No more sudos : )