Linux Web Server Permissions - Best Practices

On a privately owned server with one website, is there any reason the files/directories within /var/www can't be group owned by www-data?

My understanding is that security risks with www-data having write access only arise if you have multiple websites running on the same box.


Solution 1:

The principle of least privilege applies. Only give users the rights they need and no more.

In this case, if Apache is only serving up pages, give the user account no rights to edit. Possible risks include: changing file content or uploading new ones; adding executable code to files, etc. These risks exist regardless of whether it is a single site or multiple. If the application has a need to edit a specific file, restrict permission changes to that file.

Solution 2:

I wrote a simple script for my WordPress site. This script gives Apache only write-access to what it needs to write to. Everything else under the webroot is read-only. I think this is a good step towards a more secure site, and should be practiced.

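#!/bin/bash
# Make the webroot read-only, then give Apache (group www-data) write access
# only to the paths WordPress has to write to.

PATH=/bin:/usr/bin
WEBROOT="/var/www/www.example.com"

UPLOADS="${WEBROOT}/wp-content/uploads"

# Everything: owned by nobody:nogroup, directories r-x, files r--.
chown -R nobody:nogroup "${WEBROOT}"
find "${WEBROOT}" -type d -exec chmod 0555 {} \;
find "${WEBROOT}" -type f -exec chmod 0444 {} \;

# Sitemap files: group www-data may write (r--rw-r--).
chown nobody:www-data "${WEBROOT}/sitemap.xml" "${WEBROOT}/sitemap.xml.gz"
chmod 0464 "${WEBROOT}/sitemap.xml" "${WEBROOT}/sitemap.xml.gz"

# Uploads: group www-data may write; setgid so new entries keep the group.
chown -R nobody:www-data "${UPLOADS}"
find "${UPLOADS}" -type d -exec chmod 2575 {} \;
find "${UPLOADS}" -type f -exec chmod 0464 {} \;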
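
A way to check the result of a script like the one in Solution 2 (an added example, not written by any of the answerers): it lists what a given account could still modify under the webroot, apart from an allowlist of paths that are meant to be writable. The function names, the demo tree and its made-up uid are assumptions of this example; the allowlisted paths follow the uploads directory and sitemap file used above.

```shell
#!/bin/sh
# Added example, not from the answers above. Needs POSIX sh, find, sort, sed, awk.
# find_writable ROOT UID "GID..." [ALLOWED_REL_PATH...]
# Prints non-symlink paths under ROOT that the account could modify: owned by
# UID (an owner can always chmod), group-writable for one of its GIDs, or
# world-writable. Allowlisted paths and everything below them are skipped.
find_writable() {
    root=${1%/}; uid=$2; gids=$3; shift 3
    gexpr=""
    for g in $gids; do gexpr="${gexpr:+$gexpr -o }-group $g"; done
    [ -n "$gexpr" ] || return 2
    n=$#
    while [ "$n" -gt 0 ]; do    # rewrite each REL as: -o -path ROOT/REL
        rel=$1; shift; n=$((n - 1))
        set -- "$@" -o -path "$root/$rel"
    done
    # "-type d -type f" is always false; it only gives the -o chain a first term.
    # $gexpr holds numeric gids only, so it is left unquoted on purpose.
    find "$root" \( -type d -type f "$@" \) -prune -o \
        ! -type l \( -user "$uid" -o \( $gexpr \) -perm -0020 -o -perm -0002 \) \
        -print | sort
}

# audit_webroot ROOT USER [ALLOWED_REL_PATH...]: resolve USER with id(1) first.
audit_webroot() {
    root=$1; user=$2; shift 2
    uid=$(id -u "$user") && gids=$(id -G "$user") || return 2
    find_writable "$root" "$uid" "$gids" "$@"
}

# demo: constructed tree using the page's WordPress layout, audited for a
# made-up uid that owns nothing and shares the files' group (like www-data).
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/wp-content/uploads/2024" "$d/wp-content/plugins"
    for f in index.php wp-config.php sitemap.xml; do : > "$d/$f"; done
    find "$d" -type d -exec chmod 0755 {} +
    find "$d" -type f -exec chmod 0444 {} +
    chmod 0464 "$d/sitemap.xml"                  # expected: allowlisted below
    chmod 2775 "$d/wp-content/uploads" "$d/wp-content/uploads/2024"  # expected
    chmod 0464 "$d/wp-config.php"                # planted mistake: group-writable
    chmod 0777 "$d/wp-content/plugins"           # planted mistake: world-writable
    gid=$(ls -dn "$d" | awk '{print $4}')
    out=$(find_writable "$d" "$(( $(id -u) + 1 ))" "$gid" \
        wp-content/uploads sitemap.xml | sed "s|^$d/||")
    rm -rf "$d"
    printf '%s\n' "$out"
}
if [ "$#" -ge 2 ]; then audit_webroot "$@"; else demo; fi
```

Saved under a name of your choice, it can be run with the webroot, the account name and the allowlisted relative paths as arguments, for example `/var/www/www.example.com www-data wp-content/uploads sitemap.xml sitemap.xml.gz`; with no arguments it runs the demo. Allowlisted paths are passed to `find -path`, so glob characters in them are treated as patterns.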

Solution 3:

Even if you have only one website, compromising the Apache user will enable the hacker to change the files under /var/www if the folder is writable by the Apache user.

Solution 4:

I wouldn't see why not. If there is one site, this should be OK. But do mind that you might want to grant read-only to some files. (Well, whitelist if they need write access :) )