Monday, September 21, 2015

php - Struggling with proper way to setup Permissions on Linux/Apache Web Server



Your expert experience and assistance are greatly appreciated here.



I have been running a LAMP server for a long time, yet I still struggle with the best way to set file & directory permissions for FTP and WWW protocol activity.



My Control panel is WHM/cPanel (not that it makes a difference), and out-of-the box:





  • files are owned by the user account setup in WHM (eg, "abc")

  • files have a group setting of "abc" as well

  • file permissions are created with 644

  • directories are owned by "abc"

  • directories have a group setting of "abc"

  • directories permissions are created with 0755



Again, these are the default permission settings.




Now everything is fine with FTP activity, but please advise me if any of these file/directory settings create issues, especially with security.



Here's where my struggle comes into play. I have PHP apps that allow a visitor to create, edit, rename, delete, etc. sub-directories and files in certain selected directories. PHP runs as "nobody" on my server.



So in order to get my PHP/Web apps to work, I have had to:



chown nobody *
chgrp nobody *
chmod 0777 *



to everything in these certain & selected sub-directories.



I know this is probably a huge security hole (so don't ask me for any links :) but how should I set all the permissions to allow my FTP user to do his thing while allowing the PHP apps to do their thing while also "minimizing" any security risks and exposures? I know that big CMS systems like Drupal, Joomla, WordPress and so on, handle this.



Thanks ahead of time for reading through this and offering your expert advice!
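As an added illustration (not part of the original question or answer): the usual least-privilege alternative to `chown nobody` plus `chmod 0777` is a shared group. The FTP user keeps ownership, the web server user joins the group, directories get the setgid bit so new entries inherit that group, and nothing is world-writable. The group name "webshared" and the path names are assumptions; the user and group management steps need root and are kept in their own function.

```shell
#!/bin/sh
# Shared-group layout for a directory tree that both the FTP user and the
# web server user (the question's "abc" and "nobody") must write to.

# Step 1 (run as root): create the shared group, add both accounts to it,
# and give the tree to ftp_user:group. Group name is an assumed placeholder.
setup_shared_group() {
    ftp_user="$1"; web_user="$2"; group="$3"; dir="$4"
    getent group "$group" >/dev/null || groupadd "$group"
    usermod -a -G "$group" "$ftp_user"
    usermod -a -G "$group" "$web_user"
    chown -R "$ftp_user:$group" "$dir"
}

# Step 2: apply modes that need no root beyond owning the files.
# Directories: 2775 = rwxrwsr-x (setgid, so files created by either account
# inherit the shared group; no world write).
# Files: 664 = rw-rw-r-- (owner and group write; world read only).
# Note: setgid fixes the group of new files, not their mode. PHP code that
# creates files should use 0664 (or a umask of 002) so the FTP user can
# still edit them afterwards.
harden_tree() {
    dir="$1"
    find "$dir" -type d -exec chmod 2775 {} +
    find "$dir" -type f -exec chmod 664 {} +
}

# Audit helper: number of world-writable entries under a tree.
# 0 means the 0777 problem from the question is gone.
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Audit helper: 0 if the directory itself is exactly 2775, non-zero otherwise.
is_hardened_dir() {
    [ -n "$(find "$1" -maxdepth 0 -type d -perm 2775)" ]
}
```

Run `harden_tree` only on the selected upload directories, never on the whole document root; code and configuration files should stay 644/755 as in the defaults listed above.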


Answer



Check this posting from yesterday. It's a useful way to allow both FTP and Apache access to the same files, without either messing with groups or "777" files.

