What are the best methods for permissions for directories supporting Apache?

Sometimes I want to allow users to upload files through Apache. There are two different ways I could set permissions so that Apache can write downloaded files to a directory.

  • I can get the Apache user to act as the owner of the directory so that it looks like this:

    drwxr-xr-x 2 www admin 68 Sep 24 2007 uploadedfiles

  • I can provide write permission for "others", where Apache is one of the others:

    drwxr-xrwx 35 egbert admin 1190 Mar 9 13:17 uploadedfiles

Is one of them safer than the other?

+6
unix apache permissions
5 answers

The most restrictive access, in this case exclusive access for www/admin with a permission mask of 0750, is always the most secure. Please note that with the permission mask above, users who are neither www nor admin members are not allowed to access the contents of the directory at all; this reduces the likelihood that an unauthorized party registered on the system will gain access to potentially confidential information uploaded by users.

Remember that on most *nix platforms you also have a third, extremely flexible option, i.e. setting an ACL using setfacl. An ACL is a superset of what can be achieved using regular permission bits and ownership methods. ACLs are an option when confronted with complex security settings (including permissions for each user, default owners, etc.), but you may need to first add acl to /etc/fstab in the mount options of the volume on which your directory is located (see man mount). You can use the ACL if two or more users need access to the directory in question without being members of, say, the admin group.

+4

Two questions are asked here: first, who else (if anyone) needs access to these files? If there are other processes that act on these files, who do they run as, and how will they interact with the selected solution? If there are no other processes or users that access the files, I would make the apache user the owner, as that is all that is needed, and this follows one of the oldest security principles: only those who need access to something have it.

+2

If the system is used for other purposes, you should probably avoid granting permissions through "others". Granting permission here basically means that everything that runs on this computer, or has access to this computer, will have rights to these files.

In addition, you can create an additional group, make apache and those in the admin group members of it, change the directory's group to this group, and grant permissions to this group. If you are using a group, you probably also need to set the setgid bit on the directory. When the setgid bit is set, any files created will receive the same group as the parent directory.

+1
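The mode-bit conditions raised in these answers (write access for "others", read access for "others", a group-writable directory without setgid) can be checked with a short script. This is an added example, not part of the original thread; the scratch directories and the finding labels are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an upload directory's mode bits (labels are made up).

# has_perm DIR MODE: succeeds if every bit in MODE is set on DIR.
# "find -prune -perm -MODE" is POSIX, avoiding GNU/BSD stat differences.
has_perm() {
    [ -n "$(find "$1" -prune -perm "-$2" -print 2>/dev/null)" ]
}

# audit_upload_dir DIR: prints space-separated findings, or "ok".
# Exit status: 0 clean, 1 findings, 2 not a directory.
audit_upload_dir() {
    dir=$1
    findings=""
    [ -d "$dir" ] || { echo "not-a-directory"; return 2; }
    # Option 2 in the question: any local account can create files here.
    has_perm "$dir" 0002 && findings="$findings others-write"
    # Others can list the directory and reach the files inside it.
    has_perm "$dir" 0005 && findings="$findings others-read"
    # Group-writable without setgid: new files keep the creator's own group.
    if has_perm "$dir" 0020 && ! has_perm "$dir" 2000; then
        findings="$findings group-write-no-setgid"
    fi
    if [ -z "$findings" ]; then
        echo "ok"
    else
        echo "${findings# }"
        return 1
    fi
}

# Constructed demo: scratch directories standing in for real upload dirs.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/option2" "$tmp/option1" "$tmp/strict" "$tmp/shared"
    chmod 0757 "$tmp/option2"   # drwxr-xrwx, as in the question
    chmod 0755 "$tmp/option1"   # drwxr-xr-x, as in the question
    chmod 0750 "$tmp/strict"    # the 0750 mask from the first answer
    chmod 2770 "$tmp/shared"    # shared group plus setgid
    for d in option2 option1 strict shared; do
        printf '%s: %s\n' "$d" "$(audit_upload_dir "$tmp/$d" || true)"
    done
    rm -rf "$tmp"
}
demo
```
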

The general rule with security is least privilege. You want to use the lowest possible permissions. In this case, the first option (writable by apache) means that the directory can only be written to if your system is compromised through the apache user, while with option 2 (writable by everyone), any account can be compromised and write to the directory. In this case, I would go with option one:

drwxr-xr-x 2 www admin 68 Sep 24 2007 uploadedfiles

+1

Granting read access to others is also a security risk. For example, WordPress has a file containing the database username and password.

+1