NYCPHP Meetup

[nycphp-talk] Webserver file access

Kenneth Dombrowski kenneth at ylayali.net
Fri Aug 17 12:45:14 EDT 2007


On 07-08-17 07:35 -0700, Donna Marie Vincent wrote:
> Does this sound unreasonable, or is it just me?

updating a web site should not require root 

but, since you do have root on the server, you can do this: 

1. if your site is not owned by a dedicated user + group, I would
recommend setting it up; it is easy to do.  Start by creating a
non-system user & group (this varies with different OSes), on most
linux distros this should do it: 

$ sudo useradd -d /var/www/example.com example

then: 

$ sudo chown -R example:example /var/www/example.com 

i don't give my site users (e.g. "example") passwords, they have no need
to log in interactively.  the -d flag to useradd sets the directory to
use for the user's $HOME, and the -R flag to the chmod command
recursively sets owner:group properties of all files & directories below
the path specified 


2. add yourself to the website user's primary group

$ sudo vi /etc/group 

add your username to the "example" group:

example:x:1001:donna 


3. make sure your website files are group writeable 

$ sudo find /var/www/example.com -type d -exec chmod 2775 '{}' \; 
$ sudo find /var/www/example.com -type f -exec chmod 0664 '{}' \; 

the first command recursively makes all directories group writable, and
traversable + readable by everyone (incl. the user your apache runs as),
and sets the "sticky group" bit, I think it's called, so new files and
directories will be owned by the containing directory's gid (rather than
the gid of the user doing the writing) 

the second command recursively makes all files group writable and
readable by everyone.  if you have any command line or cgi scripts which
need to be executable, you will have to restore the -x bit

$ sudo chmod 0775 /var/www/example.com/scripts/myscript.pl 

note all users with an account on the machine will be able to read the
files as well, but since apache must have access in any case, there's
really no way around that; at least for the files that make up your
site.  for files apache does not need access to, replace the last bit
with zero in any of the octets above

$ sudo chmod 2770 /var/www/example.com/privatedir 


3. you can now upload directly to the file's final destination.  you can
create a symlink from your $HOME to the site's root directory if it makes 
it easier 

$ cd && ln -s /var/www/example.com 

you now also have a mechanism in place to allow other developers to
update the site without giving away root: just add them to the group 


finally, I agree with Chris that anybody doing serious work should be
using version control, but that is the next step, first you should have
your file permissions in order , and a reasonably good understanding of
what the commands above do, and why you want to do it.  also, use sudo. 

hth, 
kenneth 





More information about the talk mailing list