jonesypeter
Posts: 83
Joined: Fri Aug 02, 2013 3:07 pm

/var/www/html permissions

Fri Jul 22, 2016 5:00 pm

Hello,

I have setup an Apache / PHP / MySQL server on my Raspberry Pi 3.

My issue is with permissions. I have searched the web and can't seem to find a clear answer. There seem to many different suggestions.

I want to be able to be able to save files in this directory and any sub folder I create in the future, and use FileZilla to be able to transfer files from my developer machine (I'm connecting via SFTP).

In the future this will be outward facing so I need it to be secure as well. I assume I use a combination of CHOWN and CHMOD?

Thanks in advance

ChownClown32
Posts: 1
Joined: Fri Jul 22, 2016 5:07 pm

Re: /var/www/html permissions

Fri Jul 22, 2016 5:27 pm

Hello,

I've never setup an FTP (or SFTP) server, so I'm not sure about FileZilla's access to the folder.

However, if you use sudo chmod -R 777 /var/www/html, the folder AND any new subfolders should be accessible.
For FileZilla, my guess is that you will have to create a user dedicated to FileZilla and then allow that user access to /var/www/html.

Best of Luck,
ChownClown32

pksato
Posts: 273
Joined: Fri Aug 03, 2012 5:25 pm
Location: Brazil

Re: /var/www/html permissions

Fri Jul 22, 2016 6:56 pm

Hi,
Its is simple.
On normal situation, http daemon run as some user and group, www-data on debian (raspbian).
Standard html files are stored on /var/www/, owned by root:root, with permissive permission, all can read, but only root can write.
To ordinary user write to /var/www need to takeover it. Supposed the use is pi.
sudo chown -R pi:www-data /var/www
Also, need to set user and group permission:
sudo chmod u+rxw,g+rx-w,o-rwx /var/www
Now, /var/www can be read,write and chdir by user pi, group www-data can chdir and read. Other not have access.
sudo chmod g+s /var/www
Any new file created on /var/www belong to group www-data.
If have files on /var/www, change user and group, and allow to group www-data read.
For file chmod u+rw,g+r-xw,o-rwx
For directory chmod u+rwx,g+rx-w,o-rxw
Now, user pi can manipulate files on /var/www and httpd can read, but not write.

User avatar
rpdom
Posts: 11808
Joined: Sun May 06, 2012 5:17 am
Location: Essex, UK

Re: /var/www/html permissions

Fri Jul 22, 2016 7:12 pm

Much easier to add user pi to group www-data, then pi can write to /var/www/html/ without mangling the permissions on the files.

User avatar
jojopi
Posts: 3007
Joined: Tue Oct 11, 2011 8:38 pm

Re: /var/www/html permissions

Fri Jul 22, 2016 8:04 pm

rpdom wrote:Much easier to add user pi to group www-data, then pi can write to /var/www/html/ without mangling the permissions on the files.
No. Firstly, that is not easier. The default ownership of /var/www/html is root:root, so adding pi to group www-data achieves nothing unless you also "mangle" the permissions.

Secondly, if you are going to change the permissions so the webmaster does not have to be root, it is much better to avoid giving Apache itself write access to the files it is serving. In the event of any minor exploit down the line, someone will replace your website with an "pwned by" message.

So, the files should not be owned by user www-data, and should be readable but not writeable by group www-data. pksato's solution is ideal, and there is no benefit to adding pi to the group.

(If none of the files are sensitive then they can also be made readable to all, and you do not need to worry as much about getting them in the right group.)

jonesypeter
Posts: 83
Joined: Fri Aug 02, 2013 3:07 pm

Re: /var/www/html permissions

Tue Jul 26, 2016 8:39 am

Thanks for all the replies.

I thought sudo chown -R pi:www-data /var/www adds user pi to the www-data group??


Are there any issues with doing it this way:

sudo chown www-data:www-data /var/www
Now we will allow the “www-data” group permission to write to this directory.

sudo chmod 775 /var/www
Finally we can add the “Pi” user to the “www-data” group.

sudo usermod -a -G www-data pi

Peter

User avatar
jojopi
Posts: 3007
Joined: Tue Oct 11, 2011 8:38 pm

Re: /var/www/html permissions

Tue Jul 26, 2016 5:28 pm

jonesypeter wrote:Are there any issues with doing it this way:
sudo chown www-data:www-data /var/www
That is really not the best. There appears to be a common misconception that everything to do with the web should be owned by www-data. Actually it is quite the opposite.

The purpose of Apache running as its own user, and group, is to limit the damage that an attacker can do if there is a security flaw with it or your PHP applications. The www-data user has a shell of "nologin", no access to sudo, is not a member of any groups except its own, and does not own any files or even its own home directory /var/www. Basically it cannot write to anything except /tmp. As far as possible, you want to keep it that way.

Your web site files in /var/www/html should be owned by the user who normally edits them, which may as well be "pi". That will make maintaining the site perfectly convenient. Apache needs to be able to read the files, but it should not be able to write to them.

(Now, in some cases you may need to give www-data write access to specific subdirectories. For instance, if your web site includes a form where users can upload files, and the files are too big to simply store in the mysql database, you may need to write them to disk. Or if part of your site is self modifying, like a wiki, www-data will need to be able to write to that. Any writeable parts should be kept as separate as possible, and preferably not publicly visible.)
I thought sudo chown -R pi:www-data /var/www adds user pi to the www-data group??
"chown user:group …" sets the user and group ownership of files. Then you can set separate permissions for the user, group members, and others using chmod.

I do not understand how the idea of adding pi or other users to the www-data group became so pervasive. It is certainly never necessary, and I am not sure it is ever more convenient. Even in complex cases, such as wanting multiple people to be able to edit the same site, it would be better to create a dedicated group for the purpose, rather than overloading www-data.

rpiuser2016
Posts: 42
Joined: Tue Jan 12, 2016 1:53 pm

Re: /var/www/html permissions

Fri Nov 17, 2017 10:52 am

I am also having a problem with permittions to /var/www/html

I have a simple task, that makes a snapshot from local camera and moves it to /var/www/html/images:

Code: Select all

#!/bin/bash
/usr/bin/raspistill -w 800 -h 600 -ae 32,0xff,0x808000 -a 8 -a "Localcam %Y-%m-%d %X" -o /var/www/html/images/localsnap.jpg
Then I am starting this task from bash:

Code: Select all

/usr/bin/raspistill -w 800 -h 600 -ae 32,0xff,0x808000 -a 8 -a "Localcam %Y-%m-%d %X" -o /var/www/html/images/localsnap.jpg
,
everything is fine, but then I am trying to start this script via crontab -e using this:

Code: Select all

*/5 * * * *  /home/pi/smartdacha/localsnap.bash
I am receiving a dead.letter:

Code: Select all

mmal: main: Error opening output file: /var/www/html/images/localsnap.jpg~
No output file will be generated
Why?

PS users PI and ROOT added to a group www-data

rpiuser2016
Posts: 42
Joined: Tue Jan 12, 2016 1:53 pm

Re: /var/www/html permissions

Mon Nov 20, 2017 10:30 am

So, the right answer is:

Code: Select all

*/5 * * * *  sudo /home/pi/smartdacha/localsnap.bash

User avatar
RaTTuS
Posts: 9587
Joined: Tue Nov 29, 2011 11:12 am
Location: North West UK

Re: /var/www/html permissions

Mon Nov 20, 2017 11:19 am

rpiuser2016 wrote:
Mon Nov 20, 2017 10:30 am
So, the right answer is:

Code: Select all

*/5 * * * *  sudo /home/pi/smartdacha/localsnap.bash
no
the right answer is
sudo crontab -e
and use the roots crontab if it really has to be run as root
or
make the file /var/www/html/images/localsnap.jpg owned by pi

you dont really want to use sudo in a crontab IMO
How To ask Questions :- http://www.catb.org/esr/faqs/smart-questions.html
WARNING - some parts of this post may be erroneous YMMV

1QC43qbL5FySu2Pi51vGqKqxy3UiJgukSX
Covfefe

rpiuser2016
Posts: 42
Joined: Tue Jan 12, 2016 1:53 pm

Re: /var/www/html permissions

Mon Nov 20, 2017 11:43 am

Code: Select all

*/5 * * * *  root /home/pi/smartdacha/localsnap.bash
Like this?

User avatar
RaTTuS
Posts: 9587
Joined: Tue Nov 29, 2011 11:12 am
Location: North West UK

Re: /var/www/html permissions

Mon Nov 20, 2017 12:59 pm

no
sudo crontab -e
*/5 * * * * /home/pi/smartdacha/localsnap.bash
it will run as root as
sudo contrab -e edit the roots crontab
How To ask Questions :- http://www.catb.org/esr/faqs/smart-questions.html
WARNING - some parts of this post may be erroneous YMMV

1QC43qbL5FySu2Pi51vGqKqxy3UiJgukSX
Covfefe

User avatar
DougieLawson
Posts: 30430
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK
Contact: Website

Re: /var/www/html permissions

Mon Nov 20, 2017 4:08 pm

rpiuser2016 wrote:
Mon Nov 20, 2017 11:43 am

Code: Select all

*/5 * * * *  root /home/pi/smartdacha/localsnap.bash
Like this?
That works if you create it in /etc/cron.d
Microprocessor, Raspberry Pi & Arduino Hacker
Mainframe database troubleshooter
MQTT Evangelist
Twitter: @DougieLawson

Since 2012: 1B*5, 2B*2, B+, A+, Zero*2, 3B*3

Please post ALL technical questions on the forum. Do not send private messages.

Return to “Beginners”

Who is online

Users browsing this forum: Bing [Bot] and 46 guests