jonesypeter
Posts: 83
Joined: Fri Aug 02, 2013 3:07 pm

/var/www/html permissions

Fri Jul 22, 2016 5:00 pm

Hello,

I have set up an Apache / PHP / MySQL server on my Raspberry Pi 3.

My issue is with permissions. I have searched the web and can't seem to find a clear answer. There seem to be many different suggestions.

I want to be able to save files in this directory and any sub folder I create in the future, and use FileZilla to be able to transfer files from my developer machine (I'm connecting via SFTP).

In the future this will be outward facing so I need it to be secure as well. I assume I use a combination of CHOWN and CHMOD?

Thanks in advance

ChownClown32
Posts: 1
Joined: Fri Jul 22, 2016 5:07 pm

Re: /var/www/html permissions

Fri Jul 22, 2016 5:27 pm

Hello,

I've never set up an FTP (or SFTP) server, so I'm not sure about FileZilla's access to the folder.

However, if you use sudo chmod -R 777 /var/www/html, the folder AND any new subfolders should be accessible.
For FileZilla, my guess is that you will have to create a user dedicated to FileZilla and then allow that user access to /var/www/html.

Best of Luck,
ChownClown32

pksato
Posts: 273
Joined: Fri Aug 03, 2012 5:25 pm
Location: Brazil

Re: /var/www/html permissions

Fri Jul 22, 2016 6:56 pm

Hi,
It is simple.
In a normal situation, the http daemon runs as some user and group, www-data on Debian (Raspbian).
Standard html files are stored in /var/www/, owned by root:root, with permissive permissions: all can read, but only root can write.
For an ordinary user to write to /var/www, they need to take it over. Suppose the user is pi.
sudo chown -R pi:www-data /var/www
Also, you need to set the user and group permissions:
sudo chmod u+rxw,g+rx-w,o-rwx /var/www
Now /var/www can be read, written and chdir'd into by user pi; group www-data can chdir and read. Others have no access.
sudo chmod g+s /var/www
Any new file created in /var/www belongs to group www-data.
If there are already files in /var/www, change their user and group, and allow group www-data to read.
For files: chmod u+rw,g+r-xw,o-rwx
For directories: chmod u+rwx,g+rx-w,o-rxw
Now user pi can manipulate files in /var/www and httpd can read, but not write.

rpdom
Posts: 11566
Joined: Sun May 06, 2012 5:17 am
Location: Essex, UK

Re: /var/www/html permissions

Fri Jul 22, 2016 7:12 pm

Much easier to add user pi to group www-data, then pi can write to /var/www/html/ without mangling the permissions on the files.

jojopi
Posts: 2993
Joined: Tue Oct 11, 2011 8:38 pm

Re: /var/www/html permissions

Fri Jul 22, 2016 8:04 pm

rpdom wrote: Much easier to add user pi to group www-data, then pi can write to /var/www/html/ without mangling the permissions on the files.
No. Firstly, that is not easier. The default ownership of /var/www/html is root:root, so adding pi to group www-data achieves nothing unless you also "mangle" the permissions.

Secondly, if you are going to change the permissions so the webmaster does not have to be root, it is much better to avoid giving Apache itself write access to the files it is serving. In the event of any minor exploit down the line, someone will replace your website with a "pwned by" message.

So, the files should not be owned by user www-data, and should be readable but not writeable by group www-data. pksato's solution is ideal, and there is no benefit to adding pi to the group.

(If none of the files are sensitive then they can also be made readable to all, and you do not need to worry as much about getting them in the right group.)

jonesypeter
Posts: 83
Joined: Fri Aug 02, 2013 3:07 pm

Re: /var/www/html permissions

Tue Jul 26, 2016 8:39 am

Thanks for all the replies.

I thought sudo chown -R pi:www-data /var/www adds user pi to the www-data group??
Are there any issues with doing it this way:

sudo chown www-data:www-data /var/www
Now we will allow the “www-data” group permission to write to this directory.

sudo chmod 775 /var/www
Finally we can add the “Pi” user to the “www-data” group.

sudo usermod -a -G www-data pi

Peter

jojopi
Posts: 2993
Joined: Tue Oct 11, 2011 8:38 pm

Re: /var/www/html permissions

Tue Jul 26, 2016 5:28 pm

jonesypeter wrote: Are there any issues with doing it this way:
sudo chown www-data:www-data /var/www
That is really not the best. There appears to be a common misconception that everything to do with the web should be owned by www-data. Actually it is quite the opposite.

The purpose of Apache running as its own user, and group, is to limit the damage that an attacker can do if there is a security flaw with it or your PHP applications. The www-data user has a shell of "nologin", no access to sudo, is not a member of any groups except its own, and does not own any files or even its own home directory /var/www. Basically it cannot write to anything except /tmp. As far as possible, you want to keep it that way.

Your web site files in /var/www/html should be owned by the user who normally edits them, which may as well be "pi". That will make maintaining the site perfectly convenient. Apache needs to be able to read the files, but it should not be able to write to them.

(Now, in some cases you may need to give www-data write access to specific subdirectories. For instance, if your web site includes a form where users can upload files, and the files are too big to simply store in the mysql database, you may need to write them to disk. Or if part of your site is self modifying, like a wiki, www-data will need to be able to write to that. Any writeable parts should be kept as separate as possible, and preferably not publicly visible.)
jonesypeter wrote: I thought sudo chown -R pi:www-data /var/www adds user pi to the www-data group??
"chown user:group …" sets the user and group ownership of files. Then you can set separate permissions for the user, group members, and others using chmod.

I do not understand how the idea of adding pi or other users to the www-data group became so pervasive. It is certainly never necessary, and I am not sure it is ever more convenient. Even in complex cases, such as wanting multiple people to be able to edit the same site, it would be better to create a dedicated group for the purpose, rather than overloading www-data.
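As an added example (written for this edit, not posted by anyone in the thread), a POSIX shell helper that applies pksato's scheme (editor owns the tree, the server's group can only read, setgid on directories) and jojopi's advice that any server-writable area is a separate, explicitly chosen subdirectory. The function and variable names are hypothetical; it assumes GNU find/stat and is shown on a scratch directory rather than /var/www.

```shell
#!/bin/sh
# Hypothetical helper: harden a web root the way pksato and jojopi describe.
# OWNER is the person who edits the site (e.g. pi); WEBGROUP is the group the
# http daemon runs as (www-data on Debian/Raspbian).
set -eu

# harden_webroot ROOT OWNER WEBGROUP [WRITABLE_SUBDIR]
harden_webroot() {
  root=$1; owner=$2; webgroup=$3; writable=${4:-}
  chown -R "$owner:$webgroup" "$root"
  # directories: owner rwx, group r-x, others nothing; setgid (2) so new
  # files inherit WEBGROUP (pksato's "chmod g+s")
  find "$root" -type d -exec chmod 2750 {} +
  # files: owner rw, group r, others nothing (pksato's u+rw,g+r-xw,o-rwx)
  find "$root" -type f -exec chmod 640 {} +
  if [ -n "$writable" ]; then
    # the one place the daemon may write (uploads, wiki data, ...), kept
    # separate from the served files as jojopi recommends
    mkdir -p "$root/$writable"
    chown "$owner:$webgroup" "$root/$writable"
    chmod 2770 "$root/$writable"
  fi
}

# count_writable_by_server ROOT [WRITABLE_SUBDIR]
# Audit: number of paths under ROOT that are group- or world-writable,
# ignoring the allowed subdirectory. Expect 0 after hardening.
count_writable_by_server() {
  root=$1; writable=${2:-}
  if [ -n "$writable" ]; then
    find "$root" -path "$root/$writable" -prune -o -perm /022 -print | wc -l | tr -d ' '
  else
    find "$root" -perm /022 -print | wc -l | tr -d ' '
  fi
}
```

Run the audit function again after each deployment; anything it lists outside the upload directory is a file Apache could modify if a PHP application were compromised.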
