Permission on /var/www folder

Posted by zeromaster 
December 04, 2015 07:39AM
Hello everyone!

I need to know if making www-data owner of the full /var/www map with the following permissions is safe;

When I do ls -l in my var/www map I get the following results;
drwxr-sr-x 5 www-data www-data 4096 site1
drwxr-sr-x 5 www-data www-data 4096 site2
drwxr-sr-x 5 www-data www-data 4096 site3
drwxr-sr-x 5 www-data www-data 4096 site4
drwxr-sr-x 2 www-data www-data 4096 HTML

My last site was hacked so I want to be sure this time.

Used the following commands (Ubuntu)
sudo chown -R www-data:www-data /var/www
sudo chmod 0755 -R /var/www
sudo chmod g+s -R /var/www



Edited 2 time(s). Last edit at 12/04/2015 07:45AM by zeromaster.
Re: Permission on /var/www folder
December 05, 2015 10:12AM
It is safe, as only the owner has write permissions. Of course, nothing is safe, if the scripts (Perl, PHP, etc.) you run on it are unsafe. May I ask, why the sticky bit (+s)?



Edited 1 time(s). Last edit at 12/05/2015 10:12AM by Fastidious.
Re: Permission on /var/www folder
December 05, 2015 11:39AM
Owner != nginx
nginx only read rights

If nginx runs as owner with rw rights you're allowing too much.

---
nginx for Windows http://nginx-win.ecsds.eu/
Re: Permission on /var/www folder
December 09, 2015 06:32AM
Fastidious Wrote:
-------------------------------------------------------
> It is safe, as only the owner has write permissions. Of course,
> nothing is safe, if the scripts (Perl, PHP, etc.) you run on it are
> unsafe. May I ask, why the sticky bit (+s)?


What do you mean with sticky bit (+s)? I'm sorry to ask, but I'm not experienced enough with permissions, that's why I ask my question here. I want to be sure it is safe.
Re: Permission on /var/www folder
December 09, 2015 06:33AM
itpp2012 Wrote:
-------------------------------------------------------
> Owner != nginx
> nginx only read rights
>
> If nginx runs as owner with rw rights you're allowing too much.


So is this setup safe or not, because I don't really understand what you are saying haha.
Re: Permission on /var/www folder
December 09, 2015 06:55AM
zeromaster Wrote:
-------------------------------------------------------
> itpp2012 Wrote:
> -------------------------------------------------------
> > Owner != nginx
> > nginx only read rights
> >
> > If nginx runs as owner with rw rights you're allowing too much.
>
>
> So is this setup safe or not, because I don't really understand what
> you are saying haha.

If you don't know what you're doing, hire someone who does. There are already too many systems out there getting hacked due to the lack of simple secure management and its basic understanding.

---
nginx for Windows http://nginx-win.ecsds.eu/
Re: Permission on /var/www folder
December 12, 2015 07:13AM
itpp2012 Wrote:
-------------------------------------------------------
> zeromaster Wrote:
> -------------------------------------------------------
> > itpp2012 Wrote:
> > -------------------------------------------------------
> > > Owner != nginx
> > > nginx only read rights
> > >
> > > If nginx runs as owner with rw rights you're allowing too much.
> >
> >
> > So is this setup safe or not, because I don't really understand
> > what you are saying haha.
>
> If you don't know what you're doing, hire someone who does. There are
> already too many systems out there getting hacked due to the lack of
> simple secure management and its basic understanding.

Well thanks for this helpful answer..
You are telling me the owner shouldn't be Nginx, but in my setup www-data (nginx) is the owner. So how and in what should I change it?
Re: Permission on /var/www folder
December 12, 2015 07:47AM
zeromaster Wrote:
-------------------------------------------------------
> Well thanks for this helpful answer..
> You are telling me the owner shouldn't be Nginx, but in my setup
> www-data (nginx) is the owner. So how and in what should I change it?

Remove the write/exec right(s) from all objects except the ones it really needs like logfiles/pid.
In normal operation nginx should not be allowed to write anything anywhere.

---
nginx for Windows http://nginx-win.ecsds.eu/
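
The advice in the last reply (content not owned by nginx, nginx read-only), as an added shell example that is not part of any post in the thread. It assumes the nginx workers run as www-data, as in the question; the "deploy" owner account and both function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: nginx workers run as
# www-data (as in the question); "deploy" is a hypothetical non-nginx
# account that owns the content.

# audit_webroot ROOT SERVER_USER SERVER_GROUP
# Prints every path under ROOT that the server account could modify:
#   - anything it owns (an owner can always chmod write access back),
#   - anything group-writable by its group,
#   - anything world-writable.
# Symlinks are skipped because their own mode bits are not meaningful.
audit_webroot() {
    find "$1" ! -type l \( \
        -user "$2" \
        -o \( -group "$3" -perm -0020 \) \
        -o -perm -0002 \
    \) -print | sort
}

# lock_down ROOT OWNER SERVER_GROUP
# Gives the content to OWNER, lets SERVER_GROUP read and traverse only,
# and removes all access for everyone else.
lock_down() {
    chown -R "$2:$3" "$1" &&
    chmod -R u=rwX,g=rX,o= "$1"
}

# Typical use as root on the layout from the question:
#   audit_webroot /var/www www-data www-data
#   lock_down     /var/www deploy   www-data
#   audit_webroot /var/www www-data www-data   # should now print nothing
```

Directories a site must write to at runtime (uploads, caches) need a separate, deliberate exception after `lock_down`; the audit will keep listing them so they stay visible.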