How to properly set permissions on the web server?

K

karpo5182020-04-07 13:34:54

linux

karpo518, 2020-04-07 13:34:54

After installing the web server, I got used to assigning the owner of the directory containing the site files to the apache/nginx user. That is, if the sites are in /home/user1/www, then I install the nginx user1 user.
It has always saved me a lot of problems. I use only one user, so there have been no problems with this scheme before. However, I understand that such a scheme cannot work correctly for multiple users. Now I'm once again setting up a server on ubuntu + vestacp and I want to do everything "correctly". I left the default user in nginx and ran into the following problems:

1. Folders on the site should be assigned permissions 755. Such permissions do not allow the www-data user to edit and delete files. You can add the www-data user to the user1 group, but you will need to change the permissions on the folders/files to 775/664. Is this correct in terms of web server security?

2. The site engine also creates files, and these files will be owned by www-data. It would be convenient for me to be able to edit these files on behalf of my user. How to achieve this? Now it turns out that I also need to add user1 to the user1 group and vice versa and make sure that the engine also creates folder files with the correct permissions (775/664). I would like to point out that this may not be possible for boxed CMS. But I will only ask how such a system of rights is correct from the point of view of a web server administrator.

3. I needed to run bash commands using the shell_exec php function and I found that the LC_ALL variable for commands launched in this way was not set. I was able to set the value for both root and user1, but there was a problem with the www-data user. I put .bashrc with the export of the necessary variables in the /var/www folder, set /etc/default/locale. But nothing helped. I was prompteduse /etc/environment, but, as I understand it, this is not the best parctices at all, so I preferred to use the setlocale php function to set LC_ALL. The problem is that this function only sets the variable for the PHP environment. The variable in bash remains inaccessible. There may be a way to set a temporary environment variable for bash with shell_exec before executing the actual command, but I haven't figured out how to do it.

So how do you eventually set the rights correctly so that there are no problems with file access, and the LC_ALL variable is not empty?

Reply

Answer the question

In order to leave comments, you need to log in

2 answer(s)

O

OnYourLips, 2020-04-07
@OnYourLips

1. Don't care. If the malicious code has penetrated so much that it has penetrated into your application and can execute the code, then it makes no sense to restrict access to files for writing, everything is already as bad as possible.
2. The most correct decision - the engine should not create files. Use dedicated storage. Even WordPress can do this through plugins: https://ru.wordpress.org/plugins/amazon-s3-and-clo...
All code generation caches, if any. warm up beforehand.
3. shell_exec("LC_ALL=<value> <command>");
But it is correct not to use such an interaction interface.

Since in the end it is correct to configure the rights in order to

Correctly not to rake up consequences of a problem. and fix the problem.
I recommend completely restricting write access to all directories and files in the project in order to detect the problem as early as possible. Use repositories for all file saves.

G

Germanjon, 2020-04-07
@Germanjon

1. And how important is it to give rights to 775/664? If my memory serves me, they are issued for several necessary folders, and let the rest sit 755/644.
2. What prevents "point" to change the access rights only to the necessary files before editing?
3. Add a line to the running bash script that sets the desired locale (via export for example) or run the command like this " LC_ALL=somecomand locale "