muhasa, 2020-05-15 03:10:33
linux

Understanding access rights to folders inside the Apache web server on Ubuntu: how do I reconcile my user and www-data?

I am not an admin at all. Following the instructions from Digital Ocean, I assembled my servers for very local tasks and then ran into strange behavior: I did something wrong in following the instructions, and now I have a conflict between the system user and the www-data web server user.

The essence: a standard Apache is configured, there is a folder /var/www, and inside it the site folders.
There is a user muhasa, and there is a user www-data.

If the folders are created by the muhasa user, then the web server cannot write to the site folders, since it has no write permissions.
If the folders are given to the user www-data, then muhasa, under which I always work, cannot create anything there with git or composer.
In one instruction I read that the www-data user should be added to the muhasa group; in another, on the contrary, that muhasa should be added to the www-data group. I did it first one way, then the other, and scratched my head: how is it canonically correct?
From the point of view of security, or of some other factors that I, as a neophyte in server matters, cannot know about.
You can link to a suitable instruction / article.

4 answer(s)
hint000, 2020-05-15
@hint000

how is it canonically correct?
The correct way is whichever minimizes unforeseen problems.
muhasa is essentially an admin, and in theory the rights of that user (and of his group) may extend to parts of the system where the web server does not need access. So adding www-data to the muhasa group is risky. You need to add muhasa to the www-data group.
Now a different situation. Let's say there is still the same muhasa admin. But besides him there is pupkin, a user with minimal rights, who still needs access to just one of the folders inside /var/www: his site. If you add pupkin to the www-data group, then this Pupkin can destroy someone else's site or gain access to someone else's data. In this case, on the contrary, it is safer to add www-data to the pupkin group.
Now you understand that there is no universal, canonical option; it depends on the context. Therefore, admins cannot write instructions for all cases.

Sanes, 2020-05-15
@Sanes

Run PHP properly and there will be no problems with permissions.
FastCGI, PHP-FPM, Apache mpm-itk.

AUser0, 2020-05-15
@AUser0

For this, a special Apache module called mod_suexec was invented; it is exactly your case: "run a specific site under the specified user".

Alexey Sundukov, 2020-05-21
@alekciy

I'll supplement hint000's answer a bit. If you are already worried about security, then you need to run the backend (for example, PHP) under the owner's account (for example, via PHP-FPM). In your case that is muhasa. The web server (for example, nginx) runs as its own user and has read-only rights. In this case the web server user is added to all the users' groups.
As a result we get the following: the web server runs under its own personal account. The backend cannot start scripts from that account. Therefore one user cannot run a script that reads another user's files (for example, a file with the database passwords). It turns out extremely safe and easy to operate and configure.
In your case, you need to do this:

  1. install nginx;
  2. run PHP via php-fpm with muhasa's rights;
  3. add nginx to the muhasa group;
  4. for the /var/www/site_muhasa folder, set permissions to 2770.

You can link to a suitable instruction / article.

Well, here is the finished set of commands on the 28th slide. In general, the whole scheme is given here with examples: How to avoid Permission denied on project files and ...
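As an added example (not from this answer or the slides it links), a small Python script that implements steps 3 and 4 of the scheme above for one site directory: it audits the tree for deviations (wrong group, missing setgid bit, world or other-user access) and then applies 2770 to directories and 0660 to files with the site group. The 0660 file mode, the site path, and the use of a temp directory with the caller's own group in demo() are my assumptions so that it runs offline without root.

```python
# Audit and fix one site directory for the scheme above: backend runs as the
# owner, web server only joins the owner's group; dirs 2770, files 0660.
import os, stat, tempfile

DIR_MODE = 0o2770   # rwxrws---: setgid makes new entries inherit the group
FILE_MODE = 0o660   # rw-rw----: owner and the web-server group only (assumed)

def audit_site(root, site_gid):
    """Return (path, problem) pairs for entries that break the scheme."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue                       # permission bits of a symlink are meaningless
            mode = stat.S_IMODE(st.st_mode)
            if st.st_gid != site_gid:
                findings.append((path, "wrong group gid %d" % st.st_gid))
            if mode & stat.S_IWOTH:
                findings.append((path, "world-writable"))
            if stat.S_ISDIR(st.st_mode) and not mode & stat.S_ISGID:
                findings.append((path, "setgid missing, new files will not inherit the group"))
            if mode & stat.S_IRWXO:
                findings.append((path, "accessible to users outside the group"))
    return findings

def apply_site_permissions(root, site_gid):
    """Step 4 of the answer, recursively: chgrp to the site group, 2770 dirs, 0660 files."""
    for dirpath, _dirs, files in os.walk(root):
        os.chown(dirpath, -1, site_gid)        # -1 leaves the owner unchanged
        os.chmod(dirpath, DIR_MODE)
        for f in files:
            p = os.path.join(dirpath, f)
            if not os.path.islink(p):
                os.chown(p, -1, site_gid)
                os.chmod(p, FILE_MODE)

def demo():
    """Constructed sample tree in a temp dir; returns (findings_before, findings_after)."""
    root = tempfile.mkdtemp(prefix="site_muhasa_")   # stands in for /var/www/site_muhasa
    pub = os.path.join(root, "public")
    os.mkdir(pub)
    os.chmod(root, 0o755)                            # typical sloppy starting state
    os.chmod(pub, 0o777)
    cfg = os.path.join(pub, "config.php")            # would hold the DB credentials
    open(cfg, "w").close()
    os.chmod(cfg, 0o644)
    gid = os.stat(root).st_gid                       # site group; on a real box muhasa's gid
    before = audit_site(root, gid)
    apply_site_permissions(root, gid)
    return before, audit_site(root, gid)
```

On the real server, run it as the owner (muhasa) against the site directory with muhasa's gid; after the fix, files created by the PHP-FPM pool or by git and composer inherit the group through the setgid bit, which is what lets nginx read them.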
