linux
antobra, 2017-06-20 13:40:20

What rights and owner should be assigned to a folder for security if they are edited from a script?

Please advise how to do the following properly from a security point of view.
Given:

There is a folder /folder/website.ru/public_part_of_scripts = rights 755 and 644, owner www-data
There is a folder /folder/data/secret_files_with_passwords_etc = rights 755 and 644, owner www-data (available to the public part)
Files from /folder/data/ are owned by www-data, as they are edited from the script.

Problem: the security of files in the /folder/data folder, because in order to edit these same files from a script in a public folder, you have to make www-data the owner.
Question: How safe is this and what can be done to make it more secure?


1 answer(s)
Boris Korobkov, 2017-06-20
@antobra

No scripts, and especially not those in the public part, should be writable by www-data! Otherwise, someone will upload a backdoor. For scripts, make yourself the owner, and give www-data and nginx root read-only access.
If pictures are uploaded to a separate folder, let www-data have write permissions there. But properly configure nginx so that everything from this folder is served without executing PHP.
Store all other editable data in the database.
Obviously, this should not be on shared hosting, but on at least a VPS.
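
An added example, not part of the answer above and not either poster's code: a Python audit that lists every path under a web root that a given account can modify, so the layout discussed here can be checked after permissions are changed. The names `can_modify` and `audit` and the command-line form are assumptions; only owner and mode bits are examined, not ACLs.

```python
import os
import stat
import sys
from pathlib import Path


def can_modify(st, uid, gids):
    """Classic Unix mode-bit check; ACLs and root's override are ignored."""
    if st.st_uid == uid:
        return True  # the owner can always chmod write access back on
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit(root, uid, gids, writable_ok=()):
    """List paths under root that the account (uid, gids) can modify.

    Directories in writable_ok (for example an upload folder) are skipped.
    A writable directory is reported even if its files are read-only,
    because the account can still add or replace files inside it.
    """
    allowed = [Path(p).resolve() for p in writable_ok]
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath).resolve()
        if any(here == a or a in here.parents for a in allowed):
            dirnames[:] = []  # do not descend into an allowed writable tree
            continue
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are meaningless
            if can_modify(st, uid, gids):
                findings.append(path)
    return findings


if __name__ == "__main__":
    import pwd
    # Assumed usage: audit.py ROOT [WRITABLE_DIR ...]
    acct = pwd.getpwnam("www-data")  # the account named in the question
    groups = set(os.getgrouplist(acct.pw_name, acct.pw_gid))
    for hit in audit(sys.argv[1], acct.pw_uid, groups, sys.argv[2:]):
        print(hit)
```

An empty result for the script tree, with only the upload folder passed as an allowed writable directory, matches the ownership split the answer describes.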
