sKunKbad, posted June 30, 2008

I have figured out that if I CHOWN the /var/www directory that I can use Filezilla in SSH mode to move files back and forth easily from my home computer. Another person suggested that if Apache/PHP needs to write to a file in the www directory that it would no longer be able to. So, I'm guessing that CHOWNing the directory was the wrong thing to do, and wondering if I should join the www-data group, or what is the proper way of handling this? Was the person that suggested that Apache/PHP would no longer be able to write to the www directory correct?

trq, posted June 30, 2008

> what is the proper way of handling this? Was the person that suggested that Apache/PHP would no longer be able to write to the www directory correct?

Yes. However, joining the www-data group (the apache user group) isn't a good idea, nor is having /var/www owned by that group.

What I normally do is create a new group (www); I then chown /var/www to root:www and join the www group. I would then chmod /var/www 775. This gives you permission to write to the directory.

From there, I simply make any directories that need to be written to by PHP (file uploads, fwrite, etc.) owned by www-data. The fewer directories owned by this group the better.

sKunKbad, posted June 30, 2008

> ...www-data. The fewer directories owned by this group the better.

Is this because if a malicious user somehow got control of Apache they could overwrite anything in a directory that was owned by www-data?

trq, posted June 30, 2008

> > ...www-data. The fewer directories owned by this group the better.
>
> Is this because if a malicious user somehow got control of Apache they could overwrite anything in a directory that was owned by www-data?

Indeed.

steviewdr, posted July 1, 2008

Try using the chmod +t option so that any files created by anyone in /var/www are automatically created 775.

Note: not recommended. Use suPHP or suExec to have apache change owner etc.

See: http://wiki.kartbuilding.net/index.php/Chmod#Make_a_Sticky_Directory_or_File

-steve

trq, posted July 2, 2008

> Try using the chmod +t option so that any files created by anyone in /var/www are automatically created 775.

The +t option won't automatically make files 775. Permissions given to files are set by your umask setting.

Another option when working with groups of people is to set the group id bit so that all files / directories within will be owned by the same group, e.g.:

    sudo chown root:www /var/www
    sudo chmod 2775 /var/www

Now, if I (as user thorpe belonging to the group www) create any file / directory within /var/www it will be owned by thorpe:www, and providing my umask is set to 0002 (default on most systems) files will be 664 while dirs will be 2775 (same as /var/www).

steviewdr, posted July 3, 2008

Yes, I got my wires crossed badly there.

    chmod 2775 /var/www

or

    chmod g+s /var/www

I'm not so sure about the umask of 0002 being default. I think it could be 0022 for Debian and Ubuntu.

-steve

trq, posted July 3, 2008

> I'm not so sure about the umask of 0002 being default. I think it could be 0022 for Debian and Ubuntu.

Yeah, my bad. I meant 0022. I actually use 0077 these days without issue.
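
Added example (not written by any poster in this thread): a shell script that creates throwaway directories and reports the modes new files and subdirectories receive inside a setgid (2775) or sticky (1775) parent, under the three umask values mentioned above. It assumes Linux with GNU `stat`; the function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Linux with GNU stat.
# Works only inside throwaway temp directories; no root required.

# make_parent BITS: print the path of a fresh temp dir chmod'ed to BITS.
make_parent() {
    d=$(mktemp -d) || return 1
    chmod "$1" "$d" || return 1
    printf '%s\n' "$d"
}

# created_mode PARENT_BITS UMASK KIND: print the octal mode that a new
# "file" or "dir" receives when created inside a parent with PARENT_BITS.
created_mode() {
    parent=$(make_parent "$1") || return 1
    (
        umask "$2"
        if [ "$3" = dir ]; then
            mkdir "$parent/new"
        else
            : > "$parent/new"
        fi
    ) || { rm -rf "$parent"; return 1; }
    stat -c '%a' "$parent/new"
    rm -rf "$parent"
}

# report: table for the three umask values mentioned in the thread,
# plus one sticky-bit (+t) parent for comparison.
report() {
    for u in 0002 0022 0077; do
        printf 'parent 2775 umask %s: file=%s dir=%s\n' "$u" \
            "$(created_mode 2775 "$u" file)" "$(created_mode 2775 "$u" dir)"
    done
    # +t restricts who may delete entries; it does not alter created modes.
    printf 'parent 1775 umask 0022: file=%s dir=%s\n' \
        "$(created_mode 1775 0022 file)" "$(created_mode 1775 0022 dir)"
}

report
```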