ChenXiu Posted May 1, 2021 Share Posted May 1, 2021 After searching for a secure and decent-looking user/apache permission structure for my server's /var/www/html directory, I found an expert-looking answer on askubuntu . Now my directories and files are 760 and 640 respectively, with a "user:www-data" ownership, like this: 760 drwxrw-s--- Billybob:www-data html 640 -rw-r----- Billybob:www-data file.php It appears to work scrumptialiciously. Any previous permission/ownership structure I had presented problems, like php not having directory/file write permissions, or worse, I would not have permissions to write, etc.Question 1: What do you all think of this? Are there any pitfalls I'm overlooking?Question 2: On a shared server I'm on, all my directories and files are 755/644 with ownership at user:user (Billybob:Billybob). How the heck is PHP able to write to directories with this structure? ~ Thank You ~ p.s. please forgive my terrible english. I am not from around here. Quote Link to comment Share on other sites More sharing options...
requinix Posted May 1, 2021 Share Posted May 1, 2021 For both questions it depends on the server setup. Even with shared hosting there are multiple approaches. The questions you need answers to are: 1. What user is PHP running as? 2. What group is PHP running as? 3. Do you have a personal "billybob" group too? (Probably.) 4. What other groups do your user account belong to? On shared hosting, it's somewhat common for PHP to run under your own user account. It has exactly the same access to files and directories as you do. It sounds like that is the setup you have. If that's the case then there isn't much point messing around with permissions: you and PHP are the same user so it doesn't matter what group you assign. In fact, it's quite possible that by changing group ownership to www-data you're creating a problem, because if your account is also in the www-data group then that means other users on the server are probably also in the www-data group, and changing group ownership away from your own personal group you've decreased security. But that could easily not be true - I think it would be weird and unlikely that you are a member of www-data, but if you aren't then I don't know how you changed group ownership to it... Quote Link to comment Share on other sites More sharing options...
ChenXiu Posted May 5, 2021 Author Share Posted May 5, 2021 Thank you, here are the answers to your questions: When I log in as $USER ("BillyBob") and run <?php echo exec('whoami'); ?>Result: PHP is running as BillyBob When I log in as root and run <?php echo exec('whoami'); ?>Result: PHP is running as root When I run "groups php"Result: groups: ‘php’: no such user When I run grep php /etc/groupResult: (no result) When I run "groups BillyBob"Result: Billybob sudo www-data I am a member of www-data because I always add myself to www-data whenever I set up a server because that's what all the experts on the internet say to do and the internet is always right. I am also a member of AARP but that is a different story. To clarify (my english very poor) I have my own server but I also have a website on a shared hosting environment where every single file and every directory is owned by user/group "Billybob:Billybob" and I can't figure out how the heck on the shared hosting server PHP or Apache can run on everything on Billybob:Billybob files. (I don't 'need' to know, I'm just dying of curiosity). Did you know that there are over 1,000 tutorials on the internet on how to configure permissions ownership and groups on LAMP setups, and I have read every one of them and they are all different. Some moron expert will say to chmod everything to 777 and another expert will say to lock down everything so you can't even write files to your own server. I wish someone smart from the PHP Freak would please write the 5 steps it takes to do it right. I can do that for you. I can write out the 5 line program condensed from the 1,000 tutorials on how I set up my server and then you can criticise it to pieces and I will keep fixing it until you are happy as a pickle and then in the end we will have a wonderful easy 5 line system on how to set up an Apache Server that we can point to when someone asks the same question again in the future and we can say "do some research you silly person this question has already been asked and answered over here by Billybob." That will be fun and then my school will give me a mascot scarf and free ticket to the dance. Quote Link to comment Share on other sites More sharing options...
requinix Posted May 5, 2021 Share Posted May 5, 2021 35 minutes ago, ChenXiu said: When I log in as $USER ("BillyBob") and run <?php echo exec('whoami'); ?>Result: PHP is running as BillyBob When you log in as a user and then ask the system who you are, it will tell you that you are the user you logged in as. I'm not talking about shell access. I'm talking about PHP when it runs on your website. 35 minutes ago, ChenXiu said: When I log in as root and run <?php echo exec('whoami'); ?>Result: PHP is running as root You have root/sudo access on a shared hosting server? Are you sure it's a shared hosting server? As in there are multiple people with access to the same server your site is on? 35 minutes ago, ChenXiu said: When I run "groups php"Result: groups: ‘php’: no such user PHP the application. If your setup uses mod_php then PHP runs as whatever user Apache runs as. If your setup uses php-fpm then PHP runs as whatever user php-fpm is set to run as. 35 minutes ago, ChenXiu said: When I run grep php /etc/groupResult: (no result) That's... not the right thing to do. 35 minutes ago, ChenXiu said: I am a member of www-data because I always add myself to www-data whenever I set up a server If you set up the server yourself then you are not, in fact, on a shared hosting server, and therefore most of what I said was a waste of your and my time. 35 minutes ago, ChenXiu said: because that's what all the experts on the internet say to do and the internet is always right. And they're right in this situation. And by "right" I mean "wrong". There's basically no reason to put yourself in the www-data group, like, ever. 35 minutes ago, ChenXiu said: To clarify (my english very poor) I have my own server but I also have a website on a shared hosting environment where every single file and every directory is owned by user/group "Billybob:Billybob" and I can't figure out how the heck on the shared hosting server PHP or Apache can run on everything on Billybob:Billybob files. (I don't 'need' to know, I'm just dying of curiosity). Okay, now I'm confused. Are you running your website on a shared hosting server or not? I don't care about what you're doing locally or on a test server or whatever. I mean, the place where your website is running, is it "shared hosting"? 35 minutes ago, ChenXiu said: Did you know that there are over 1,000 tutorials on the internet on how to configure permissions ownership and groups on LAMP setups, and I have read every one of them and they are all different. Some moron expert will say to chmod everything to 777 and another expert will say to lock down everything so you can't even write files to your own server. The first guy is wrong. The second guy is mostly right because "you can't even write files to your own server" is partly what you actually want to be the case. 35 minutes ago, ChenXiu said: I wish someone smart from the PHP Freak would please write the 5 steps it takes to do it right. Like I said in my first reply, it depends. Primarily on dedicated vs. shared hosting. Just like how the question "how do I put my car in reverse?" sounds really simple but actually has multiple different-but-similar answers. Quote Link to comment Share on other sites More sharing options...
ChenXiu Posted May 6, 2021 Author Share Posted May 6, 2021 (edited) 7 hours ago, ChenXiu said: To clarify (my english very poor) I have my own server but I also have a website on a shared hosting environment I am quoting myself, here is what I said in my previous post (Quoted above, and below): "I have my own server" -but- "I also have a website on a shared hosting environment" (and also in my first post, I also said): "I have my own server but I also have a website on a shared hosting environment" Like "I have an apple, and I have an orange." I have both an apple and an orange. I have my own server (which I have root), and I also have a website on a shared hosting server. I am sorry to confuse you, my language can be very confusing. On my own server, I installed PHP w/ FastCGI. I did not know that I should know what PHP (FMP / FastCGI) is running as. I will go figure that out at once. Please hang by. Edited May 6, 2021 by ChenXiu Quote Link to comment Share on other sites More sharing options...
ChenXiu Posted May 6, 2021 Author Share Posted May 6, 2021 I tried to type this in my last post but your forum rushed me and said "NO MORE EDITING" so now I have to make a new post. But that is good. More content = better forum. That is why lay people simply answer questions but Admins say "Why do you want to do this?" because it adds content. So I make you happy, I give you two posts. Now you have double good content. Okay this is what I found: I see that in the www.conf in my pool.d, PHP is user="www-data" and group="www-data" Should I be terribly upset about this? Or happy? PHP is "www-data" and belongs to the group "www-data". So the reason I added myself to www-data is so I can edit my own files. But if I go into my files and do chown -R Billybob:Billybob, then Apache and PHP will get angry because they want to own it too, right? So I make it good shared owner "Billybob:www-data" and that way PHP is happy and Apache is happy. And directory / file permissions are 740 and 640 which is better than the 755 and 644 on the OTHER-server-which-I-do-not-own-but-have-a-website-on. Okay what can I monkey with and make it better. I want best configuration on my own server ( we will ignore the other-server-which-I-do-not-own-but-have-a-website-on because I don't have root on that one and I can't change anything anyway, and I don't care about that). Quote Link to comment Share on other sites More sharing options...
requinix Posted May 6, 2021 Share Posted May 6, 2021 Apache and PHP do not want to own files. They want to be able to read files, and just like books from a library, they do not have to own the files to be able to read them. For the shared server, you need to find out whether PHP runs as its own user or as your same user account. You must answer this with a webpage, not from a login shell: a webpage that echo exec("whoami"), or uses phpinfo(), or some other method. If PHP runs as the same user as your own account: - All files and directories should be owned by your user account and group - File permissions should be 0640 or 0644 - Directory permissions should be 0750 or 0755 - If you need to support file uploads, nothing special has to be done. Do not use 0777 permissions. If PHP runs as a different user from your own account, such as "www-data": - All files and directories should be owned by your user account and group - File permissions should be 0644 - Directory permissions should be 0755 - If you need to support file uploads: create a special directory for the files (such as "uploads") and set permissions 0777. For your own server, if you want it to have the same website as the shared server then you should make it use the same Apache + PHP setup (mod_php or php-fpm) and with a different user from your regular account (such as "www-data"). Using the same setup is a good way to know that what works on this server will also work on the shared server. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.