Permissions on /var/www
Alexander Kraev
alexander.kraev at gmail.com
Mon Aug 17 18:02:58 UTC 2009
Hi Brazen,
Right you are, that was not an appropriate example. I meant that all
virtual hosts under /var/www have to be owned by the same user and
group www-data in case you have only one user to manage many virtual
hosts. www-data as the owner of the root directory is not a secure option.
Sasha
James Dinkel wrote:
> On Mon, Aug 17, 2009 at 12:00 PM, Alexander Kraev
> <alexander.kraev at gmail.com> wrote:
>
> > Hi,
> >
> > It depends on web-server architecture and how many sites you are going
> > to run inside /var/www.
> >
> > root:root is good for /var/www if you are running many sites in
> > /var/www. Let's say:
> >
> > /var/www/example.org
> > /var/www/example.net
> > /var/www/sub.example.org
> >
> > Each of these directories has to be owned as www-data:www-data if you use
> > only www-data user to manage all virtual hosts and unix_user:www-data in
> > case of multi-user virtual host based web server.
> >
> > It's a quick tip, all depends on your needs and web server's
> > architecture.
>
> "Each of these directories has to be owned as www-data:www-data"
>
> This is absolutely not true, and a bad idea for reasons already pointed
> out in this thread (Roy Sigurd Karlsbakk's email). Only set www-data as
> the owner when a web application specifically calls for it and only on
> the folder or file that it calls for.
>
> For instance, say a web application requires the web server to have
> write access to /var/www/myapp/uploads/. Then keep /var/www owned by
> root.root and perms set to 755, and change just the uploads folder to be
> owned by www-data.root (or www-data.www-data, or root.www-data with 775
> perms, it's all the same).
>
> If you do want users without root privileges to be able to modify the
> directories, then that is OK; give them permissions to write to whatever
> they need, but you do not want to give www-data any more than read
> permissions unless your web application specifically calls for it.
>
> Brazen
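
The layout James describes (a root-owned /var/www at 755, with only the upload directory writable by the web server) can be checked with find. This is an added example, not part of the thread: the function names and the sample tree are hypothetical, and paths are assumed to contain no glob characters.

```shell
#!/bin/sh
# Added example: list everything under a document root that the web server
# account could modify, apart from one directory the application must write to.

# audit_webroot DOCROOT WEB_USER WEB_GROUP [WRITABLE_DIR]
# DOCROOT and WRITABLE_DIR are given without a trailing slash, WRITABLE_DIR
# exactly as find prints it (for example /var/www/myapp/uploads).
audit_webroot() {
    docroot=$1; web_user=$2; web_group=$3; writable_dir=${4:-}
    set -- "$docroot"
    if [ -n "$writable_dir" ]; then
        # Do not descend into the one directory that is meant to be writable.
        set -- "$@" -path "$writable_dir" -prune -o
    fi
    # The web server can modify a path if the web user owns it (an owner can
    # always chmod), if the web group has write permission, or if the path is
    # world-writable. Symlinks are skipped: their own mode bits are not used.
    find "$@" ! -type l \( -user "$web_user" \
        -o \( -group "$web_group" -perm -020 \) \
        -o -perm -002 \) -print
}

# Constructed sample tree (hypothetical names), built in a temp directory so
# the audit can be tried without root. Prints the sample document root.
build_sample_tree() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/www/myapp/lib" "$base/www/myapp/uploads"
    : > "$base/www/myapp/index.php"
    : > "$base/www/myapp/lib/config.php"
    : > "$base/www/myapp/lib/world.txt"
    : > "$base/www/myapp/uploads/a.png"
    chmod 755 "$base/www" "$base/www/myapp" "$base/www/myapp/lib"
    chmod 644 "$base/www/myapp/index.php"
    chmod 664 "$base/www/myapp/lib/config.php"   # group-writable: reported
    chmod 666 "$base/www/myapp/lib/world.txt"    # world-writable: reported
    chmod 775 "$base/www/myapp/uploads"          # the intended writable dir
    chmod 664 "$base/www/myapp/uploads/a.png"
    printf '%s\n' "$base/www"
}

# On a real server, run as root:
#   audit_webroot /var/www www-data www-data /var/www/myapp/uploads
```

An empty result means www-data has nothing beyond read access outside the upload directory, which is the state the reply above argues for.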