Sunday, 16 January 2011

Pains and Permissions on Web Folders

When you develop web sites on Linux and haven't used it much before, you might find that certain things don't work properly: files don't get written or can't be edited, or, at the other end of the scale, you might have far more file access open than there should be. The Linux security mechanism is actually very simple: everything is treated as a file, and each file carries permissions for 3 levels of user: the owning User, the Group and (Other) users. Each of these levels can have permission to read and/or write and/or execute the given file. For instance, if you open a console somewhere and type ls -l, you might see something like this:

drwxr-xr-x 6 root root 12288 2011-01-15 12:47 Downloads

The letters at the beginning of the line show first that this is a directory (the d) and then the read/write/eXecute permissions for each of Owner, Group and Others. In this example the owner can read, write and execute, whereas everyone else can only read or execute it. In the case of a directory, execute doesn't mean anything.
This is important because, depending on the user and group of the file, you might find that you cannot write something even if you are an admin user. For instance, in the above example root is both the owner and the group of this file, so if I attempt as user "luke" to write to it, I will not be permitted. If you have unpacked an archive (for instance a PHP website framework) into the /var/www directory, you will probably have used sudo, so the files will be owned by root:root by default. The first thing you should do afterwards, therefore, is change them to be owned by the web server account, which is called www-data by default in the Apache web server. We do this by changing ownership (the chown command) like this:

sudo chown -R www-data:www-data ./MyNewSite

The sudo ensures you have permission to carry out the change, and the -R applies it recursively to the directory you specified. In this case we are assigning the owner to be the USER www-data and the group to be the GROUP www-data (same name, different things). Obviously you could assign an owner or group other than www-data, but I find this is easiest in my web directory.
You will now probably face another problem: even if you are a member of the www-data group (if not, add yourself to it), the group permission on most files is read-only by default, which means that as "luke" I still cannot modify these files without using sudo or kdesu to invoke the program. You could change the ownership of the files to "luke", but the easiest thing is to modify the files again, this time changing the access modifiers (using chmod) rather than the ownership, so that members of the www-data group can also modify these files. We do this:

sudo chmod -R g+w ./MyNewSite

Again, the sudo is to ensure you are allowed to do it, and the -R is to recurse into directories. Be careful: Linux is case-sensitive and treats r and R differently, so using the wrong one might do something quite different from what you expected.

Assuming now that Luke is in the www-data group, I will be able to read AND write any files in my new site, but they are still owned by the web server, which can access them as required.

Once you have a finished site, it is worth locking things down again, perhaps by setting the permissions to a+r-wx, which will make the files all read-only. This will not work if some of the files need to be written by the web server (e.g. log files), so be careful what you change. At the very least, make all php files (and any configuration such as connection strings, if not in php) read-only.
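To check what these commands actually change before running them on /var/www, here is an added example (not code from the original post) that simulates the model described above: it parses an ls -l mode string, applies a chmod symbolic mode such as g+w or a+r-wx, and asks whether a user such as luke can read, write or execute a file owned by www-data. The user, group and file names are the post's own illustrative ones; the umask that real chmod applies when the "who" part is omitted is ignored here.

```python
import re

CLASS_INDEX = {"u": 0, "g": 1, "o": 2}

def parse_mode(ls_mode):
    """Split an ls -l mode string such as 'drwxr-xr-x' into
    (is_dir, [owner, group, other]); each entry is a set drawn from 'rwx'."""
    triplets = (ls_mode[1:4], ls_mode[4:7], ls_mode[7:10])
    return ls_mode[0] == "d", [set(t) - {"-"} for t in triplets]

def format_mode(is_dir, bits):
    """Inverse of parse_mode: rebuild the ls -l style string."""
    body = "".join("".join(c if c in b else "-" for c in "rwx") for b in bits)
    return ("d" if is_dir else "-") + body

def apply_symbolic(ls_mode, symbolic):
    """Apply a chmod symbolic mode ('g+w', 'a+r-wx', 'u=rw,go=r') and return
    the new mode string.  Simplification: an omitted who part means 'a'."""
    is_dir, bits = parse_mode(ls_mode)
    for clause in symbolic.split(","):
        m = re.fullmatch(r"([ugoa]*)((?:[-+=][rwx]*)+)", clause)
        if m is None:
            raise ValueError("bad symbolic mode: " + clause)
        who = m.group(1) or "a"
        targets = range(3) if "a" in who else [CLASS_INDEX[c] for c in who]
        for op, perms in re.findall(r"([-+=])([rwx]*)", m.group(2)):
            for i in targets:
                if op == "+":
                    bits[i] |= set(perms)
                elif op == "-":
                    bits[i] -= set(perms)
                else:
                    bits[i] = set(perms)
    return format_mode(is_dir, bits)

def can(user, groups, owner, group, ls_mode, perm):
    """Can `user` (a member of `groups`) do perm ('r', 'w' or 'x') to a file
    owned by owner:group with this mode?  Exactly one class is consulted:
    owner if the user owns the file, else group if the user is in the file's
    group, else other.  root bypasses the r/w checks entirely."""
    _, bits = parse_mode(ls_mode)
    if user == "root":
        return perm != "x" or any("x" in b for b in bits)
    if user == owner:
        return perm in bits[0]
    if group in groups:
        return perm in bits[1]
    return perm in bits[2]
```

Note that a freshly added group membership only takes effect in a new login session, so `can` models the groups of the session you are actually in.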