Hi,
I have a dedicated server with LAMP installed.
There is a domain hosted there and a particular user created for this domain. This user has SSH and FTP for the domain folder.
Let’s say we have domainuser, which belongs to domainusergroup.
So this domain folder /public_html is accessible only to domainuser and domainusergroup.
The Apache user has only read permission there.
But my site needs to write some files in a few directories, and it seems that the apache user has no such privileges.
So my question is: how do I allow apache to read/write/execute in some folders?
Thank you in advance.
I’m not sure who you mean when you say “apache” or “apache user”, but you can take whatever files you need edited, and add another group to them. Root remains owner, but another group can (r/w/x or whatever).
Or you can add this other user to a new group, who is then added with only certain permissions on these special files (if you wanted write but not execute for example).
The user under which apache is running.
Can I just add the “apache” user to domainusergroup and set the permission for domainusergroup to r/w/x on a particular folder? Is this method secure enough?
Is there any idea what the shell syntax would look like for such operations?
The user under which apache is running.
Ah ok, makes sense… now, what that user is actually called will depend on your Linux flavour. I run Ubuntu (Debian flavour) so my apache is called “www-data”. That’s its group and I can’t seem to find any specific user for it on my system (maybe it really is also user: www-data?). On other systems it may be user: apache and group: somegroup.
So, find out what your apache userid (effective user id likely) is on your system.
While it’s running you could
ps aux | grep apache2
Can I just add the “apache” user to domainusergroup and set the permission for domainusergroup to r/w/x on a particular folder? Is this method secure enough?
Or whatever it’s running as, I would think so. Now I wonder why apache doesn’t have the permissions it needs now?? Likely security reasons, so at the very least, limit the folders as much as you can… or see if there’s some other way around that.
This is what I used (as root):
# chgrp -R www-data /var/www
to add the “www-data” group to where I keep my HTML files (/var/www)
however I didn’t need to do that for Apache… I did that for me (as user). Likely what you did for your user.
So actually now that I’m thinking…
DON’T add apache to your user’s group. Instead, just give Apache rights to only those specific folders.
# chmod 770 /specific/folder/file
And then add apache’s own group (whatever it’s called on your system) to those specific files.
That depends on where the directory you want to make writable by apache is located. If it is in the public_html directory it’s not really secure. If it’s “one up” from the public_html that’s secure enough.
For example, assuming your public_html is located in /var/www/public_html, making /var/www/public_html/uploads writable by the apache user is not a good idea, but creating a directory that is not publicly available, like /var/www/uploads and making that writable by apache, is fine.
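The advice above (keep the Apache-writable directory outside public_html, and give Apache's group 770 on that one directory only) can be scripted as follows. This is an added example and not part of any post in the thread; the function names and the temporary directory standing in for /var/www are assumptions.

```shell
#!/bin/sh
# Added example. Paths, group and function names are assumptions for illustration.

# Users that Apache worker processes run as (apache2 on Debian/Ubuntu, httpd elsewhere).
apache_users() {
    ps -e -o user= -o comm= | awk '$2 ~ /^(apache2|httpd)$/ && $1 != "root" {print $1}' | sort -u
}

# Print the physical (symlink-free) path of a directory; its parent must exist.
physical() {
    if [ -d "$1" ]; then
        (cd "$1" && pwd -P)
    else
        p=$(cd "$(dirname "$1")" && pwd -P) && printf '%s/%s\n' "$p" "$(basename "$1")"
    fi
}

# Return 0 if DIR ($2) is at or below DOCROOT ($1), 1 if outside, 2 on error.
under_docroot() {
    root=$(physical "$1") && dir=$(physical "$2") || return 2
    case "$dir/" in
        "$root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Create DIR ($2) writable by GROUP ($3), but only if it is outside DOCROOT ($1).
grant_web_write() {
    rc=0
    under_docroot "$1" "$2" || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "refusing: $2 is inside document root $1" >&2
        return 1
    elif [ "$rc" -ne 1 ]; then
        echo "cannot resolve $1 or $2" >&2
        return 2
    fi
    # Owner and group get rwx, everyone else nothing (the 770 from the thread).
    mkdir -p "$2" && chgrp "$3" "$2" && chmod 770 "$2"
}

# Demo on a constructed tree; the temp dir stands in for /var/www.
demo=$(mktemp -d)
mkdir "$demo/public_html"
grant_web_write "$demo/public_html" "$demo/uploads" "$(id -g)" && echo "writable: uploads"
grant_web_write "$demo/public_html" "$demo/public_html/uploads" "$(id -g)" || echo "rejected"
rm -rf "$demo"
```

On a real server the third argument would be the group reported for the `apache_users` account (www-data in the thread's Ubuntu case), and the script would be run as root.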
Doesn’t a script (cgi) usually do all the writing instead of Apache touching anything itself (for mentioned security reasons)?
And, yeah, agreed with your post!
Depends on the setup, but normally the cgi process is fired by/embedded in apache, so it also runs as the apache user.
The exception is when you use fcgi and suphp, then the scripts are run under the user that owns the script.
There might be other exceptions, but I only know about suphp 