I’m relatively new to Linux and am having a great deal of confusion about setting up the “proper” access/permissions for Apache and PHP in the DocumentRoot (/srv/www/htdocs) and its subdirectories as well as any special directories for include/mysql password files behind the root directory, such as /srv/www/includes or srv/www/logs. If I understand it correctly, when Suse 11, Apache and PHP are initially installed, everything is setup as owner=root and group=root. As apache takes over it changes and runs under owner=www and group=wwwrun. What is the secure way to run these processes?
As an example, I’m using a PHP IDE (ZendStudio) setup in my /home directory. I am able to write and test all of the code I choose to but can’t save any files as I am running under my user account. I read about and tried using chown -R /srv/www to change the owner to my userID and the Group to user. It fixed my problem of saving my code but making all of the directories group as user seems too un-secure to me.
I also need to be able to read and write to files in a couple of directories behind the actual web root, /srv/www/logs and etc. If my scripts try to write logs or create files there they fail because they don’t have write permissions.
I’m sure there is not an easy answer as I have searched everywhere and read a lot of books and tutorials but haven’t been able to put it all together in my head. All links, opinions or expertise is welcome. I’ve even tried to hire a Linux guy to come and help me with this stuff and haven’t found one who knew enough to make it all happen.
You may have noticed, when you rent space on a server (i.e get web hosting on the net), they set up an account and make the document root ain the home directories of tht account and attach it as a “Virtual Server”. My point is that even though it’s a normal user’s account, it’s quite secure – Apache has quite some safeguards built in. Indeed one could argue that it’s in some senses more secure to have the Virtual Server running differently from root. Anyway, I use a virtual server and set up a directory under htdocs which is chowned to my username. Apache runs user www there and it all hangs to gether well. My configuration might give you a few more ideas, or you could just copy it because it works very well. I have 3 different developing sites in that rig in different Virtual Servers under htdocs. Have a look here: HowTo: Configure a Linux Apache Web Server on Suse/openSUSE (including SSI and CGI)
It’s good to have the files being served owned by some user other than wwwrun and group other than www. In fact the user and group should not be wwwrun and www so that the webserver cannot overwrite the files, in case there is a bug. The exceptions are the files/directories that must be writable, e.g. for uploads.
Swerdna, it’s very curious you responded because it is your article I found the chown command recommending using my own userID as owner and user as group. I have done that and it has taken care of my access to being able to save files from withing my IDE anywhere in the structure of the DocumentRoot path.
As I tried to explain in my first post but probably not to clearly, I need my PHP scripts, whether from within my IDE or just runnning as a script from a browser to allow me to write files “within” the Path of the DocumentRoot.
/srv/www/htdocs /srv/www/logs
In the two paths above, the document root is under htdocs, of course, but I am trying to write files in directories under www up inside the DocumentRoot path such as log files and other data which I don’t want anyone to have access to except the scripts that use them.
If I understand correctly, all of the Directories I am writing to have read, write,exec permissions for owner which is me. Then why can’t my php scripts write to files within those directories? I guess I don’t understand what my php scripts have as default permissions and what user/group they run under.
Do I need to set up a different owner and group for PHP or the individual scripts I am running or do I have to give some kind of write permissions to each individual Directory or files as it is created?
I hope this is understandable, I’m having trouble putting it into words.
As I confessed earlier, I’m definitely not an advanced Linux user. So let me see if I understand what you are saying.
When I changed the ownership to all of the directories starting with /usr/www and below with the chown -R command to my userid as owner and the user group for group I believe it left the world as is which is read only. Which is good because all of the directories I own need to be read only for the web server/PHP to run correctly or is it just good practice?
But I would then have to change the, what, both the owner www and group wwwrun on all directories I want to write to or do I have to leave the owner as me and change the group to wwwrun on the directory?
I hope that made sense? Believe me your help is really insightful. I’m the kind of person who isn’t satisfied with only getting an answer and moving on but I love to learn how things really work. I have been trying to figure this out for a long time, you have really opened my eyes. I’m sure I don’t understand it all but I’m definitely on my way.
If you have a directory owned by e.g. john:users in the tree below the document root and you have a file in there being written to by wwwrun:www there are several ways that can happen without error.
The directory has permissions drwxrwxrwx and the file has ownership john:users and permissions at least rw-rw-rw-
The directory has permissions drwxrwxrwx and the file has ownership wwwrun:www and permissions at least rw-r–r–
That’s how I do it.
You can also have the directory owned by wwwrun:www with permissions drwxr-xr-x and file owned by wwwrun:www with permissions rw-r–r–
I think – it’s all a bit fuzzy now that I’ve written it – the top two work for me because I can create files in there as the administrator john:users and the web server create files in there – don’t know about security of that.
You spoke of setting permissions on directories from the document root and below. Will it work the same way setting up write access to directories at the same level as htdocs or above. Such as
Remember this principle: on a Linux/Unix filesystem, every object—file or directory—has its own ownership and permission information.
So even though you changed all the directories under DocumentRoot to be owned by you with chown -R, you can then go and change specific subdirectories to be owned by wwwrun and therefore writable by the webserver, if the owner write bit is on. And yes, this applies to anywhere else on the filesystem.