file permissions security apache - linux

I'm trying to figure out what is the best file permissions/user/groups for files under my document root?
I have the following file structure
/home/user/public_html/
under public_html are all of my php files and directories.
I have one directory /home/user/public_html/files/ where people upload images to that directory.
What is the most secure way to distribute file permissions/groups/user so that apache can properly display the php files and directories?
Should I make public_html owned by apache? What group should I use for public_html?
thanks!

My Favourite mix of permissions for apache is to give it ownership of apache:apache, all folders chmod to 550 or 555, and all files chmod to 440/444. I suggest the following:
/home/user/public_html/ owned by apache:apache with permissions 555 (read/x by everyone)
/home/user/public_html/files/ owned by apache:apache with 775 (read/write/x by root/apache, read/x by all)

First need to find which user running https / apache2 server
ps -aux | grep apache2
Most of times apache or www-data comes
We need to set this user
chown -R www-data:www-data /var/www/html
Then file permission should be 644 and folder 755
we can do that using find command
find /var/www/html -type f -not -perm 644 -exec chmod 644 {} \;
find /var/www/html -type d -not -perm 755 -exec chmod 755 {} \;

Related

Setting multiple file permissions at once using ssh ( recursive folder/file permission )

I am working with digital ocean and WordPress. I have uploaded my theme and my file permissions are all wrong. I know how to set the file permissions individually using ssh but I'm wondering if I can do multiple at once rather than doing each individually. I want to set all folders inside my theme to 755 and all files to 644 (correct me if this is wrong)
Here's what I have done so far; I navigated to my theme folder using ssh then used to following command to set file permissions;
chmod 644 file.php
chmod 755 folder
chmod -R 755 will set these permissions to all files and subfolders in the tree. To set the directories to 755 and either leave the files alone or set them to 644. For this, you can use the find command. For example:
To change all the directories to 755 (drwxr-xr-x):
find /opt/lampp/htdocs -type d -exec chmod 755 {} \;
To change all the files to 644 (-rw-r--r--):
find /opt/lampp/htdocs -type f -exec chmod 644 {} \;
Please try below command for directory
find /var/www/html/ -type d -exec chmod 755 {} \;
Below command is for files permission
find /var/www/html/ -type f -exec chmod 644 {} \;

Unable to configure folder permissions in Ubuntu

I found many related questions and tried to solve the issue but I was not successful. Actually I created an user named "amit" and assigned the group "www-data". I gave permission to the folder using this method
sudo chown -R :www-data /var/www
sudo chmod g+w /var/www
sudo adduser amit www-data
Change folder and file permission recursively:
To change all the directories to 755 (-rwxr-xr-x):
find /var/www -type d -exec chmod 755 {} \;
To change all the files to 644 (-rw-r--r--):
find /var/www -type f -exec chmod 644 {} \;
But in joomla system info when i check i get all directories as non writable.
So I changes this command to
sudo chown -R www-data:www-data /var/www
Surprisingly this worked.
I need to know why the created user didn't work but this one worked, where did I miss something?
Applying chmod 755 (rwxr-xr-x) for directories and chmod 644 (rw-r--r--) for files just makes the writable for the owner, but not for the group. If you want to grant the group write permissions then you need 775 and 664.

Wordpress Linux file permissions and group

I have a Linux server (Debian 7) with lots of users who needs Wordpress. When I create the users what group should they be in? Today I assign them to www-data.
Then they download Wordpress by SFTP and runs the installation.
Which file permissions and user/group should their files have, specially wp-config.php?
Now, users can peek in eachothers wp-config.php from the terminal and read the password. Not very good.
Since the users aren't root they cant change file permissions/owner of wp-config.php which would solve my problem.
You can use this script by Mike Conigliaro for for setting permissions correctly on all wordpress files.
WP_OWNER=changeme # <-- wordpress owner
WP_GROUP=changeme # <-- wordpress group
WP_ROOT=/home/changeme # <-- wordpress root directory
WS_GROUP=changeme # <-- webserver group
# reset to safe defaults
find ${WP_ROOT} -exec chown ${WP_OWNER}:${WP_GROUP} {} \;
find ${WP_ROOT} -type d -exec chmod 755 {} \;
find ${WP_ROOT} -type f -exec chmod 644 {} \;
# allow wordpress to manage wp-config.php (but prevent world access)
chgrp ${WS_GROUP} ${WP_ROOT}/wp-config.php
chmod 660 ${WP_ROOT}/wp-config.php
# allow wordpress to manage .htaccess
touch ${WP_ROOT}/.htaccess
chgrp ${WS_GROUP} ${WP_ROOT}/.htaccess
chmod 664 ${WP_ROOT}/.htaccess
# allow wordpress to manage wp-content
find ${WP_ROOT}/wp-content -exec chgrp ${WS_GROUP} {} \;
find ${WP_ROOT}/wp-content -type d -exec chmod 775 {} \;
find ${WP_ROOT}/wp-content -type f -exec chmod 664 {} \;
This is how I solved it:
Create users in a group "users". Create a script in /etc/cron.hourly that fixes permissions on all wp-config.php-files like this:
for f in locate wp-config.php
do
chgrp www-data $f
chmod 640 $f
done
Works like a charm.

How to secure drupal file with permission?

i'm asking what's the best linux permission to drupal files in the purpose to secure it.
My setting.php is under 444 but the others are 755 .
Thank you
Once finished editing the settings.php file, you should change it to 440 giving only you and the webserver read-only access.
440 is fine for the settings file. For the others do:
Navigate to sites/default folder:
chown -R :www-data files
Then give you and web server read/write permission to files folder ('s' makes the files inside the directory inherit these permissions.)
chmod g+ws files
If you need to overwrite previous created files' permissions do (navigate to sites/default/files):
find . -type d -exec chmod g+ws {} \;
find . -type f -exec chmod 664 {} \;
Now your web server can read/write but not execute files in the files directory.

What files should be writable after Magento installation for security?

After an install / setup of Magento on a LAMP Server, what files should be left writable, readable, and/or executable (by owner, group, public)?
What is optimal for a secure magento server?
All folders should be 775
All files should be 664.
Now the exceptions:
/var should be writable for everyone (777)
/media folder should allow web to write in it.
You can run those if you have SSH access:
find . -type d -exec chmod 775 {} \;
find . -type f -exec chmod 664 {} \;
Atleast that is what Magento Wiki suggest.

Resources