There are lots of urban legends around the intrincate complexities of setting up a web server in order to allow more than just one person to work with it. In fact, there are lots of bad habits, unfortunately very well established, like the “make your files writable == chmod 777 rule” which are just plainly Very Bad Ideas, and are also consequences of not understanding how things work.
So how do things work?
The main goal is to be able to add and modify files in the web server, regardless of which user does it. And the solution is just a combination of appropiate permissions and groups:
- Identify which user is executing apache in your server. For example, in an ubuntu machine it is usually www-data.
- Identify which users need to be able to read, write and delete files and directories inside the web root. For example, there could be a couple of users called foo and bar. Both need to be able to change files in the server, whether they were created first by them or not.
- Add foo and bar to the www-data group.
- For fixing possible glitches with permissions, do this:
- sudo chgrp -R www-data /var/www # change all the files’ group to www-data
- sudo chmod g+w -R /var/www # allow people in the group to write to the files
- sudo chmod g+s -R /var/www # set the group id bit, so newly created files and folders inside the folders will inherit the group id of their container
Now, with this set up, everybody in the www-data group can modify stuff in /var/www, and newly created files will belong to the www-data group. And, of course, apache will be able to read and modify those files, so all should work nicely.
The only problem you can find is that when new files are created or copied they don’t get the write permission for its group. A solution could just be to do a chmod g+w right after creating it (that’s what I’m doing currently); advanced solutions will involve modifying the mask used to deal with files in the user profile.
As you see, this is a very easy process – it just requires a bit of attention to detail when setting up the server, and saves lots of headaches later. It is mostly useful for people with a dedicated server, or with an in-house machine, like the ubuntu box we have, where we can modify permissions, ownerships, groups, etc, at our will.
If you are in a shared hosting solution, I hope your hosting sets up things properly, so you will be able to avoid most of the cases where you need to do a chmod 777 in order to have apache writing stuff to folders that you, as a user, created. It is not that difficult, as you see!
Unfortunately most of the times they set things like this:
- apache is in its own group: apache
- user accounts are in their own group: foo
- stuff created by users, and the very folder for the user files, do not have the GID bit
So apache can read stuff which users upload, but it can’t modify or write to those folders because apache and the user are in different groups. And the traditional solution is to give permissions to everybody. Which, if you have attacks like this one, may allow the attacker to modify the whole hosted tree, which proves that using chmod 777 systematically is a Very Bad Idea.