user188962

File permissions; Should my www-folder content be owned by www-data?

This might be a noob question, but I can't find an answer anywhere.

I have a problem, which "Another file permissions problem" has helped me to ALMOST solve.

I have created a user in Linux (danny) which has sudo access. I have also created a new group whose name is ALSO danny, and added the user danny to that group. This group has sudo (root) access.

I have all files and folders in my www folder owned by danny/danny group.

I have image-upload code which is PHP. This code cannot upload images to a folder called "images" which is under the www folder, UNLESS I give the images folder 777 permissions.

So, I have followed the answer on the linked question, and have figured out that the user which the upload-script is run as is "www-data".

According to the answer on the link to the other question I posted, I need to add www-data to a group... But I am stuck here...

Which group should I add to? What should I do from here?

Any tips are appreciated.

Btw, here is some info about www-data and danny

  id www-data:
  uid=33(www-data) gid=33(www-data) groups=33(www-data)
  id danny
  uid=1000(danny) gid=33(www-data) groups=33(www-data)

Thanks and if you need more input, just let me know...

Upvotes: 10

Views: 19986

Answers (3)

LatinSuD

Reputation: 1939

(I'm rewriting this answer after 13 years because it was insecure.)

You could create a new group that is shared between danny and the web server. Then assign folders to that group. Let's call it danny-web.

groupadd danny-web

Add the danny and www-data users to the new group.

usermod -a -G danny-web danny
usermod -a -G danny-web www-data

Now you only need to assign folders to group danny-web, and give permissions to the group.

chown danny:danny-web myweb myweb/uploads
chmod 750 myweb
chmod 770 myweb/uploads

This is a folder where www-data only needs read-only access:

drwxr-x---  danny    danny-web   myweb

This is a folder where www-data needs read-write access:

drwxrwx---  danny    danny-web   myweb/uploads

Upvotes: 1

Konerak

Reputation: 39773

Actually, your problem is that you need the user www-data to have write-access to the images folder.

And you probably want user danny to have full access to the folder as well.

EDIT: Additional word of warning: having files writeable by your webserver is always a security risk. Be sure to check the files that are written, and make sure people can't upload or change code.

Summary:

  * Don't let your webserver run scripts that are writeable, or in a writeable folder.

So make sure only the images/ folder is writeable, and double-check that everything that is written is actually an image!

Either:

  1. Set www-data as owner of the folder, and chmod u+rwx www.
  2. Set www-data as part of a group X, and change the owner of the folder to X, and chmod g+rwx www.
  3. Set the folder world-writeable on your server (in some cases, an acceptable solution too, but less secure).

Upvotes: -2

Dave Sherohman

Reputation: 46207

In general, NO, your content should not be owned by www-data. The only content which should be owned by www-data are the specific files that you need web applications to be able to modify and specific directories that they need to be able to create or delete files in. The rest should not be owned (or writable) by www-data because every file that www-data can write to is a file that an attacker who compromises your web server (including any scripts or web apps that it is running) will be able to replace with whatever malicious data he may choose.

It is especially important that www-data not own or be able to write to any executable file (e.g., scripts, flash files, documents in Word or other formats with macro capabilities, etc.) because replacing them with malicious executables would provide an easy way to attack users' computers or the web server itself.

Upvotes: 21
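
One way to check a web root against the rule in the answers above (only the upload folder should be writable by www-data), as an added example that is not code from any of the answers. The function names `audit_by_id` and `audit_writable` and the paths in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the answers above). Function names are hypothetical.
# Lists paths under a web root that an account owns or can write to by mode
# bits, skipping the one directory that is supposed to be writable.
# Mode bits only: POSIX ACLs and a uid-0 account are not considered.

# audit_by_id ROOT ALLOWED_DIR UID [GID...]
audit_by_id() (
    root=$1 allowed=$2 uid=$3
    shift 3
    ngids=$#
    # Turn each remaining GID into "-o ( -group GID -perm -0020 )".
    for gid in "$@"; do
        set -- "$@" -o '(' -group "$gid" -perm -0020 ')'
    done
    shift "$ngids"
    # Flag a path when the account owns it (an owner can always chmod it
    # writable), when one of its groups has the write bit, or when it is
    # world-writable. Symlinks are skipped because their mode is always 777.
    find "$root" -path "$allowed" -prune -o ! -type l \
        '(' -user "$uid" "$@" -o -perm -0002 ')' -print
)

# audit_writable ROOT ALLOWED_DIR ACCOUNT, for example (sample paths):
#   audit_writable /var/www /var/www/images www-data
audit_writable() {
    acct_uid=$(id -u "$3") || return 2
    # Word splitting of the group list is intended.
    # shellcheck disable=SC2046
    audit_by_id "$1" "$2" "$acct_uid" $(id -G "$3")
}
```

Empty output means nothing outside the allowed folder is owned or writable by the account; any path printed is one the web server could replace.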
