Web Server Permissions

Setting permissions for a web server that hosts pages for multiple users can be tricky. Two issues in particular need to be addressed.

  • Any user scripts must be able to write files to the user directories.
  • The web server must be able to read files from the user directories.

User Script Write Permissions

The first issue is the easiest to deal with. If a user script runs directly with the permissions of the web server, it can read every file the web server can read and write to every location the web server can write, including the files of every other user the server hosts. To be secure, a user script should run with the permissions of the user who owns it rather than those of the web server. This can be accomplished with tools such as suexec, or by running a separate FastCGI process pool as each user.

Web Server Read Permissions

The second issue is a little trickier. There are several ways to let the web server read the user's files, but some of them also expose files that were never meant to be served.

  • Change the user's files to be owned by the www-data group.
  • Add the www-data user to the user's group.
  • Use ACLs to allow only the www-data user access to certain files.

Changing File Group Ownership

One method of making the user's files readable by the web server is to change their group ownership to the group the web server runs as, such as www-data. This can be automated by making the document root group-owned by www-data and setting the SGID bit on it, so that new files and directories inherit that group:

chgrp www-data /home/USER/public_html
chmod g+s /home/USER/public_html

New files and directories created under public_html will be group-owned by www-data. However, if the user changes the group of a file, or moves in a file created elsewhere (a move keeps the file's old group), the user cannot set the group back to www-data without being a member of that group. Also, for the web server to reach public_html, the home directory must at least be searchable (the execute bit) by the web server's user. The usual way to handle both is:

adduser USER www-data
chmod go+x /home/USER /home/USER/public_html

Adding the user to the www-data group lets the user read the web files of every other user, and lets every other member of www-data read this user's web files, possibly including data files that hold passwords or other sensitive information. This can be avoided by not adding the user to the www-data group and instead fixing the group ownership of files under public_html manually (as root) when needed.

Setting the execute bit on the user's home directory is needed for the web server to read the files under /home/USER/public_html. However, it also lets every other local user enter the home directory, so any file under it with world read permission becomes readable by other users. This can be fixed by removing world read permission from the affected files, but some applications create files with such permissions by default, so the permissions have to be checked and corrected regularly.
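The following audit and repair helper is an added example for the group-ownership approach just described; it is not part of the original page. It assumes the layout used above (a home directory whose public_html is the document root, group-owned by www-data) and the group name is a parameter so it can be exercised with any group. It reports the three things this approach can get wrong, namely world-readable files outside the document root, files the web server cannot read, and directories that lost the SGID bit, and fix_home applies the commands shown above. Changing a file's group to www-data requires root or membership in that group.

```sh
#!/bin/sh
# Audit/fix helper for the "change group ownership" approach (added example,
# not part of the original page). Assumed layout:
#   HOME_DIR              the user's home, must be searchable by the web user
#   HOME_DIR/public_html  document root, SGID, group-owned by WEB_GROUP
#
#   audit_home /home/USER [www-data]   prints one "CODE path" line per problem
#   fix_home   /home/USER [www-data]   repairs everything audit_home reports
set -u

# Files outside public_html that are world-readable. Once the home directory
# is world-executable these are readable by every local user.
find_world_readable_outside_docroot() {
    find "$1" -path "$1/public_html" -prune -o -type f -perm -004 -print
}

# Files or directories inside public_html the web server cannot read:
# wrong group, or the group read bit is missing.
find_unreadable_by_webserver() {
    find "$1/public_html" \( -type f -o -type d \) \
        \( ! -group "$2" -o ! -perm -040 \) -print
}

# Directories under public_html without the SGID bit: files created inside
# them get the creating user's primary group instead of the web group.
find_missing_sgid() {
    find "$1/public_html" -type d ! -perm -2000 -print
}

# The home directory must be searchable (x) by "other" for the web server to
# reach public_html. ls -ld is used because stat(1) formats differ by system.
home_not_traversable() {
    case "$(ls -ld "$1" | cut -c10)" in
        x|t) ;;                  # o+x set (t = sticky bit together with x)
        *)   echo "$1" ;;
    esac
}

audit_home() {
    home=$1; grp=${2:-www-data}
    home_not_traversable "$home"                | sed 's/^/HOME_NOT_TRAVERSABLE /'
    find_world_readable_outside_docroot "$home" | sed 's/^/WORLD_READABLE /'
    find_unreadable_by_webserver "$home" "$grp" | sed 's/^/NOT_READABLE_BY_WEB /'
    find_missing_sgid "$home"                   | sed 's/^/MISSING_SGID /'
}

fix_home() {
    home=$1; grp=${2:-www-data}
    chmod go+x "$home"
    # Remove world read outside the document root (the leak described above).
    find "$home" -path "$home/public_html" -prune -o \
        -type f -perm -004 -exec chmod o-r {} +
    # Hand the document root to the web group, make it group-readable, and
    # set SGID on every directory so new files inherit the group.
    chgrp -R "$grp" "$home/public_html"
    chmod -R g+rX "$home/public_html"
    find "$home/public_html" -type d -exec chmod g+s {} +
}
```

Run audit_home from cron and look at the output rather than running fix_home blindly: a WORLD_READABLE finding may be a file the user deliberately shares, and chmod o-r on it would break that.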

Adding www-data to the User's Group

Another solution is to add the www-data user to the user's group instead of the other way around. The web server can then read files in the user's home directory because it is a member of the user's group.

adduser www-data USER

Advantages

  • This method does not require the home directory to have world execute permissions, only user and group execute permissions.
  • The user files do not have to be owned by the www-data group. They can be read by the web server because the www-data user is a member of the user's group and the user's files have group read permissions.

Disadvantages

  • If the system limits the number of groups a user may be a member of (for example, NFS with AUTH_SYS only carries 16 supplementary groups), this approach may not scale to a system serving many users, since www-data needs one group membership per hosted user.
  • A compromised web server may be able to do more damage this way, as it can access every group-readable file in each user's home directory instead of just the files owned by the www-data group.
  • This only works on systems where each user has a private group of their own. If users share a common group such as users, adding www-data to it exposes every member's files.

Using Access Control Lists

If the system supports it, ACLs are the best method to use. With an ACL, the owner and group of the files and directories stay as they are, and additional entries grant the www-data user access. Likewise, execute permission on the home directory can be given to the www-data user alone instead of to all users:

setfacl -m u:www-data:x /home/USER

To let the web server read files, simply grant the www-data user read access to the entire document tree, or just to the portions that are needed:

setfacl -R -m u:www-data:rX /home/USER/public_html

To make newly created files and directories readable by the www-data user, add a default ACL. Every new file and directory then receives an entry giving www-data read and execute permission. The mask entry of a new object, however, is limited by the mode it is created with (typically 0644 for files and 0755 for directories), so www-data ends up with effective read permission only on new files and read plus execute on new directories:

setfacl -R -m d:u:www-data:rX /home/USER/public_html
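The helper below is an added example for the ACL approach; it is not part of the original page. It wraps the three setfacl commands above with the web user as a parameter, and effective_perms reads back what that user actually gets on a path once the mask is applied, which is how to confirm the read-only-on-files, read-and-execute-on-directories behaviour described in the previous paragraph. It assumes the acl package (setfacl and getfacl) is installed and the filesystem is mounted with ACL support; acl_supported probes for the latter.

```sh
#!/bin/sh
# ACL helper for a per-user document root (added example, not part of the
# original page). Assumed layout: HOME_DIR/public_html is the document root
# and the web server runs as WEBUSER (www-data).
#
#   grant_webserver_acl /home/USER www-data
#   effective_perms www-data /home/USER/public_html/index.html   -> e.g. r--
set -u

# Returns 0 if an extended ACL can be stored on the filesystem holding DIR.
acl_supported() {
    probe="$1/.acl-probe.$$"
    : > "$probe" || return 1
    setfacl -m "u:$(id -u):r" "$probe" >/dev/null 2>&1; rc=$?
    rm -f "$probe"
    return $rc
}

# The three commands from the page, parameterised on home and web user.
grant_webserver_acl() {
    home=$1; web=$2
    setfacl -m "u:$web:x" "$home"                     # search the home dir only
    setfacl -R -m "u:$web:rX" "$home/public_html"     # existing files and dirs
    setfacl -R -m "d:u:$web:rX" "$home/public_html"   # inherited by new ones
}

# Effective permissions WEBUSER gets on PATH after the mask is applied:
# prints e.g. "r--", or nothing if PATH has no entry for WEBUSER.
# getfacl marks masked entries as "user:www-data:r-x   #effective:r--".
effective_perms() {
    getfacl -c "$2" 2>/dev/null | awk -v u="$1" '
        /^user:/ {
            gsub(/[ \t]+#effective:/, ":")   # "r-x   #effective:r--" -> "r-x:r--"
            n = split($0, f, ":")
            if (f[2] == u) print f[n]        # last field is what really applies
        }'
}
```

After granting the ACL, the home directory can be left at mode 0700 or 0750: effective_perms www-data /home/USER reports --x for the web user while other users still cannot enter it, which is the property the Advantages list below relies on.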

Advantages

  • There is no need to change the group ownership of the files to be owned by the www-data group, or to add the www-data user to the user's group.
  • There is no need to allow world execute permissions on the home directory or any other directories.
  • As a result of using ACLs, only the www-data user, and not all other users, can traverse into the user's home directory.

Disadvantages

  • This method requires that the filesystem and kernel support ACLs and that the user have access to the tools to manipulate them (setfacl and getfacl).