Web directory file permissions seem insecure by default? maybe...
#1
I'm just going off what I know here, so maybe some of you guys can correct me if I'm wrong.

Using EHCP, all files that are uploaded through ftp have an owner of "vsftpd" and a group of "nogroup".

When thinking in terms of Owner-Group-Other, this leaves the "www-data" user in the Other group. As far as I know, it's basically ok to let the "Other" group have read access to everything in a web root folder. However, I didn't think it was ok to give the "Other" group write permissions on anything. If you are using some type of php or other dynamic web application, this is what you will likely have to do. In my case, I am using Drupal.

Drupal requires certain directories to have write access from the user "www-data", but since the "www-data" user is in the other group, so does "Other", which could be who knows what on a production system.

This seems like an insecure setup to me. It would seem more reasonable if the group were set to "www-data" by default. If that were so, you could have permissions like this:

Owner - vsftpd - write on select folders - always read access
Group - www-data - write on select folders - always read access
Other - 000

But again, I'm not a security expert, this is just the way I thought it should be set up. So if there are any people that know more about permissions than me, feel free to let me know where I'm wrong at.

Restored from old drupal forum, for user uid:4185 username:ingram
#2
With the new version 0.30 of ehcp, the default file ownership is vsftpd:www-data, just as you suggested. It is now being tested, as you see on the front page of ehcp.net

Restored from old drupal forum, for user uid:4185 username:ingram
#3
Awesome, I'll download it and try it out

Restored from old drupal forum, for user uid:1 username:ehcpdeveloper
#4
Just set it up, but the issue is still there. Here is my httpdocs directory after uploading drupal 7.8 through ftp:


root@webserver3:/var/www/vhosts/mysite.com/mysite.com/httpdocs# ls -al
total 240
drwxr-xr-x 9 vsftpd www-data 4096 2011-09-13 11:45 .
drwxr-xr-x 5 vsftpd www-data 4096 2011-09-13 11:27 ..
-rw-r--r-- 1 vsftpd nogroup 6780 2011-09-13 11:45 authorize.php
-rw-r--r-- 1 vsftpd nogroup 61959 2011-09-13 11:45 CHANGELOG.txt
-rw-r--r-- 1 vsftpd nogroup 1021 2011-09-13 11:45 COPYRIGHT.txt
-rw-r--r-- 1 vsftpd nogroup 746 2011-09-13 11:45 cron.php
-rw-r--r-- 1 vsftpd nogroup 180 2011-09-13 11:45 .gitignore
-rw-r--r-- 1 vsftpd nogroup 5547 2011-09-13 11:45 .htaccess
drwxr-xr-x 4 vsftpd nogroup 4096 2011-09-13 11:45 includes
-rw-r--r-- 1 vsftpd nogroup 550 2011-09-13 11:45 index.php
-rw-r--r-- 1 vsftpd nogroup 1489 2011-09-13 11:45 INSTALL.mysql.txt
-rw-r--r-- 1 vsftpd nogroup 1918 2011-09-13 11:45 INSTALL.pgsql.txt
-rw-r--r-- 1 vsftpd nogroup 714 2011-09-13 11:45 install.php
-rw-r--r-- 1 vsftpd nogroup 1329 2011-09-13 11:45 INSTALL.sqlite.txt
-rw-r--r-- 1 vsftpd nogroup 18254 2011-09-13 11:45 INSTALL.txt
-rw-r--r-- 1 vsftpd nogroup 15214 2011-09-13 11:45 LICENSE.txt
-rw-r--r-- 1 vsftpd nogroup 7816 2011-09-13 11:45 MAINTAINERS.txt
drwxr-xr-x 4 vsftpd nogroup 4096 2011-09-13 11:45 misc
drwxr-xr-x 42 vsftpd nogroup 4096 2011-09-13 11:45 modules
drwxr-xr-x 5 vsftpd nogroup 4096 2011-09-13 11:45 profiles
-rw-r--r-- 1 vsftpd nogroup 3582 2011-09-13 11:45 README.txt
-rw-r--r-- 1 vsftpd nogroup 1621 2011-09-13 11:45 robots.txt
drwxr-xr-x 2 vsftpd nogroup 4096 2011-09-13 11:45 scripts
drwxr-xr-x 4 vsftpd nogroup 4096 2011-09-13 11:45 sites
drwxr-xr-x 8 vsftpd nogroup 4096 2011-09-13 11:45 themes
-rw-r--r-- 1 vsftpd nogroup 18503 2011-09-13 11:45 update.php
-rw-r--r-- 1 vsftpd nogroup 9035 2011-09-13 11:45 UPGRADE.txt
-rw-r--r-- 1 vsftpd nogroup 2051 2011-09-13 11:45 web.config
-rw-r--r-- 1 vsftpd nogroup 435 2011-09-13 11:45 xmlrpc.php

The group is not set on anything...

Restored from old drupal forum, for user uid:4185 username:ingram
#5
This is using the new .30 version. Is there anything I can do to fix this easily?

Restored from old drupal forum, for user uid:4185 username:ingram
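
Added example, not part of the original thread and not EHCP code: a read-only audit of a web root against the layout proposed in post #1 (group www-data, no write bit for "Other"), which would flag every `vsftpd nogroup` entry in the listing from post #4. The function name `audit_webroot` and the output labels are hypothetical; the setgid check relies on standard Linux behaviour, where new entries in a setgid directory inherit the directory's group.

```shell
#!/bin/sh
# Read-only audit of a web root against the layout proposed in post #1:
#   group = the web server's group, no write bit for "other".
# audit_webroot and its output labels are hypothetical names for this example.

audit_webroot() {
    root=$1   # e.g. the httpdocs directory
    grp=$2    # expected group name or numeric gid, e.g. www-data

    # Entries not in the web server's group (the "vsftpd nogroup" case):
    # www-data then reaches them only through the "other" bits.
    find "$root" ! -group "$grp" | sed 's/^/WRONG_GROUP /'

    # Entries any local account can modify (symlink modes are meaningless).
    find "$root" ! -type l -perm -0002 | sed 's/^/OTHER_WRITABLE /'

    # Directories without setgid: on Linux, new entries in a setgid
    # directory inherit its group instead of the creating process's group.
    find "$root" -type d ! -perm -2000 | sed 's/^/NO_SETGID_DIR /'
}

# Run as a script: sh audit.sh <webroot> <group>
if [ "$#" -eq 2 ]; then
    audit_webroot "$1" "$2"
fi
```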
#6
I see where you're coming from www-data
I tried the new Easy Hosting Control Panel out on Ubuntu 16.04.6 LTS (Xenial Xerus)
everything went ok will in the root folder it's www-data not root I know how to code stuff up the rest of the files are marked up as root also I 0777 files but the root upload folder file is www-data not root. Also when you restart apache on the Panel it rewrites it to www-data after I set this to root call.. this is not very good and still not been fixed nor any here from here to fix this


Restored from old drupal forum, for user uid:4185 username:ingram
#7
As far as I understand, you want file owners as root, is that right?

From the point of security, having file ownerships as root is not good. Additionally, files that are root cannot be written through ftp. That's why they are www-data. Why don't you want www-data? Why are you using root owner for web files?

Restored from old drupal forum, for user uid:40798 username:keith