You are not logged in.

#1 2015-10-05 22:31:06

basica
Member
From: Australia
Registered: 2012-10-31
Posts: 217

suggestions/best practice with file/folder permissions on webserver

Hopefully this is the right spot for this. I have been running a webserver for awhile but since I had not needed to be regularly updating files there, I didn't change or want to change the permissions. Now that I will be uploading static html files regularly, I'm looking to find a happy medium between convenience and security (if such a medium exists). By default, the /srv/http folder is owned by the root user and has the permissions 750. I'm looking to change the permissions to 2750 (so that new files will always be readable by the http group), and change the owner to another user which I can log in as and the group to the http user. The files themselves will be set to 640.

The files themselves are uploaded via rsync. How safe is this in contrast to the files and folders being owned by root and is there safer methods that also offer similar levels of convenience for me when it comes to uploading these files?

Having looked it up online, it does appear that what I want to do has been suggested in this popular serverfault answer here and by apache themselves here but I definitely would appreciate the input of users with more experience than I on this.

Offline

#2 2015-10-06 08:52:34

ayekat
Member
Registered: 2011-01-17
Posts: 1,589

Re: suggestions/best practice with file/folder permissions on webserver

I prefer not to tinker around with service data that is not within my home directory, so I consider the most elegant solution to be

  • one "main" server instance running as the http user

  • one or multiple "personal" server instances running as systemd user services

  • the "main" server redirecting connections to the users' servers, depending on the requested host (called "reverse proxy")

This allows each user to fiddle around in their personal server configuration and data without requiring root access. You touch the main server's configuration only if you add a new host/user, otherwise it stays the same, no matter how the content on one of the websites changes. And even if you're the only user on the server, you still don't have to worry about awkward permission issues.

Since you seem to be using Apache, you could try to search for "Apache reverse proxy" - I found this, for example.

Otherwise I heard that nginx is good at this task. I personally use lighttpd, and the setup is rather simple.

Last edited by ayekat (2015-10-06 08:54:33)


pkgshackscfgblag

Offline

#3 2015-10-07 21:00:11

basica
Member
From: Australia
Registered: 2012-10-31
Posts: 217

Re: suggestions/best practice with file/folder permissions on webserver

Thanks for the information, I will definitely check it out. It looks really interesting.

Offline

Board footer

Powered by FluxBB