Score:0

Ubuntu

How to securely give permissions to my user and www-data?

Foobarer

11/18/23, 9:32 AM

I created a Laravel project using my user. But now I added code that creates folders and files. The files and folders created by the PHP code are owned by www-data user and group. So when I check ownerships and permissions inside the root directory, I see the entire project is a mix of different ownerships for the folders and files, of my user and www-data.

That happened because the project itself was created by me so most of the files are owned by my user name and user group.

But now as I work on the project, I'm writing code that makes the web server create files and folders and it's owned by www-data user and group.

The problem is I am using VSCode Remote (with SSH) and then I can't access/edit the files created by the server with my user so I just chown every time, because I'm currently working on a file storing script. So I want to see if my script worked and created the correct files so I have to chown it right now to access them

But how can I make my user be able to also view/edit the files created by www-data securely without needing to chown every time?

I know there are a few approaches and I was recommended by some to use setfacl command. Or maybe I should add my user to www-data group? But I was told me this approach is bad (in production) because if someone gets access to the web server he gets access to the entire system.

What would be a good practice to allow my user to access (read/write) files created by the server.

Also, since the rest of the project is owned by me (not newly created files), should I also changed that to be owned by www-data?

0 + 9

server

permissions

22.04

matigo

11/18/23, 9:43 AM

One generally does not "develop in production". Is it not possible to develop locally where you can have Apache run with your credentials and then deploy to the production server via source control? This would reduce a situation in the future where people are terrified of upgrading/replacing the current production server because there's so much hand-tweaked stuff on production that doesn't exist anywhere else. Ideally production systems should be "as disposable as possible" so that you can rebuild from source in minutes rather than weeks

Foobarer

11/18/23, 9:47 AM

thank you, you are correct . Then maybe I should change the purpose of why I'm doing that because as you said it doesn't make sense for a production server. It's actually rather a mix of development and production server, because I'm working on a personal project, and as I develop it, I give some people access to the website to view it. So I guess I need it only for that, but not real production

muru

11/18/23, 9:55 AM

Does this answer your question? [How to avoid using sudo when working in /var/www?](https://askubuntu.com/questions/46331/how-to-avoid-using-sudo-when-working-in-var-www)

Foobarer

11/18/23, 10:03 AM

@muru Haha I've been using this post for a long time! (I have it in my browser's boomarks). But then I was suggested that I should use `setfacl` instead, because the approach in the post above is adding your user to the `www-data` group, which is exactly why someone told me it's risky in case some one takes control of the web server somehow. Of course, it might be rare but I really want to understand why they said that and try this approach, unless you say that this is also secure enough

muru

11/18/23, 10:09 AM

@B.DLiroy you'll have to clarify what the risk is here: how do they envision *your* user being a member of the `www-data` group being a threat vector when the web server processes are compromised?

muru

11/18/23, 10:13 AM

IMO I don't see much of a difference between setgid/group-membership vs ACLs either way here. I could see ACLs being used if you want to give access to some particular location without granting access to other locations that the group has access to, but in a development server like the one you talk about, I don't see why your user shouldn't have access to anything that the `www-data` group has access to.

Foobarer

11/18/23, 11:27 AM

@muru yes, that's exactly what I was told - that if my user is added to that group it's a threat vector if the web server is compromised because then the attacker will have access to anything that the user has access to?

Foobarer

11/18/23, 11:53 AM

@muru and to be honest, I didn't quite understand how because I never dealt with security but I am curious as to how exactly is this a risk vector, maybe a simple example would help me understand what is the meaning here

muru

11/18/23, 1:36 PM

I think you should ask this person to clarify how exactly they imagine this happening, since as far as I know, I can't simply start accessing some other user's files just because we happen to be in the same group - except only those files which are of that group. Otherwise the group of a file wouldn't matter at all

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: How to securely give permissions to my user and www-data?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.