Skip to content
Advertisement

Is it safe to change web server root directory to owners root:www-data with 775 rights?

I had a problem with the PHP fwrite function not writing anything and I figured it was because of rights.

One apache process is run by root and several others by www-data:

$ ps -aux |grep apache
root 21239 0.0 0.3 222104 26524 ? Ss 02:31 0:00 /usr/sbin/apache2 -k start
www-data 21240 0.0 0.1 222316 13736 ? S 02:31 0:00 /usr/sbin/apache2 -k start

The web root directory was owned by root:root with no write rights for the group owner (755):

/var/www# ls -l
drwxr-xr-x 9 root root 4096 Feb 29 02:11 html

So I changed the group owner of the root directory to www-data and granted write rights:

/var/www# chown root:www-data html
/var/www# chmod 775 html
/var/www# ls -l
drwxrwxr-x 9 root www-data 4096 Feb 29 02:11 html

Now it worked. My question is if this is a proper and – most important – secure setup.

Advertisement

Answer

This is because Apache runs as www-data in Ubuntu. But, if you would download the source code and compile it, it will run as the user daemon. The folders that Apache uses should be owned by the user Apache runs as.

So, if you would need to change the Apache’s default user and group change/add the line:

User <your-username> # (Without angle-bracket)
Group <your-group> # (Without angle-bracket), this setting is usually the same as the user

You cannot write using PHP beacause you are using the php module in apache. If you would use PHP-FPM, then you would have to change the default user and group in PHP-FPM’s www.conf file. You are not using PHP-FPM by the info you have given, hence, when you change Apache’s user and Group, it is also applied to PHP, as PHP is running in Apache. If you have a lot of visitors, and your website needs to be faster, then, enable PHP-FPM by doing the following:

1) Unload the mod_php(version-number) by running:

sudo a2dismod php(version-number)

(Optional Step) 2) You might need to use mpm_event and unload mpm_prefork. You might see a weird message saying conflict and stuff, but ignore it. You can do it by running:

sudo a2dismod prefork && sudo a2enmod event

3) Install PHP-FPM:

sudo apt install php(version-number)-fpm && sudo service php(version-number)-fpm start

4) Enable proxy_fcgi module in Apache:

sudo a2enmod proxy_fcgi

5) Add the following to apache2.conf file:

<FilesMatch ".ph(p[2-6]?|tml)$">
SetHandler "proxy:fcgi://localhost:9000"
</FilesMatch>

6) Run:

sudo service apache2 restart

And you’re done!

User contributions licensed under: CC BY-SA
3 People found this is helpful
Advertisement