Optimal Linux Web Server File Permissions for Apache2: Secure Configuration for Developers and Uploads

When configuring permissions for a Linux web server running Apache2, we need to balance three critical requirements:

  • Apache's www-data user must be able to read files and traverse directories
  • Developers need appropriate write access for maintenance
  • Upload directories require special considerations for security

For the example structure /var/www/fabrikam.com:


# Set ownership: alice owns the tree and the group slot goes to www-data,
# so Apache reads through the group bits of the 750/640 modes set below
# (a single chown does this; a later chgrp would only overwrite the group)
sudo chown -R alice:www-data /var/www/fabrikam.com

# Base directory permissions
sudo chmod 750 /var/www/fabrikam.com

# Standard directories (modules, styles)
find /var/www/fabrikam.com -type d -exec chmod 2750 {} \;
find /var/www/fabrikam.com -type f -exec chmod 640 {} \;

The uploads directory needs special treatment because it accepts user-provided content:


# Upload directory permissions
sudo chmod 2770 /var/www/fabrikam.com/uploads
sudo chown :www-data /var/www/fabrikam.com/uploads

For the cache directory that Apache needs to write to:


sudo chmod 2770 /var/www/fabrikam.com/cache
sudo chown :www-data /var/www/fabrikam.com/cache

Using 777 permissions (world-readable/writable/executable) is dangerous because:

  • Any user on the system can modify files
  • Malicious scripts can be injected
  • Security vulnerabilities become much easier to exploit

For multiple developers working on the same site:


# Create developer group
sudo groupadd developers

# Add users to group
sudo usermod -a -G developers alice
sudo usermod -a -G developers bob

# Set the SGID bit on every directory so new files inherit the directory's group
# (the 2750/2770 modes above already include it; this makes it explicit)
sudo find /var/www/fabrikam.com -type d -exec chmod g+s {} \;

Here's a complete setup script for the fabrikam.com site:


#!/bin/bash
set -e
SITE_PATH="/var/www/fabrikam.com"

# Set ownership: alice owns the tree, group www-data lets Apache read it
sudo chown -R alice:www-data "$SITE_PATH"

# Set base permissions
sudo chmod 750 "$SITE_PATH"

# Set directory and file permissions (2xxx keeps the SGID bit on directories)
sudo find "$SITE_PATH" -type d -exec chmod 2750 {} \;
sudo find "$SITE_PATH" -type f -exec chmod 640 {} \;

# Special directories Apache must write to
sudo chmod 2770 "$SITE_PATH/uploads"
sudo chmod 2770 "$SITE_PATH/cache"

# Make sure every directory carries the SGID bit so new files inherit the group
sudo find "$SITE_PATH" -type d -exec chmod g+s {} \;

Additional measures to consider:


# Restrict PHP execution in uploads
echo "<Directory \"/var/www/fabrikam.com/uploads\">
    php_admin_flag engine off
    <FilesMatch \"\.php$\">
        Require all denied
    </FilesMatch>
</Directory>" | sudo tee /etc/apache2/conf-available/fabrikam-uploads.conf
sudo a2enconf fabrikam-uploads
sudo systemctl reload apache2

When configuring permissions for a Linux web server, we need to balance three key requirements:

  • Apache (www-data) must be able to read files and execute scripts
  • Developers need write access to maintain the codebase
  • The system must prevent horizontal privilege escalation

For the described scenario with multiple developers and upload directories, here's the optimal setup:


/var/www/
├── fabrikam.com/
│   ├── cache/      # 775 (rwxrwxr-x)
│   ├── modules/    # 755 (rwxr-xr-x)
│   ├── styles/     # 755 (rwxr-xr-x)
│   ├── uploads/    # 775 (rwxrwxr-x)
│   └── index.php   # 644 (rw-r--r--)

Here's how to set these permissions properly:


# Set ownership for Fabrikam site
sudo chown -R alice:devgroup /var/www/fabrikam.com

# Set base directory permissions
sudo find /var/www/fabrikam.com -type d -exec chmod 755 {} \;

# Special permissions for writable directories
sudo chmod 775 /var/www/fabrikam.com/cache
sudo chmod 775 /var/www/fabrikam.com/uploads

# Set file permissions
sudo find /var/www/fabrikam.com -type f -exec chmod 644 {} \;

# Allow Apache access through group permissions
# (note: www-data then also has group write on the 775 cache/ and uploads/ directories)
sudo usermod -a -G devgroup www-data

For directories accepting user uploads, additional security measures are crucial:


# Prevent PHP execution in upload directory
# (echo needs no sudo; only the tee that writes under /etc/apache2 does)
echo "<Directory /var/www/fabrikam.com/uploads>
    php_flag engine off
    RemoveHandler .php .phtml .php3
    RemoveType .php .phtml .php3
</Directory>" | sudo tee /etc/apache2/conf-available/fabrikam-uploads.conf

sudo a2enconf fabrikam-uploads
sudo systemctl reload apache2

For more granular control, consider using Access Control Lists:


# Install ACL utilities
sudo apt-get install acl

# Grant per-user access to the uploads directory.
# The access ACL (-m) applies to the existing directory and its contents; capital X
# grants execute only on directories (and files that are already executable).
sudo setfacl -R -m u:alice:rwX,u:bob:rwX,g:www-data:rX,o:rX /var/www/fabrikam.com/uploads

# The default ACL (-d) is inherited by newly created entries and can only be set
# on directories, so apply it through find rather than with -R
sudo find /var/www/fabrikam.com/uploads -type d \
    -exec setfacl -d -m u:alice:rwx,u:bob:rwx,g:www-data:r-x,o:r-x {} +

Using 777 permissions creates several security vulnerabilities:

  • Allows any system user to modify website files
  • Enables privilege escalation attacks
  • Permits malicious file uploads to become executable
  • Violates the principle of least privilege

Implement audit logging to track permission modifications:


# Add audit rule for web directories
# (the >> redirection runs as the calling user, so append via sudo tee instead)
echo "-w /var/www/ -p wa -k web_content" | sudo tee -a /etc/audit/rules.d/web-content.rules

# Load the rules from rules.d (auditd is usually configured to refuse systemctl restart)
sudo augenrules --load

# View permission changes (aureport needs the raw ausearch records on stdin)
sudo ausearch -k web_content --raw | aureport -f -i