[CentOS] Apache and web content permissions

Sat Dec 2 09:30:05 UTC 2017
Nicolas Kovacs <info at microlinux.fr>

Hi,

Until a few months ago, when I had to set up a web server under CentOS, I
assigned (I'm not sure about the correct English verb for "chown"ing)
all the web pages to the apache user and group. To give you an example,
let's say I have a static website under /var/www/myserver on a CentOS
server running Apache. Then I would configure permissions for the web
content like this:

# chown -R apache:apache /var/www/myserver
# find /var/www/myserver -type d -exec chmod 0750 {} \;
# find /var/www/myserver -type f -exec chmod 0640 {} \;

Some time ago a fellow sysadmin (Remi Collet on the fr.centos.org forum)
pointed out that this is malpractice in terms of security, and that the
stuff under /var/www should *not* be owned by the user/group running the
webserver. Which means that for the static website above, I could have
something like this, for example:

# chown -R microlinux:microlinux /var/www/myserver
# find /var/www/myserver -type d -exec chmod 0755 {} \;
# find /var/www/myserver -type f -exec chmod 0644 {} \;

Or even this:

# chown -R nobody:nobody /var/www/myserver
# find /var/www/myserver -type d -exec chmod 0755 {} \;
# find /var/www/myserver -type f -exec chmod 0644 {} \;

Now I'm hosting quite a few Wordpress sites on various CentOS servers.
Some stuff in Wordpress has to be writable by Apache. If I want to keep
stuff as secure as possible, here are the permissions I have to define:

# cd /var/www
# chown -R microlinux:microlinux wordpress-site/
# find wordpress-site/ -type d -exec chmod 0755 {} \;
# find wordpress-site/ -type f -exec chmod 0644 {} \;
# cd wordpress-site/html
# chown -R microlinux:apache wp-content/
# find wp-content/ -type d -exec chmod 0775 {} \;
# find wp-content/ -type f -exec chmod 0664 {} \;

As far as I know, this is the most secure setup for Wordpress as far as
permissions are concerned. The problem is, I can't use automatic updates
anymore. Whenever Wordpress releases a new version, I have to set
permissions temporarily like this:

# chown -R apache:apache /var/www/wordpress-site

Then I can launch the update from within the Wordpress dashboard. And
once the update is complete, I have to redefine sane permissions as
above. Which is quite a bit tedious if you have two dozen Wordpress
sites to manage, even if you have little scripts to define the permissions.

So I'm finally coming to my question. How problematic is it really to
have the apache user and group owning the stuff under /var/www? I admit
I followed the user's advice out of respect for his competence. But as
far as I know, sometimes you get security advice where the resulting
hassle far outweighs the real benefits.

Any suggestions?

Cheers,

Niki

-- 
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : info at microlinux.fr
Tél. : 04 66 63 10 32
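As an added example (not part of the original post), the script below applies the mode part of the scheme described in the post (0755/0644 everywhere, 0775/0664 under wp-content) to a constructed sample tree and then audits the docroot for anything outside wp-content that is group- or world-writable, which is exactly what gets lost when a site is temporarily chown'ed to apache:apache for an update and not restored. It runs unprivileged, so it deliberately leaves out the chown steps (those need root and the real owner/group names); the html/wp-content layout and the file names in the sample tree are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Applies the post's mode scheme
# and audits for web-server-writable paths outside wp-content.

# Apply the mode bits from the post to a docroot (chown is left to root).
apply_modes() {
  docroot=$1
  find "$docroot" -type d -exec chmod 0755 {} \;
  find "$docroot" -type f -exec chmod 0644 {} \;
  # Only wp-content may be group-writable (group = apache, set by chown).
  find "$docroot/html/wp-content" -type d -exec chmod 0775 {} \;
  find "$docroot/html/wp-content" -type f -exec chmod 0664 {} \;
}

# Build a constructed sample WordPress-like tree in a temp dir and
# apply the scheme to it. Prints the docroot path.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/html/wp-content/uploads" "$root/html/wp-admin"
  printf 'x' > "$root/html/wp-config.php"
  printf 'x' > "$root/html/wp-admin/admin.php"
  printf 'x' > "$root/html/wp-content/uploads/a.jpg"
  apply_modes "$root"
  echo "$root"
}

# Audit: count paths outside wp-content that are group- (020) or
# world- (002) writable. Anything > 0 means the web server (group apache)
# could modify core/config files, which the post's scheme is meant to prevent.
count_writable_outside_wpcontent() {
  docroot=$1
  find "$docroot" -path "$docroot/html/wp-content" -prune -o \
       \( -perm -020 -o -perm -002 \) -print | wc -l | tr -d ' '
}

# Stand-alone usage: build the tree, audit it, then show what a sloppy
# "chmod g+w everything" (or leftover apache ownership) looks like.
if [ "${DEMO:-1}" = "1" ]; then
  d=$(make_sample_tree)
  echo "writable outside wp-content after scheme: $(count_writable_outside_wpcontent "$d")"
  chmod 0664 "$d/html/wp-config.php"
  echo "after loosening wp-config.php:            $(count_writable_outside_wpcontent "$d")"
  rm -rf "$d"
fi
```

Run as-is to see the two counts (0, then 1); the same audit line can be run against a real /var/www docroot to catch sites where the temporary apache:apache ownership or looser modes were never reverted after an update.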