[CentOS] Web server files ownership?

Fri Jul 7 11:26:36 UTC 2017
Bill Gee <bgee at campercaver.net>

On Friday, July 7, 2017 5:25:29 AM CDT Nicolas Kovacs wrote:

> Hi,
> I have a series of websites hosted on two CentOS 7 servers, using Apache
> virtual hosts. One of these servers is a "sandbox" machine, to test
> things and to fiddle around.
> Since Apache is running as system user 'apache' and system group
> 'apache', I thought it sensible that hosted files be owned by that process.
> # ls -l /var/www/html/
> total 24
> drwxr-x---. 3 apache apache 4096  6 juil. 09:37 default
> drwxr-x---. 3 apache apache 4096  6 juil. 10:01 phpinfo
> drwxr-x---. 3 apache apache 4096  6 juil. 09:41 slackbox-mail
> drwxr-x---. 3 apache apache 4096  6 juil. 09:37 slackbox-site
> drwxr-x---. 3 apache apache 4096  6 juil. 09:42 unixbox-mail
> drwxr-x---. 3 apache apache 4096  6 juil. 09:38 unixbox-site

Hi Niki -

Pete Biggs has weighed in with one way of setting Apache permissions.  His 
basic contention is right on:  The user under which the Apache process runs 
should not have write permissions.

The method we adopted at my last job goes like this:  All of our CentOS7 
servers are members of Active Directory.  We created an AD group which 
contains the user names of our web developers.  We do not have any Web 
services that require writing data back to the server, so we do not have that 
complication to deal with.  We also have nothing that writes to a database.

On the CentOS server everything is owned by nobody and has a group of 
devs at ad.com.

chown -R nobody:devs at ad.com /var/www/html

File permissions are 574.  Note that owners are NOT required to have higher 
permissions than groups!

find /var/www/html -type f -exec chmod 574 {} \;

Directory permissions are 575.  The eXecute bit must be set so that Apache can 
navigate into the subdirectories.

find /var/www/html -type d -exec chmod 575 {} \;

The group sticky bit is set on directories.  That means any new directories 
created by the developers will have a group of devs at ad.com.

find /var/www/html -type d -exec chmod g+s {} \;

We also set ACLs on the directories so that new files and directories have the 
desired permissions.  I don't remember the exact command for that.  Setfacl is 
pretty finicky!

The end result can be a bit messy since new files in the html directory will 
be owned by the developer who copied them up.  I have not found a way to force 
ownership to nobody.  That doesn't matter, though, since Apache does not use 
owner permissions and web developers get permissions through the group 
settings.  If you are picky about this, it is easy to set a cron job that runs 
chown on a regular basis.

Bill Gee