Sometimes I want to allow users to upload files through Apache. There are two different ways I could set the permissions so that Apache can write the uploaded files to the directory.
I can make the user Apache is running as the owner of the directory so that it looks like this:
drwxr-xr-x 2 www admin 68 Sep 24 2007 uploadedfiles
I can give write permission to "others" where Apache is one of the others:
drwxr-xrwx 35 egbert admin 1190 Mar 9 13:17 uploadedfiles
Is one of these safer than the other?
If the system is being used for other purposes, you should probably avoid giving permissions via 'others'. Allowing permissions here would basically mean that anything else running on that computer, or with access to that computer, would have rights to those files.
Also, you could create an additional group, make apache a group member along with whoever is in admin, change the group ownership to that group, and give permissions to that group. If you use a group, you will probably also need to set the 'setgid' bit on the directory. When the setgid bit is set, any files created will get the same group membership as the parent directory.
The general rule with security is that of least privilege. You want to use permissions that are as minimal as possible. In this case, the first option (writable by apache) means that the directory can only be written to if your system is compromised through the apache user, whereas with option two (writable by everyone), any account can be compromised and write to that directory. In this case, I would go with option one:
drwxr-xr-x 2 www admin 68 Sep 24 2007 uploadedfiles
There are 2 questions to ask here - first, who else (if anyone) needs to access those files? If there are other processes that act on those files, who are they running as, and how will that interact with the chosen solution? If there aren't other processes or users accessing the files, I'd go with making the apache user the owner, as that's all that is needed, and it follows one of the oldest principles in security - only let people who need access to something have it.
Giving read access to others is also a security risk. Wordpress for example, has a file containing the username and password of the database.
The most restrictive access, in this case exclusive access to www/admin with permission 0750, is always the safest. Note that, in the permission mask above, users who are neither www nor members of admin are not allowed to access the contents of the directory at all; this is in order to reduce the possibility that an unauthorized party logged into the system gains access to potentially confidential information uploaded by users.
Do not forget that on most *nix platforms you also have a third, extremely flexible option, that is, setting ACLs using setfacl. ACLs are a superset of what can be achieved with the regular permission bits and ownership methods. ACLs are the option of choice when confronted with complex security setups (including per-user permissions, default ownerships, etc. - but you may need to first add acl to /etc/fstab in the mount options of the volume hosting your directory, see man mount.) You may choose to use ACLs if two or more users need access to the directory in question without being members of, say, the admin group.
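The group-plus-setgid setup from the earlier answer and the 0750 "nothing for others" mask from the last one, as an added example that is not from any of the answers: it creates the upload directory with mode 2750 and audits a symbolic mode string (as printed by ls -l) for the world-writable bit that the 757-style option grants. The chown to the web server user is left out because it needs root; the directory's creator stands in for www and the caller's primary group for admin.

```shell
#!/bin/sh
# Added example, not from the question or answers. Sets up an upload
# directory the least-privilege way (owner rwx, group r-x, setgid so new
# files inherit the group, nothing for others) and audits mode strings.

# mode_allows_other_write MODE
# MODE is a symbolic mode as printed by ls -l, e.g. drwxr-xrwx.
# Returns 0 (true) when "others" have write permission.
mode_allows_other_write() {
    case "$1" in
        ??????????) ;;   # one type char plus nine permission chars
        *) echo "bad mode string: $1" >&2; return 2 ;;
    esac
    other=$(printf '%s' "$1" | cut -c9)   # the 'w' slot of the others triplet
    [ "$other" = "w" ]
}

# classify_mode MODE
# Prints world-writable, group-writable or owner-only for the given mode.
classify_mode() {
    if mode_allows_other_write "$1"; then
        echo world-writable
    elif [ "$(printf '%s' "$1" | cut -c6)" = "w" ]; then
        echo group-writable
    else
        echo owner-only
    fi
}

# setup_upload_dir DIR GROUP
# Creates DIR owned by the caller, group GROUP, mode 2750 (setgid + rwxr-x---).
# In production GROUP would be the shared group that apache and the admins
# belong to, and a root-run chown would hand ownership to the apache user.
setup_upload_dir() {
    mkdir -p "$1" && chgrp "$2" "$1" && chmod 2750 "$1"
}

# dir_mode DIR: the symbolic mode string of DIR exactly as ls -ld prints it
dir_mode() {
    ls -ld "$1" | cut -c1-10
}
```

With the setgid bit set, ls shows an 's' in the group execute slot (drwxr-s---), which is the quick visual check that files uploaded into the directory will inherit its group.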