Hello,
I have set up an Apache / PHP / MySQL server on my Raspberry Pi 3.
My issue is with permissions. I have searched the web and can't seem to find a clear answer. There seem to be many different suggestions.
I want to be able to save files in this directory and any sub folder I create in the future, and use FileZilla to be able to transfer files from my developer machine (I'm connecting via SFTP).
In the future this will be outward facing so I need it to be secure as well. I assume I use a combination of CHOWN and CHMOD?
Thanks in advance
Re: /var/www/html permissions
Hello,
I've never set up an FTP (or SFTP) server, so I'm not sure about FileZilla's access to the folder.
However, if you use sudo chmod -R 777 /var/www/html, the folder AND any new subfolders should be accessible.
For FileZilla, my guess is that you will have to create a user dedicated to FileZilla and then allow that user access to /var/www/html.
Best of Luck,
ChownClown32
Re: /var/www/html permissions
Hi,
It is simple.
In a normal situation, the http daemon runs as some user and group, www-data on Debian (Raspbian).
Standard html files are stored in /var/www/, owned by root:root, with permissive permissions: all can read, but only root can write.
For an ordinary user to write to /var/www, they need to take it over. Suppose the user is pi.
sudo chown -R pi:www-data /var/www
Also, you need to set user and group permissions:
sudo chmod u+rxw,g+rx-w,o-rwx /var/www
Now, /var/www can be read, written and chdir'd into by user pi; group www-data can chdir and read. Others do not have access.
sudo chmod g+s /var/www
Any new file created in /var/www belongs to group www-data.
If you have files in /var/www, change user and group, and allow group www-data to read.
For files: chmod u+rw,g+r-xw,o-rwx
For directories: chmod u+rwx,g+rx-w,o-rxw
Now, user pi can manipulate files in /var/www and httpd can read, but not write.
Re: /var/www/html permissions
Much easier to add user pi to group www-data, then pi can write to /var/www/html/ without mangling the permissions on the files.
Re: /var/www/html permissions
rpdom wrote:
> Much easier to add user pi to group www-data, then pi can write to /var/www/html/ without mangling the permissions on the files.
No. Firstly, that is not easier. The default ownership of /var/www/html is root:root, so adding pi to group www-data achieves nothing unless you also "mangle" the permissions.
Secondly, if you are going to change the permissions so the webmaster does not have to be root, it is much better to avoid giving Apache itself write access to the files it is serving. In the event of any minor exploit down the line, someone will replace your website with a "pwned by" message.
So, the files should not be owned by user www-data, and should be readable but not writeable by group www-data. pksato's solution is ideal, and there is no benefit to adding pi to the group.
(If none of the files are sensitive then they can also be made readable to all, and you do not need to worry as much about getting them in the right group.)
Re: /var/www/html permissions
Thanks for all the replies.
I thought sudo chown -R pi:www-data /var/www adds user pi to the www-data group??
Are there any issues with doing it this way:
sudo chown www-data:www-data /var/www
Now we will allow the “www-data” group permission to write to this directory.
sudo chmod 775 /var/www
Finally we can add the “Pi” user to the “www-data” group.
sudo usermod -a -G www-data pi
Peter
Re: /var/www/html permissions
jonesypeter wrote:
> Are there any issues with doing it this way:
> sudo chown www-data:www-data /var/www
That is really not the best. There appears to be a common misconception that everything to do with the web should be owned by www-data. Actually it is quite the opposite.
The purpose of Apache running as its own user, and group, is to limit the damage that an attacker can do if there is a security flaw with it or your PHP applications. The www-data user has a shell of "nologin", no access to sudo, is not a member of any groups except its own, and does not own any files or even its own home directory /var/www. Basically it cannot write to anything except /tmp. As far as possible, you want to keep it that way.
Your web site files in /var/www/html should be owned by the user who normally edits them, which may as well be "pi". That will make maintaining the site perfectly convenient. Apache needs to be able to read the files, but it should not be able to write to them.
(Now, in some cases you may need to give www-data write access to specific subdirectories. For instance, if your web site includes a form where users can upload files, and the files are too big to simply store in the mysql database, you may need to write them to disk. Or if part of your site is self modifying, like a wiki, www-data will need to be able to write to that. Any writeable parts should be kept as separate as possible, and preferably not publicly visible.)
jonesypeter wrote:
> I thought sudo chown -R pi:www-data /var/www adds user pi to the www-data group??
"chown user:group …" sets the user and group ownership of files. Then you can set separate permissions for the user, group members, and others using chmod.
I do not understand how the idea of adding pi or other users to the www-data group became so pervasive. It is certainly never necessary, and I am not sure it is ever more convenient. Even in complex cases, such as wanting multiple people to be able to edit the same site, it would be better to create a dedicated group for the purpose, rather than overloading www-data.
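A way to check a web root against the scheme pksato and jojopi describe above (the editing user owns the files, Apache can read them, nothing is group- or world-writable). This is an added example, not code from any poster in the thread; the function names, the www-data default and the constructed sample tree are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit a web root for paths that
# Apache, or any other account, could modify.

# audit_webroot DIR [WEB_USER]
# WEB_USER defaults to www-data, Apache's user on Debian/Raspbian.
# Prints "<finding> <path>" per problem; returns 1 if anything was found.
audit_webroot() {
    dir=$1
    web_user=${2:-www-data}
    findings=$(
        # Symlinks are skipped: their own mode is always 777 on Linux.
        # Group write lets Apache modify the path when the group is www-data.
        find "$dir" ! -type l -perm -020 | sed 's/^/group-writable /'
        # World write (the result of chmod -R 777) lets every account modify it.
        find "$dir" ! -type l -perm -002 | sed 's/^/world-writable /'
        # An owner can always chmod its own files, so Apache should own nothing.
        if id "$web_user" >/dev/null 2>&1; then
            find "$dir" -user "$web_user" | sed 's/^/owned-by-web-user /'
        fi
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree: the top level set up as pksato describes,
# images/ left the way "chmod -R 777" would leave it.
make_demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/images"
    : > "$t/index.html"
    : > "$t/images/localsnap.jpg"
    chmod 750 "$t"
    chmod 640 "$t/index.html"
    chmod 777 "$t/images" "$t/images/localsnap.jpg"
    printf '%s\n' "$t"
}

demo=$(make_demo_tree) && {
    audit_webroot "$demo" || true
    rm -rf "$demo"
}
```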
Re: /var/www/html permissions
I am also having a problem with permissions to /var/www/html
I have a simple task, that makes a snapshot from local camera and moves it to /var/www/html/images:
Code: Select all
#!/bin/bash
/usr/bin/raspistill -w 800 -h 600 -ae 32,0xff,0x808000 -a 8 -a "Localcam %Y-%m-%d %X" -o /var/www/html/images/localsnap.jpg
Then I am starting this task from bash:
Code: Select all
/usr/bin/raspistill -w 800 -h 600 -ae 32,0xff,0x808000 -a 8 -a "Localcam %Y-%m-%d %X" -o /var/www/html/images/localsnap.jpg
everything is fine, but then I am trying to start this script via crontab -e using this:
Code: Select all
*/5 * * * * /home/pi/smartdacha/localsnap.bash
I am receiving a dead.letter:
Code: Select all
mmal: main: Error opening output file: /var/www/html/images/localsnap.jpg~
No output file will be generated
Why?
PS users PI and ROOT added to a group www-data
Re: /var/www/html permissions
So, the right answer is:
Code: Select all
*/5 * * * * sudo /home/pi/smartdacha/localsnap.bash
Re: /var/www/html permissions
rpiuser2016 wrote: ↑Mon Nov 20, 2017 10:30 am
> So, the right answer is:
> Code: Select all
> */5 * * * * sudo /home/pi/smartdacha/localsnap.bash
no
the right answer is
sudo crontab -e
and use root's crontab if it really has to be run as root
or
make the file /var/www/html/images/localsnap.jpg owned by pi
you don't really want to use sudo in a crontab IMO
How To ask Questions :- http://www.catb.org/esr/faqs/smart-questions.html
WARNING - some parts of this post may be erroneous YMMV
1QC43qbL5FySu2Pi51vGqKqxy3UiJgukSX
Covfefe
Re: /var/www/html permissions
Code: Select all
*/5 * * * * root /home/pi/smartdacha/localsnap.bash
Re: /var/www/html permissions
no
sudo crontab -e
*/5 * * * * /home/pi/smartdacha/localsnap.bash
it will run as root as
sudo crontab -e edits root's crontab
- DougieLawson
Re: /var/www/html permissions
rpiuser2016 wrote: ↑Mon Nov 20, 2017 11:43 am
> Like this?
> Code: Select all
> */5 * * * * root /home/pi/smartdacha/localsnap.bash
That works if you create it in /etc/cron.d
Languages using left-hand whitespace for syntax are ridiculous
DMs sent on https://twitter.com/DougieLawson or LinkedIn will be answered next month.
Fake doctors - are all on my foes list.
The use of crystal balls and mind reading is prohibited.
Re: /var/www/html permissions
jojopi wrote: ↑Tue Jul 26, 2016 5:28 pm
> Your web site files in /var/www/html should be owned by the user who normally edits them, which may as well be "pi". That will make maintaining the site perfectly convenient. Apache needs to be able to read the files, but it should not be able to write to them.
How do I go about adding "pi" to the html folder while allowing Apache to keep access to read the files?
Re: /var/www/html permissions
Great thread, thanks.
I've installed PHP7 on my Pi. How can I give it permissions to write and copy files in the /var/www directory?
Re: /var/www/html permissions
ChownClown32 wrote: ↑Fri Jul 22, 2016 5:27 pm
> Hello,
> I've never set up an FTP (or SFTP) server, so I'm not sure about FileZilla's access to the folder.
> However, if you use sudo chmod -R 777 /var/www/html, the folder AND any new subfolders should be accessible.
> For FileZilla, my guess is that you will have to create a user dedicated to FileZilla and then allow that user access to /var/www/html.
> Best of Luck,
> ChownClown32
This worked, Thanks a ton!