Background
I’ve recently setup a php based site on a host I have root access to. I’ve installed a lamp setup based on the guides at linode.com, and I’m now wondering what’s to be done about php file permissions, directory permissions, and which users should run which processes in which groups.
In particular I’d like an answer to the question “How should a standard php web site be configured with respect to ACLs, ownership and produciton ids?”
Currently any directory listing returns the following:
-rw-r--r-- 1 root root 70 Nov 8 17:17 index.php
i.e. root owner, root group, mode 644 / uw & ar. ([edit] Which is not how it should be since files should not be created using root – part of the reason for this question)
Running ps -auxww I see the Apache web server runs as a user called www-data, so I can presume that php will run as that same user (presumably it’s a child process which will inherit the same user).
Would it be wrong for me to set chmod 640 on all files, and set myself (user bob) as the owner, create a group called productionIDs containing the www-data user, set group on the file to be productionIDs?
Seems to me this would be more secure in terms of least privilege; who else is there other than myself and the web server? Only I need to write the files, and the web server only needs to read. Nobody else needs to do anything.
My setup doesn’t handle the case where there are multiple developers, but I’m not sure what this case should look like.
So are there any risks with 640 owner me, group web server group? If so, is the corresponding directory 750 safe too?
If not, why don’t more people use this configuration?
[update] Under try it and see theory, it works. So the question now includes a “what does this configuration not allow/what are the disadvantages of this configuration” aspect.
First, your files should definitely not be owned by root:root. Start with a username and generic group for all ownership.
While it is initially true that the web server user will only need read/execute access to your files there are certainly cases where that user might need write access to a specific folder for uploads or application logs, etc.
So our typical setup for a PHP application is 644 on the files (640 is fine, too) and 755 for the folders (750 will also work). Note we leave the files readable by everyone for a couple of reasons. First, it allows other users to audit code on a server without having the ability to modify it. Second, we only have developer users on the production hosting server so anyone with an account already has the trust level to see all the code. That situation might vary in another setting.
Regarding your question of using the web server group as the group owner, we usually do not do that. While you could certainly use that group, we like to leave all the system-installed groups alone and create a specific group for the application files. Then we just add the web server user to the new group.