0

I'm new to Linux servers.

I have 2 questions that I'm confused about.

1. user:group: I have now chowned my /var/www/html like this.

My nginx.conf is set to server{ user www-data }

and in the terminal I set

```
chown -R root:www-data /var/www/html
find /var/www/html -type d -exec chmod 775 {} +
find /var/www/html -type f -exec chmod 664 {} +
find /var/www/html/uploads/images -type d -exec chmod 775 {} +
```

Am I doing the right thing, or does it need to be set to www-data:www-data?

2. About crontab: there are a lot of tutorials, but they are not clear about which user runs the crontab. The question is:

If I log in as the adam user and my server's files are owned by root:www-data or www-data:www-data, how can I give the crontab to that user instead of the adam user? It needs permission to write files such as backups.

2 Answers

0

1) In general, files in /var/www should be owned by root:www-data and chmod 644, while /var/www itself and all subdirectories should be chmod 755.

They should not be writable by the www-data user unless absolutely necessary (and that goes triple for executable files) because files which are writable by www-data can be modified by an attacker who manages to compromise the web server itself or a script run by the web server (unless you're using suexec, in which case they'll have the permissions of the script's owner rather than the web server, which generally isn't much better and may be much worse). If nothing is writable by www-data, then the damage that can be done by an attacker who gains www-data's access is substantially reduced.

2) cron jobs are run by the user whose crontab invokes the job. If it's in root's crontab, it runs as root. If it's in adam's crontab, it runs as adam, etc.

The exception to this is the system-wide crontabs under /etc (/etc/crontab, /etc/cron.d/*, and so on). The job specification format for these crontabs includes an additional field specifying the user who the job should be run as.

6
  • Thank you for your answer. So if I understand this, I can run crontab as the user that I log in to ssh with, like adam? In the terminal as the adam user I can run crontab -e to edit my cron job to back up files and run it as the adam user? So my /var/backup/db needs to be chowned to adam:adam and chmodded to 644 for write permission. Is that right? (No need to worry about www-data with crontab.) Commented Aug 22, 2014 at 10:04
  • Another way is that I can edit /etc/cron.d/mycron. But what is the general way? =-= Commented Aug 22, 2014 at 10:10
  • That's correct. If you ssh in as adam, then crontab -e will let you set up commands to be run automatically using adam's permissions. Commented Aug 22, 2014 at 10:24
  • I think I should chmod 755 (drwxr-xr-x) all my folders in www, and chmod 644 (-rw-r--r--) all my files in www. Does that make it secure? Commented Aug 22, 2014 at 11:36
  • Oh, yes, directories need execute (x) permissions so that the webserver can access files in them. I'll edit my answer to make that more clear. But you figured out the correct settings anyhow. Commented Aug 23, 2014 at 8:25
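
The check and fix described in the answer above, as an added example that is not part of the original answer or comments: it lists everything under a web root that group or others can write to, then applies the 755/644 modes. The function names and the optional "keep writable" directory (for something like an uploads folder) are assumptions for illustration; `chown -R root:www-data` still has to be run separately as root.

```shell
#!/bin/sh
# Added example: audit and tighten a web root along the lines of the answer.
# Function names and the optional writable directory are hypothetical.

# List every file or directory under $1 that group or others can write to.
# With root:www-data ownership, group-write means the web server can modify it.
audit_writable() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print
}

# Number of findings from audit_writable, as a bare integer.
count_writable() {
    audit_writable "$1" | wc -l | tr -d ' '
}

# Apply the modes from the answer: directories 755, files 644.
# Optional $2 is one directory tree left group-writable on purpose
# (for example an uploads folder the application must write to).
tighten_modes() {
    root=$1
    keep=${2:-}
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -n "$keep" ] && [ -d "$keep" ]; then
        find "$keep" -type d -exec chmod 775 {} +
    fi
}

# When called with a path, print what is still writable under it.
if [ "$#" -gt 0 ]; then
    audit_writable "$1"
fi
```

Anything `audit_writable` still prints after tightening is a place where a compromised web server process could change content, so the list should contain only directories that were deliberately left writable.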
0

(1) chmod and chown are different commands. The first sets permissions and the second ownership. You may wish to also run

`find /var/www/html -exec chown www-data:www-data {} +` 

in addition to the commands you are already running, but that is a choice for you to make.

(2) You can edit /etc/cron.allow and add www-data to allow the www-data user to run cron jobs. A man cron or man crontab should give you further info about this if you need it.

1
  • Thank you for your answer. But I think @Dave Sherohman's suggestion is a good thing for security. Commented Aug 22, 2014 at 10:05
