What are best practices for permissions on Apache-writable directories?

Question

Sometimes I want to allow users to upload files through Apache. There are two different ways I could set the permissions so that Apache can write the uploaded files to the directory.

1. I can make the user Apache is running as the owner of the directory so that it looks like this:

   drwxr-xr-x 2 www admin 68 Sep 24 2007 uploadedfiles

2. I can give write permission to "others" where Apache is one of the others:

   drwxr-xrwx 35 egbert admin 1190 Mar 9 13:17 uploadedfiles

Is one of these safer than the other?

Answer 1

There are 2 questions to ask here - first, who else (if anyone) needs to access those files? If there are other processes that act on those files, who are they running as, and how will that interact with the chosen solution? If there aren't other processes or users accessing the files, I'd go with making the apache user the owner, as that's all that is needed, and it follows one of the oldest principles in security - only let people who need access to something have it.

Answer 2

If the system is being used for other purposes you should probably avoid giving permissions via the 'others'. Allowing permissions here would basically mean anything else running on that computer, or with access to that computer would have rights to those files.

Also, you could create an additional group, and make apache a group member, and whoever is in admin, and change the group ownership to that group, and give permissions to that group. If you use a group, you will probably also need set the 'setgid' bit on the directory. When the setgid bit is set any files created will get the same group membership of the parent directory.

Answer 3

The general rule with security is that of least privilidge. You want to use as minimal permissions as possible. In this case, the first option (writable by apache) means that the directory can only be written to if your system is compromised through the apache user, whereas with option two (writable by everyone), any account can be compromised and write to that directory. In this case, I would go with option one:

drwxr-xr-x 2 www admin 68 Sep 24 2007 uploadedfiles

Answer 4

The most restrictive access, in this case exclusive access to www/admin with permission 0750, is always the safest. Note that, in the permission mask above, users who are neither www nor members of admin are not allowed to access the contents of the directory at all; this is in order to reduce the possibility that an unauthorized party logged into the system gain access to potentially confidential information uploaded by users.

Do not forget that on most *nix platforms you also have a third, extremely flexible option, that is, setting ACLs using setfacl. ACLs are a superset of what can be achieved with the regular permission bits and ownership methods. ACLs are the option of choice when confronted with complex security setups (including per-user permissions, default ownerships, etc. - but you may need to first add acl to /etc/fstab in the mount options of the volume hosting your directory, see man mount.) You may choose to use ACLs if two or more users need access to the directory in question without being members of, say, the admin group.