Directory and File Ownership and Permissions - Best Practice for Security


Hello,

 

I'm trying to ensure that a new site about to go live has directory and file ownership and permissions set most appropriately to ensure the site works and is as secure as possible.  Referring to the Prestashop directory structure typically under /var/www/html.

 

The site is running on a dedicated server running Ubuntu / Apache; being a dedicated server, there are no constraints around what we can do.

 

There is much general advice on the forum and elsewhere that all directories should be 755 and all files 644.  However there is little comment as to who should be the owner (and group) of the directories and files.  Should all directories and files be owned by www-data:www-data?  This would seem to make all directories and files writeable by apache - probably won't have too many problems with things not working, but doesn't seem the most secure choice.

 

Alternatively, is it assumed when advising 755 / 644 that all directories and files are owned by some other user - root or someone else?  This would then seem very secure - apache cannot write to anything.  But I imagine a lot of things won't work - e.g. cannot upload new product images in the Prestashop admin page because apache cannot write to img/p???

 

Other directories such as cache and modules must need to be writeable by apache too?

 

Is there any documentation on best practice in this regard - to achieve the right balance between security and function?

 

Thanks.

Thanks for that link but I had already seen that.  It is concerned mostly with (temporarily) granting sufficient permissions to achieve a successful initial install.  I'm really looking for a discussion on hardening a server for production use, whilst still ensuring sufficient access to allow PS and modules to work.

 

The advice at the end to revert to 664 or 666 still seems pretty loose and it doesn't clarify who the owner and group should be in the first place.  Setting owner/group/world permissions without understanding who the owner is... it's really just half the story?

 

Cheers

Temporarily granting rights may not work for you if:

- you will want to add a new module in the future

- you will want to add/edit a template in the future

- add new products or images in the future.

 

There may be other problems:

If you upload images via web, later you cannot delete them via FTP if the user responsible for the web part is not in the same group as your FTP login.

 

So it is a complicated issue, but if you set your settings right you can make everything work with 644.

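The ownership split the question and the last reply circle around, as an added example that is not from any of the posts: a non-Apache deploy account owns the tree, www-data is the group, and only the directories the thread names (img, cache, modules) get group write, with setgid so files Apache creates stay in the web group and remain deletable by the deploy/FTP account. The account name `deploy`, the directory list and the GNU `find`/`chown`/`stat` behaviour are assumptions; run it as root on the server with `sh harden.sh apply`.

```shell
# Added example, not from the thread: a non-Apache deploy account owns the code,
# the web group can read it, and only directories PrestaShop must write to get
# group write, with setgid so files Apache creates keep the web group and the
# deploy/FTP account (a member of that group) can still delete them later.
set -eu
PS_ROOT="${PS_ROOT:-/var/www/html}"
DEPLOY_USER="${DEPLOY_USER:-deploy}"   # assumed account name; must be in WEB_GROUP
WEB_GROUP="${WEB_GROUP:-www-data}"
# Directories the thread names as needing Apache write access; a starting point,
# not a full list. Group write on modules lets the web server write PHP it executes.
WRITABLE_DIRS="img cache modules"

# 755/644 everywhere, then 2775/664 under the writable directories only.
harden_tree() {
    root="$1"; user="$2"; group="$3"
    chown -R "$user:$group" "$root"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    for d in $WRITABLE_DIRS; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type d -exec chmod 2775 {} +
        find "$root/$d" -type f -exec chmod 664 {} +
    done
}

# Print every path that is world-writable, or group-writable outside WRITABLE_DIRS.
list_violations() {
    root="$1"
    find "$root" -perm -0002                 # world write is never acceptable
    find "$root" -perm -0020 | while IFS= read -r f; do
        rel="${f#"$root"/}"; ok=0
        for d in $WRITABLE_DIRS; do
            case "$rel" in "$d"|"$d"/*) ok=1 ;; esac
        done
        [ "$ok" -eq 1 ] || printf '%s\n' "$f"
    done
}

# Return 0 when the tree matches the scheme, 1 (listing offenders) otherwise.
audit_tree() {
    out=$(list_violations "$1")
    [ -z "$out" ] && return 0
    printf 'Unexpected write access:\n%s\n' "$out"
    return 1
}

if [ "${1:-}" = "apply" ]; then
    harden_tree "$PS_ROOT" "$DEPLOY_USER" "$WEB_GROUP"
    audit_tree "$PS_ROOT"
fi
```

Re-run `audit_tree` after deployments or module installs: anything that has become world-writable, or group-writable outside the allowed directories, is listed and the function exits non-zero.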
