Groups and Membership

How to safely develop websites and manage linux group membership with Ubuntu 14.04

Posted on September 29, 2015 in Web Development

Off to a good start.

First, let's start off on the right foot. If you're using root: stop that.

Let's make a new user for you to log in with. That starts with giving the root user a password.

    sudo passwd

Set up a new root password. This will be used when we need super permission (install/update packages, change system files, etc.).

    [sudo] password for username: SUPER_PASSWORD_HERE
    Enter new UNIX password: SUPER_PASSWORD_HERE
    Retype new UNIX password: SUPER_PASSWORD_HERE
    passwd: password updated successfully

Great! Let's create our first user.

    sudo adduser YOUR_USERNAME

If you make a mistake, ctrl+c will stop the creation, or you can remove the user again with

    sudo deluser YOUR_USERNAME

Passing the -l or -u flag to passwd will lock or unlock a user account.

    sudo passwd -l YOUR_USERNAME
    sudo passwd -u YOUR_USERNAME

Make sure you log into your new account before proceeding!

Time for Apache and www-data

First we want to create a new group that both our user and the www-data user (the account Apache runs as) can belong to. Then we add both users to this new group.

    sudo groupadd www-users 
    sudo usermod -a -G www-users YOUR_USERNAME
    sudo usermod -a -G www-users www-data

You can confirm a user's group membership with sudo groups USERNAME_HERE. You should now see that both users are part of www-users.

Clean up ownership and permissions!

By default, the /var/www folder belongs to www-data. Let's change that: since www-data and our user now belong to the same group, Apache won't care. This way we don't run the risk of a remote attack on Apache giving the attacker access to our system user.

That is what would happen if you simply joined the www-data group.

    sudo chown -R root:www-users /var/www
    sudo chmod 2775 /var/www

This gives root and our user (through the www-users group) read/write/execute on everything in /var/www, and the rest of the world read/execute.

We really only want to give execute permission to folders and not files. So let’s fix that:

    sudo find /var/www -type d -exec chmod 2775 {} +
    sudo find /var/www -type f -exec chmod 0664 {} +

The leading 2 (the setgid bit) tells the system to propagate the www-users group to all newly created folders and to not touch the group membership of files.
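The group check and the ownership/permission clean-up above are easy to get subtly wrong (a stray world-writable directory, an executable file, a folder without the setgid bit), so here is an added example, not part of the original post, that packages those steps as shell functions and verifies the result. It assumes a GNU/Linux userland (id, find, stat, mktemp), runs against a scratch tree you own so no sudo is needed, and the function names are this example's own rather than commands from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers that mirror the post's
# procedure: confirm group membership, normalise a web root to setgid 2775
# directories and 0664 files, and audit the tree for deviations.
# Assumes GNU/Linux tools (id -nG, find, stat -c, mktemp -d).

set -eu

# Return 0 if USER is a member of GROUP (primary or supplementary).
# This is what "groups USER" in the post shows you by eye.
user_in_group() {
    user="$1"; group="$2"
    for g in $(id -nG "$user"); do
        [ "$g" = "$group" ] && return 0
    done
    return 1
}

# Apply the post's layout to every directory and file under ROOT.
fix_webroot_perms() {
    root="$1"
    find "$root" -type d -exec chmod 2775 {} +
    find "$root" -type f -exec chmod 0664 {} +
}

# Print the number of entries under ROOT that violate the layout:
# directories missing the setgid bit, anything world-writable, and files
# carrying an execute bit (content under the web root should not run).
count_perm_violations() {
    root="$1"
    no_setgid=$(find "$root" -type d ! -perm -2000 | wc -l)
    world_w=$(find "$root" -perm -0002 | wc -l)
    exec_files=$(find "$root" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) | wc -l)
    echo $((no_setgid + world_w + exec_files))
}

# Build a constructed scratch tree with two deliberate mistakes so the
# fix has something to correct. Prints the tree's path.
make_scratch_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/site/css"
    printf '<html></html>\n' > "$root/site/index.html"
    chmod 0755 "$root/site/index.html"   # wrong: executable file
    chmod 0777 "$root/site/css"          # wrong: world-writable directory
    echo "$root"
}

# Return 0 if a directory created under ROOT/site inherits the setgid bit
# and the parent's group, which is what the leading 2 in 2775 buys you.
check_setgid_inherits() {
    root="$1"
    mkdir "$root/site/new"
    [ -g "$root/site/new" ] &&
        [ "$(stat -c %G "$root/site/new")" = "$(stat -c %G "$root/site")" ]
}

# Stand-alone run: build the tree, audit, fix, audit again, clean up.
main() {
    tree=$(make_scratch_tree)
    echo "violations before fix: $(count_perm_violations "$tree")"
    fix_webroot_perms "$tree"
    echo "violations after fix:  $(count_perm_violations "$tree")"
    if check_setgid_inherits "$tree"; then
        echo "new subdirectory inherited setgid and group: yes"
    fi
    rm -rf "$tree"
}

main
```

To audit a real web root after following the post, run count_perm_violations against /var/www with sudo and expect 0; a non-zero result points at files that picked up an execute bit or directories that lost the setgid bit, both of which are worth a second look before trusting the tree again.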

Finishing up

Now reboot your machine and enjoy a hassle-free group security setup. Since the www-data group only exists in /var/www, an attacker who exploits the Apache user is now limited to that directory.
