On Fri, Mar 7, 2025 at 4:07 PM Van Snyder <van.sny...@sbcglobal.net> wrote:
>
> I have two computers, both running Debian 12.5 with kernel 6.1.0-31-amd64
>
> Both are running Apache/2.4.62 (Debian), Server built: 2024-10-04T15:21:08
>
> Both machines show one "/usr/sbin/apache2 -k start" process owned by root and 
> three owned by www-data.
>
> Both have web pages in /opt/www, not /var/www, so they don't disappear when I 
> re-install.
>
> Their /etc/apache2/apache2.conf files are identical. The only changes from 
> the default one are
>
> # <Directory /var/www/>
> # Options Indexes FollowSymLinks
> # AllowOverride None
> # Require all granted
> # </Directory>
>
> <Directory /opt/www/>
> Options Indexes FollowSymLinks
> AllowOverride None
> Require all granted
> </Directory>
>
>
> My uname "vsnyder" is in the same places in /etc/group* on both machines, in 
> particular on the "adm" line (and lpadmin as well).
>
> My uid and default gid are the same on both machines.
>
> In /opt/www on both machines, all of the files and directories are owned by 
> vsnyder:adm
>
> In /opt/www on both machines, the directories' modes are all 755, and the 
> files' modes are all 644.
>
> Web pages display on one, but not the other. /var/log/apache2/access.log and 
> /var/log/apache2/error.log show 403 errors on GET lines.
>
> Online pages about this say "check the permissions" and "make sure the files 
> are owned by a uid with root access."
>
> Any ideas?

It is not clear to me why you want vsnyder:adm, and why you want the
world to have access to anything.

Here's how I set up permissions on Apache. It is part of my hardened system.

    # Root owns everything. Apache only gets read access. Others get no access
    $ sudo chown -R root:www-data /var/www
    # The group needs x (search) on the directory, or Apache cannot traverse it
    $ sudo chmod g=rx /var/www
    $ sudo chmod o= /var/www

On our web server, there are two folders that require Apache to have
write access. They are due to Python and Mediawiki. First is the
session directory, and second is the temp/upload directory. For those
two directories:

    # Apache gets read/write access for Mediawiki

    $ sudo mkdir -p /var/lib/php/tmp /var/lib/php/session
    $ sudo chown -R www-data:www-data /var/lib/php
    $ sudo chmod -R g=rw /var/lib/php/tmp
    $ sudo chmod -R g=rw /var/lib/php/session
    $ sudo chmod -R o= /var/lib/php

If you are interested in the full recipes, see
<https://github.com/weidai11/website/blob/master/install/apache-php.txt>.

Jeff
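
A 403 with file modes that look correct usually means some directory on the path, a parent such as /opt included, lacks search (x) permission for the Apache worker account. The script below is an added example, not part of the original posts: it walks every path component and reports the first one that blocks a given uid and group set. The names `first_block` and `_class_bits` are hypothetical, and only classic mode bits are evaluated.

```python
#!/usr/bin/env python3
# Added example: mode-bit check only; ACLs, AppArmor and SELinux are not modelled.
import os
import stat
import sys


def _class_bits(st, uid, gids):
    """rwx triplet (0-7) the kernel applies: owner, else group, else other."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def first_block(path, uid, gids, start="/"):
    """Return (component, reason) for the first component from `start` down to
    `path` that uid/gids cannot pass, or None if the path is reachable."""
    if uid == 0:  # root bypasses discretionary permission checks
        return None
    start = os.path.abspath(start)
    rel = os.path.relpath(os.path.abspath(path), start)
    chain = [start]
    for part in ([] if rel == "." else rel.split(os.sep)):
        chain.append(os.path.join(chain[-1], part))
    for comp in chain:
        st = os.stat(comp)
        bits = _class_bits(st, uid, gids)
        if stat.S_ISDIR(st.st_mode):
            if not bits & 1:  # x on a directory = permission to traverse it
                return (comp, "no search (x) permission")
            # Listing the target directory (Options Indexes) also needs r
            if comp == chain[-1] and not bits & 4:
                return (comp, "no read (r) permission")
        elif not bits & 4:
            return (comp, "no read (r) permission")
    return None


if __name__ == "__main__":
    import pwd
    target = sys.argv[1] if len(sys.argv) > 1 else "/opt/www"
    pw = pwd.getpwnam("www-data")  # Debian's Apache worker account
    gids = set(os.getgrouplist(pw.pw_name, pw.pw_gid))
    print(first_block(target, pw.pw_uid, gids) or "reachable: " + target)
```

Run it on both machines with the same target path and compare the output; a difference in a parent directory's mode shows up as the reported component.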
