Linode Forum
Linode Community Forums
PostPosted: Sat Aug 27, 2011 6:43 am 
Senior Newbie

Joined: Sat Aug 27, 2011 6:35 am
Posts: 5
Website: http://fasckira.com
Location: Milton Keynes
So after a vanilla LAMP install on 11.04, I've got my web directory in:

Code:
/srv/www/domain.com/public_html


My question is: what should the group and user be set to on public_html? By default it was root and root post installation, but recently I set it to my standard user account out of laziness to create and edit files in there. Is this safe to do?

It still serves the pages ok but I wasn't sure if www-data was supposed to be in charge or what? Any advice or tips much appreciated!


PostPosted: Sat Aug 27, 2011 7:07 am 
Senior Member

Joined: Sun Mar 07, 2010 7:47 pm
Posts: 1970
Website: http://www.rwky.net
Location: Earth
Ownership doesn't really matter except under the following circumstances:

1) You're using suexec, which requires that the owner and executor are the same
2) Your web server needs to write files; it tends to be wise to set the owner to www-data if you want to update WordPress, for example
3) You're running a multi-user environment; then the group sgid bit comes in handy

I tend to keep ownership to the user I sftp in as. But I don't run WordPress or suexec, and I work in a single-user environment.

_________________
Paid support
How to ask for help
1. Give details of your problem
2. Post any errors
3. Post relevant logs.
4. Don't hide details i.e. your domain, it just makes things harder
5. Be polite or you'll be eaten by a grue


Last edited by obs on Sat Aug 27, 2011 9:07 am, edited 1 time in total.

PostPosted: Sat Aug 27, 2011 8:45 am 
Senior Newbie

Joined: Sat Aug 27, 2011 6:35 am
Posts: 5
Website: http://fasckira.com
Location: Milton Keynes
Thank you for the answer!

So would it be practical to set www-data as group and owner and then add my standard user to the www-data group, or is that frowned upon then?


PostPosted: Sat Aug 27, 2011 9:07 am 
Senior Member

Joined: Sun Mar 07, 2010 7:47 pm
Posts: 1970
Website: http://www.rwky.net
Location: Earth
If you want your web server to write to the site and you want your user to write to it, I'd create a group, say called "sitewritable", and add the web server and my user to that group, then
Code:
chgrp -R sitewritable /path/to/files; chmod -R g+w /path/to/files; find /path/to/files -type d -exec chmod g+s {} \;
which sets the group, gives the group write permissions and sets the gid on execution of folders so new files should have group write perms

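An added example (not part of the original post) showing what the setgid bit on a directory contributes to the shared-group setup above: new files and subdirectories take the directory's group and subdirectories inherit the bit, but whether they end up group-writable depends on the umask of the process that creates them. It assumes GNU/Linux (`stat -c`) and works in a throwaway temp directory; the file names are constructed.

```shell
#!/bin/sh
# Added example: what "chmod g+s" on a directory does and does not do.
# Runs in a temp directory, so no root and no real web root are needed.

# Print the octal mode of a path (GNU stat).
mode_of() { stat -c '%a' "$1"; }

# Create a file and a subdirectory inside a setgid, group-writable
# directory under the given umask; print "<file mode> <subdir mode>".
setgid_demo() {
    demo_umask=$1
    demo_dir=$(mktemp -d) || return 1
    chmod 2775 "$demo_dir"              # rwxrwsr-x
    (
        umask "$demo_umask"             # umask of the creating process
        : > "$demo_dir/new.php"         # constructed sample file
        mkdir "$demo_dir/uploads"       # constructed sample directory
    )
    printf '%s %s\n' "$(mode_of "$demo_dir/new.php")" \
                     "$(mode_of "$demo_dir/uploads")"
    rm -rf "$demo_dir"
}

# umask 022 (a common default): setgid propagates to the subdirectory,
# but neither new entry is group-writable.
setgid_demo 022
# umask 002: new entries are group-writable as well.
setgid_demo 002
```

If both the shell user and the web server are meant to edit each other's new files, both processes need a umask that leaves the group write bit set.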


Top
   
 Post subject:
PostPosted: Sat Aug 27, 2011 5:46 pm 
Senior Member

Joined: Sat Jun 12, 2010 4:53 pm
Posts: 77
Quote:
I'd create a group say called "sitewritable" and add the web server and my user to that group then


Why do this when there is already something in place?

In Ubuntu/Debian it is:

group: www-data
user: www-data

Just do this:
Code:
sudo chown -R www-data /var/www/


PostPosted: Sat Aug 27, 2011 7:45 pm 
Senior Member

Joined: Sun Aug 31, 2008 4:29 pm
Posts: 177
reaktor wrote:
Just do this:
Code:
sudo chown -R www-data /var/www/


Don't do that.

If an exploit is discovered in a script you run then it could possibly be used to delete/overwrite every file and directory on the site.

www-data ownership should be assigned only under specific and controlled circumstances.

For most files and directories, assign ownership to the shell user who maintains them.

_________________
sleddog
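An added example (not from the thread) that turns the warning above into a check: it lists every path under a web root that the web server account could modify, which is the set a compromised script could overwrite. The function name, the sample tree and the numeric id 54321 are constructed for the demo; the check looks only at owner, group and mode bits and ignores ACLs and supplementary groups.

```shell
#!/bin/sh
# Added example: report paths the web server account can write to.

# usage: web_writable ROOT WEB_USER WEB_GROUP   (names or numeric ids)
web_writable() {
    # Flag a path when it is owner-writable and owned by the web user,
    # group-writable and in the web group, or world-writable.
    # Symlinks are skipped: their own mode bits are not meaningful.
    find "$1" ! -type l \( \
            \( -user "$2"  -perm -200 \) -o \
            \( -group "$3" -perm -020 \) -o \
            -perm -002 \)
}

# Build a small constructed site tree and report on it for the given
# web user/group, with paths shown relative to the tree root.
demo_tree_report() {
    d=$(mktemp -d) || return 1
    mkdir "$d/uploads"
    : > "$d/index.php"
    : > "$d/config.php"
    chmod 755 "$d"
    chmod 644 "$d/index.php"
    chmod 666 "$d/config.php"     # world-writable by mistake
    chmod 777 "$d/uploads"        # world-writable upload directory
    web_writable "$d" "$1" "$2" | sed "s|^$d|.|" | sort
    rm -rf "$d"
}

# Web server runs as an unrelated account (constructed id 54321):
# only the world-writable entries are exposed.
demo_tree_report 54321 54321

# Web server account owns the whole tree (the "chown -R" case):
# every path is exposed.
demo_tree_report "$(id -u)" "$(id -g)"
```

On a Debian/Ubuntu host as described in the thread, the real call would be `web_writable /srv/www/domain.com/public_html www-data www-data`; ideally it prints only the upload or cache directories that were deliberately made writable.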


PostPosted: Mon Sep 19, 2011 7:02 am 
Senior Member

Joined: Fri May 20, 2011 2:45 am
Posts: 63
Location: Spain
Still not clear for me :(

Who should own the public_html/ ??? I have it with root...


PostPosted: Mon Sep 19, 2011 7:37 am 
Senior Member

Joined: Sat Oct 16, 2004 11:13 am
Posts: 176
It depends on your setup.

I run everything through mod_suexec. This way all PHP, CGI, etc. processes are run as the user that owns the virtual host. I also give public_html ownership to that particular user. All this eliminates the need to give o+w permission when a web site needs to write to a file, and adds a mediocre level of security by making sure no website actually runs as the Apache user.


PostPosted: Mon Sep 19, 2011 8:52 am 
Senior Member

Joined: Sun Aug 31, 2008 4:29 pm
Posts: 177
fernandoch wrote:
Still not clear for me :(

Who should own the public_html/ ??? I have it with root...


If you administer the content in public_html, and you log in to the system as 'fernandoch', then the public_html directory and its content should be owned by user 'fernandoch'.

If a directory needs to be writeable by the webserver (e.g. for web-based uploads) then you have a choice of either: (a) changing permissions or ownership on the uploads directory to make it writeable; or (b) using suexec as saman007uk says, so that the upload script runs as user 'fernandoch' and has permission to write to the uploads directory, which is owned by user 'fernandoch'.

_________________
sleddog


PostPosted: Mon Sep 19, 2011 8:59 am 
Senior Member

Joined: Fri May 20, 2011 2:45 am
Posts: 63
Location: Spain
So it should not be the same user as apache's user?

And for sure not root?


PostPosted: Mon Sep 19, 2011 9:05 am 
Senior Member

Joined: Sat Oct 16, 2004 11:13 am
Posts: 176
fernandoch wrote:
And for sure not root?

Yes.
fernandoch wrote:
So it should not be the same user as apache's user?
Depending on your setup. Basically the permissions need to be set up such that the Apache user can read any static data that you want available online.


PostPosted: Mon Sep 19, 2011 11:53 am 
Senior Member

Joined: Fri May 20, 2011 2:45 am
Posts: 63
Location: Spain
What do you guys think about this

Code:
# or B. More secure (recommended). Allow writing only in places Joomla! needs to write to (more secure)
sudo chown -R root:root /var/www/joomla
cd /var/www/joomla
PLACES='
administrator/backups
administrator/components
administrator/modules
administrator/templates
cache
components
images
images/banners
images/stories
language
mambots
mambots/content
mambots/editors
mambots/editors-xtd
mambots/search
media
modules
templates
'
for i in $PLACES; do
    sudo chown -R www-data:www-data "$i"
done


Taken from here https://help.ubuntu.com/community/Jooml ... ess_Rights

