I’ve used the phrase “writable by the webserver” numerous times throughout this blog, without ever bothering to explain in detail what this means. Yesterday, I received an email asking me exactly that, so I decided to finally write a post about it and use it as a reference whenever I use the aforementioned phrase. I’ll use Apache as an example webserver and a filesystem with Unix-like permissions. I’ll also try to keep the article as short as possible.
First of all, the webserver, Apache in our case, is a program running in the background. Apache is originally started by user root. We will call this initial process the “root-process”. The “root-process” launches several child processes which handle the client requests. For security reasons, the child processes are not run by user “root” but as a user with minimal privileges. Usually this user is named www-data etc. To find out what it is called on your system, issue the following command:
$ ps -ef | grep httpd | grep -v grep
root 1926 1 0 Dec03 ? 00:00:55 /usr/sbin/httpd.worker
apache 2608 1926 0 14:31 ? 00:00:06 /usr/sbin/httpd.worker
apache 22192 1926 0 01:05 ? 00:00:02 /usr/sbin/httpd.worker
So, in my case the child processes are run by user “apache”. This could also be determined by the User and Group directives inside Apache’s configuration file:
User apache
Group apache
So, in order to make a directory writable by the webserver we have to set the directory’s owner or group to Apache’s owner or group and enable the write permission for it. Usually, we set the directory to belong to the Apache group (www-data or whatever user is used to launch the child processes) and enable the write permission for the group.
chgrp apache /path/to/mydir
chmod g+w /path/to/mydir
In many cases, usually in shared hosting environments, it is not possible to change the ownership of files and directories. In those cases you could just set the write permission for everyone (others):
chmod o+w /path/to/mydir
Which method is more secure depends on how /path/to/mydir is accessed.
If it is accessed through the web server with an HTTP request it does not really matter which of the above methods has been used in order to make /path/to/mydir writable by the web server, because, in any case, the web server will be able to write to
If the directory is accessed by other means, for instance by another local program which is run by an untrusted local user, then, obviously, the first method is more secure.
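To verify which of the two methods above actually grants an account write access, the following added example (not part of the original post) reports the single permission class the kernel applies to that account. It assumes GNU coreutils stat and ignores ACLs; perm_class, can_write and the scratch directory are hypothetical names constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU coreutils stat.
# perm_class and can_write are hypothetical helper names.

# perm_class DIR UID "GID ..." -> owner | group | other
# The kernel applies exactly one class: owner first, then group, then other.
perm_class() {
    d_uid=$(stat -c %u "$1")
    d_gid=$(stat -c %g "$1")
    if [ "$2" = "$d_uid" ]; then echo owner; return; fi
    for g in $3; do
        if [ "$g" = "$d_gid" ]; then echo group; return; fi
    done
    echo other
}

# can_write DIR UID "GID ..." -> "yes (class)" or "no (class)"
can_write() {
    class=$(perm_class "$1" "$2" "$3")
    mode=$(printf '%04d' "$(stat -c %a "$1")")   # pad: 70 -> 0070
    perms=${mode#?}                # drop the setuid/setgid/sticky digit
    case $class in
        owner) digit=${perms%??} ;;
        group) digit=${perms#?}; digit=${digit%?} ;;
        other) digit=${perms#??} ;;
    esac
    # Creating files in a directory needs write (2) and search (1).
    if [ $((digit & 3)) -eq 3 ]; then
        echo "yes ($class)"
    else
        echo "no ($class)"
    fi
}

# Constructed demo: a scratch directory stands in for /path/to/mydir, and a
# made-up UID (not the owner) in the directory's group stands in for apache.
demo=$(mktemp -d)
web_uid=$(( $(stat -c %u "$demo") + 1 ))
web_gid=$(stat -c %g "$demo")
chmod 750 "$demo"; echo "750: $(can_write "$demo" "$web_uid" "$web_gid")"
chmod g+w "$demo"; echo "g+w: $(can_write "$demo" "$web_uid" "$web_gid")"
chmod 757 "$demo"; echo "757: $(can_write "$demo" "$web_uid" "$web_gid")"
rmdir "$demo"
```

The last demo line shows that o+w alone does not help an account that already matches the directory's group: the group bits are the ones consulted, and they lack write.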
I guess this explains how to make a directory or file writable by the web server process.
The Making a directory writable by the webserver by George Notaras, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.