I’ve used the phrase “writable by the webserver” numerous times throughout this blog, without ever bothering to explain in detail what this means. Yesterday, I received an email asking me exactly that, so I decided to finally write a post about it and use it as a reference whenever I use the aforementioned phrase. I’ll use Apache as an example webserver and a filesystem with Unix-like permissions. I’ll also try to keep the article as short as possible.

First of all, the webserver, Apache in our case, is a program running in the background. Apache is originally started by user root. We will call this initial process the “root-process“. The “root-process” launches several child processes which handle the client requests. For security reasons, the child processes are not run by user “root” but as a user with minimal privileges. Usually this user is named apache or www-data etc. To find out how this is called in your system, issue the following command:

$ ps -ef | grep httpd | grep -v grep
root      1926     1  0 Dec03 ?        00:00:55 /usr/sbin/httpd.worker
apache    2608  1926  0 14:31 ?        00:00:06 /usr/sbin/httpd.worker
apache   22192  1926  0 01:05 ?        00:00:02 /usr/sbin/httpd.worker

So, in my case the child processes are run by user “apache“. This could also be determined by the user and group directives inside Apache’s configuration file, /etc/httpd/conf/httpd.conf:

User apache 
Group apache

So, in order to make a directory writable by the webserver we have to set the directory’s owner or group to Apache’s owner or group and enable the write permission for it. Usually, we set the directory to belong to the Apache group (apache or www-data or whatever user is used to launch the child processes) and enable the write permission for the group.

chgrp apache /path/to/mydir
chmod g+w /path/to/mydir

In many cases, usually in shared hosting environments, it is not possible to change the ownership of files and directories. In those cases you could just set the write permission for everyone (others):

chmod o+w /path/to/mydir

Which method is more secure depends on how /path/to/mydir is accessed.

If it is accessed through the web server with an HTTP request it does not really matter which of the above methods has been used in order to make /path/to/mydir writable by the web server, because, in any case, the web server will be able to write to /path/to/mydir.

If the directory is accessed by other means, for instance by another local program which is run by an untrusted local user, then, obviously, the first method is more secure.

I guess this explains how to make a directory or file writable by the web server process.

The Making a directory writable by the webserver by George Notaras, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

Tags: Administration, Filesystem, Servers, Web Applications