I'm always hitting this problem in one way or another and I've never really come up with a good solution.
I have lots of personal information (not secret, just that it's mostly only useful to me) which I keep in a Wiki. To make my life easy I run apache2 as user 'chris' (me) on the servers where I have the wiki. This allows me to edit pages directly and do all the maintenance etc. without the rigmarole of becoming root and/or becoming www-data.
However, this then causes problems with other stuff that runs under the web server, as they assume that it's going to run (in Ubuntu anyway) as www-data. My current hassle is with Owncloud, which installs with www-data owning the data directory, and I have to manually change the ownership to allow it to write.
There are also other similar conflicts.
Isn't there a way to tell the installation system that I want my browser to run as a specified user rather than the default (and really annoying!) www-data?
I suppose I could bodge /etc/passwd so that chris and www-data are the same, but it is rather a bodge; I'd like a better solution.
On Thu, May 05, 2016 at 10:30:46AM +0100, Chris Green wrote:
> I'm always hitting this problem in one way or another and I've never really come up with a good solution.
> I have lots of personal information (not secret, just that it's mostly only useful to me) which I keep in a Wiki. To make my life easy I run apache2 as user 'chris' (me) on the servers where I have the wiki. This allows me to edit pages directly and do all the maintenance etc. without the rigmarole of becoming root and/or becoming www-data.
> However, this then causes problems with other stuff that runs under the web server, as they assume that it's going to run (in Ubuntu anyway) as www-data. My current hassle is with Owncloud, which installs with www-data owning the data directory, and I have to manually change the ownership to allow it to write.
> There are also other similar conflicts.
> Isn't there a way to tell the installation system that I want my browser to run as a specified user rather than the default (and really annoying!) www-data?
> I suppose I could bodge /etc/passwd so that chris and www-data are the same, but it is rather a bodge; I'd like a better solution.
... I think I have a reasonable answer to this problem.
Leave apache2 at default, running as user www-data, no login etc. for security.
If you want a web application that you can edit yourself (i.e. in my case when logged in as 'chris') then create it in your home directory and link from /srv (or whatever the apache2 root is).
Now, the clever bit (well I think it's clever), use ACLs to allow www-data to access the application in your home directory. In my case the application is a dokuwiki installation in ~/wiki, so what you need is:-
chris$ cd
chris$ setfacl -R -m u:www-data:rwX wiki
chris$ setfacl -R -d -m u:www-data:rwX wiki
chris$
... and that's it. The first setfacl line means that www-data can access all it needs in ~/wiki; the second line sets the default permissions so that newly created files and directories have the same permissions.
This keeps the basic security of www-data not having a login and not having write access to most things but allows it specific access to the one directory where it needs write access for the application to work.
It *may* be that I'll need to add:-
chris$ setfacl -R -d -m u:chris:rwX wiki
chris$ setfacl -R -m u:chris:rwX wiki
chris$
So that any files actually *created* by the web app (i.e. by the apache user) are writeable by 'chris'.