/var/www/moodle as 'root' or 'www-data'?

by Gareth J Barnard -
Number of replies: 8

Hello,

When sorting out an issue with 'PHP Unit' -> https://moodle.org/mod/forum/discuss.php?d=412355 I read the install docs and:

https://docs.moodle.org/39/en/Installing_Moodle#Download_and_copy_files_into_place

indicates that the 'moodle' folder should have the user and group of 'root' so that the web server cannot write to the code files and yet:

https://docs.moodle.org/39/en/Installing_Moodle_on_Debian_based_distributions

states to have the user and group as 'www-data' which is the user and group that the web server (in this case Apache) is running under and therefore the code files are writable by the web server!

Which is correct please?

Gareth


In reply to Gareth J Barnard

Re: /var/www/moodle as 'root' or 'www-data'?

by James Steerpike -
I am not sure if there is a correct answer.
Having root as the owner will be safer as it is more restrictive. However if you install a plugin from within Moodle which requires writing to a Moodle code subfolder you will need to reset permissions through chmod. With the web server able to write to the directory this should not be necessary.
I have always stuck with root permissions and temporarily adjusted permissions using sudo.
In reply to James Steerpike

Re: /var/www/moodle as 'root' or 'www-data'?

by Gareth J Barnard -
Thanks James, I can see how that gives more control and prevents the web server from doing something iffy.
In reply to Gareth J Barnard

Re: /var/www/moodle as 'root' or 'www-data'?

by Visvanath Ratnaweera -
Hi Gareth

On my servers the owner of the moodle/ tree is neither root nor www-data. It is me, my Unix shell account. This me, as a Unix shell account, belongs to the group users. In addition, me is in the group www-data.

Files in moodle/ have permissions rw-r----- me:www-data and directories rwxr-x--- me:www-data. That way I can work 99% of the time as the user me - since I am the owner of moodle/ tree. The web server, running as user www-data, is also happy, since it can read and enter directories through the group www-data.

The problem with Moodle Docs is that it is written for a "broad" audience. In plain terms: Windows (desktop) power users struggling with Unix. On the Windows desktop, everybody has superuser permissions. Anything more will just put them off.


In reply to Visvanath Ratnaweera

Re: /var/www/moodle as 'root' or 'www-data'?

by Gareth J Barnard -
Thanks Visvanath, that's a different perspective. I'm not sure about everybody on Windows having superuser permissions, as I don't think they do. In this case the question pertains to Linux that I'm running on a virtual machine, but I also have a WAMP on Windows 10 (one that I've created myself from the components installed individually) and configured Apache to run as a service - I will need to see what permissions that has - however it's only local to my own network as it's a development environment, so I'm not so worried.

What I am interested in though is what production servers are configured to be in this context and why.
In reply to Gareth J Barnard

Re: /var/www/moodle as 'root' or 'www-data'?

by Visvanath Ratnaweera -
The scheme I described is the one on all my production servers. Of course it is not the only solution. True to Unix philosophy, if a question doesn't have multiple answers, it was not about Unix.

The reason for that scheme is, I can work in the shell 99% of the time as a non-privileged user (me). In exceptional cases, I can always get super user rights with su or sudo. On the "security" front, the "others" do not have any permission to the files (rw-r-----) and directories (rwxr-x---). But those "others" are either non-existent or trusted users on a production server. To whom would you give a shell account on your production server?
In reply to Gareth J Barnard

Re: /var/www/moodle as 'root' or 'www-data'?

by Ken Task -

+ 1 to both responses so far ... hosting and how hosting sets you up a factor.

Have been into several hosting services (TMD, OVH, RS, other) for 'customers' and can see why there can be no docs in Moodle that would cover them all.

Case in point ... customer moving from shared hosting to VPS server as an example will have their user jail environment copied to the VPS.   When it comes to web server apps ... they end up with something like /home/customernameorid/public_html ... a user jail.

They could move it all to something more Linux Standard Base ... like apache ... /var/www/ but it's much easier to continue to do what they have done. So ... that affects ownerships/permissions of anything.

Now as to what they should be ... try this for grins to see what happens:

make permissions on your config.php file look like r--r-----

Note above doesn't mention user ... just permissions.

'SoS', Ken


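The scheme Visvanath describes (files rw-r-----, directories rwxr-x---, owned by a deploy account with the web server's group) and Ken's r--r----- on config.php, turned into a script you can run and check, as an added example that is not code from anyone in this thread. The owner `me`, the group `www-data` and the sample tree are assumptions; the tree is constructed inline and is not a real Moodle checkout. Ownership is only changed when the script runs as root, so the mode-bit part can be tried as an ordinary user.

```shell
#!/bin/sh
# Added example: enforce and audit the "deploy user owns, web server group
# reads" layout on a Moodle code tree. Files rw-r----- (640), directories
# rwxr-x--- (750), config.php r--r----- (440). OWNER and WEBGROUP are
# assumptions ("me" and "www-data" in the demo); chown only runs as root.
# moodledata is deliberately not touched: it must stay writable by the web
# server and should live outside this tree anyway.

SCHEME_DIR_MODE=750
SCHEME_FILE_MODE=640
SCHEME_CONFIG_MODE=440

harden_tree() {
    dir=$1
    owner=$2
    webgroup=$3
    [ -d "$dir" ] || { echo "harden_tree: $dir is not a directory" >&2; return 1; }
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner:$webgroup" "$dir" 2>/dev/null ||
            echo "harden_tree: chown $owner:$webgroup failed (do account and group exist?)" >&2
    else
        echo "harden_tree: not root, ownership left as-is (wanted $owner:$webgroup)" >&2
    fi
    find "$dir" -type d -exec chmod "$SCHEME_DIR_MODE" {} +
    find "$dir" -type f -exec chmod "$SCHEME_FILE_MODE" {} +
    # config.php carries the DB credentials and is only read after install.
    if [ -f "$dir/config.php" ]; then
        chmod "$SCHEME_CONFIG_MODE" "$dir/config.php"
    fi
    return 0
}

# Print every path under $1 that the scheme forbids: group-writable (the web
# server could modify code) or reachable by "other" at all. Echoes the count
# on stdout and returns non-zero when anything was found, so it can gate a
# deploy script. Uses only POSIX find -perm tests.
audit_tree() {
    dir=$1
    offenders=$(find "$dir" \( -perm -g=w -o -perm -o=r -o -perm -o=w -o -perm -o=x \) -print)
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders" | sed 's/^/audit_tree: violates scheme: /' >&2
        count=$(printf '%s\n' "$offenders" | wc -l | tr -d ' ')
    else
        count=0
    fi
    echo "$count"
    [ "$count" -eq 0 ]
}

# The plugin-install case: briefly let the web server's group write one
# subtree (e.g. theme/), install, then run harden_tree again to close it.
open_for_webserver() {
    find "$1" -type d -exec chmod 770 {} +
    find "$1" -type f -exec chmod 660 {} +
}

# Constructed sample tree standing in for a checkout (not a real Moodle).
make_sample_tree() {
    root=$(mktemp -d)/moodle
    mkdir -p "$root/lib" "$root/theme/boost"
    printf '<?php\n$CFG->dbpass = "example";\n' > "$root/config.php"
    printf '<?php // core library\n' > "$root/lib/setuplib.php"
    printf '<?php // theme code\n' > "$root/theme/boost/lib.php"
    chmod 777 "$root/theme"        # deliberately sloppy, as a fresh copy often is
    chmod 644 "$root/config.php"   # world-readable DB password
    echo "$root"
}

if [ "${1:-}" = "demo" ]; then
    tree=$(make_sample_tree)
    echo "before: $(audit_tree "$tree" 2>/dev/null) violations"
    harden_tree "$tree" me www-data
    echo "after:  $(audit_tree "$tree" 2>/dev/null) violations"
    rm -rf "$(dirname "$tree")"
fi
```

Run it as `sh harden.sh demo` to see the counts drop to zero on the sample tree; on a real deployment run `harden_tree /var/www/moodle me www-data` once as root for the chown and then `audit_tree /var/www/moodle` from cron or the deploy job. `-perm -o=r` also flags the tree's top directory, which is intended: if `other` can list it, the scheme is already broken. On the hosting layouts Ken mentions, where PHP runs under a per-customer user or php-fpm pool, that pool user's group is what goes in place of www-data.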
In reply to Ken Task

Re: /var/www/moodle as 'root' or 'www-data'?

by Visvanath Ratnaweera -
> make permissions on your config.php file look like r--r-----
>
> Note above doesn't mention user ... just permissions.

Ha, ha, ha! Was that Howard's Third principle, "Invest on Unix file permissions - You'll be a happy man"?

For those who raise eyebrows, I am talking of https://www.unix.com/tips-and-tutorials/19060-unix-file-permissions.html.
In reply to Visvanath Ratnaweera

Re: /var/www/moodle as 'root' or 'www-data'?

by Gareth J Barnard -
Thank you to everyone who has replied so far. I've done some more searching and it does appear that the 'www-data' user and group is what is required. However, some really good points about restricting permissions too.

I've also dusted off a book on Apache Security that I forgot I had, so will see what's in there that may help with this. But perhaps pragmatically, the file and directory permissions are only one element of the 'onion' of security that you can wrap around the problem of securing your site.