Menu
I just set up my first instance of AWS EC2 server and I'm running into an issue with permissions on a script uploading pictures. 'var/www' (and all subdirectories) owner is 'ec2-user' however the apache server is running as 'apache'. Therefore all directories created dynamically by the php script (using mkdir) have 'apache' as the owner (which it seems doesn't have write permissions) I could certainly change the apache user to 'ec2user' but I'm worried that might be a security risk. What's the correct way of doing this? Thanks for your help.
775
You can use IAM to control how other users use resources in your AWS account, and you can use security groups to control access to your Amazon EC2 instances. You can choose to allow full use or limited use of your Amazon EC2 resources.
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/ . Choose Users in the navigation pane, choose the name of the user whose permissions you want to modify, and then choose the Permissions tab. Choose Add permissions, and then choose Copy permissions from existing user.
Open the Amazon EC2 console, and then add tags to the group of EC2 instances that you want the users or groups to be able to access. If you don't already have a tag, create a new tag. Note: Be sure to read and understand the tag restrictions before tagging your resources. Amazon EC2 tags are case-sensitive.
To set file permissions for the Apache web server
1- Add the www group to your EC2 instance with the following command:
[ec2-user ~]$ sudo groupadd www
2- Add the ec2-user user to the www group:
[ec2-user ~]$ sudo usermod -a -G www ec2-user
3- To refresh your permissions and include the new www group, log out:
[ec2-user ~]$ exit
4- Log back in again and verify that the www group exists with the groups:
[ec2-user ~]$ groups
> ec2-user wheel www
5- Change the group ownership of the /var/www directory and its contents to the www group:
[ec2-user ~]$ sudo chown -R root:www /var/www
6- Change the directory permissions of /var/www and its subdirectories to add group write permissions and set the group ID on subdirectories created in the future:
[ec2-user ~]$ sudo chmod 2775 /var/www
[ec2-user ~]$ find /var/www -type d -exec sudo chmod 2775 {} +
7- Recursively change the permissions for files in the /var/www directory and its subdirectories to add group write permissions:
[ec2-user ~]$ find /var/www -type f -exec sudo chmod 0664 {} +
This is a pure Linux permission problem, not an AWS problem. I just created an Amazon Linux instance and verified permissions in /var
[ec2-user@ip-1-1-1-174 ~]$ ls -ald /var/www
drwxr-xr-x 7 root root 4096 Oct 22 23:34 /var/www
As you see, ownership is root and not ec2-user. You should understand first what / why you see permission on /var/www/ to ec2-user
Should need to change the owner of that directory again, you can type :
chown -R root:root /var/www
It is not a best practice to let your web server (httpd) write to /var/www nor to run that process with elevated privileges (such as root).
Should your app really write to the local storage, use a different volume, mounted in a separate directory, where no executable are available.
40
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
