security advice debian www-data
 

hey there
i am running debian-sarge.
i am using it to virtually host a few websites. One of them, i just installed
joomla on ( a content management system ) the ownership of the directory was given to user billy, but the installation needed to be able to write to some files in the web_root directory (owned by billy) and the user www-data that apaceh runs under would gimme a no-go. Now i changed the ownership of the web_root to www-data and it installed fine, but now billy will not be able to edit his content from ftp, or ssh or whatever now. So what do i do to overcome this. Do i add www-data to the billy group, or do i add billy to the www-data group ?. I did a chmod 755 on the directory, was this a mistake ?
sorry to sound a bit paranoid or pannicked, but i am a bit paranoid about it.

thanks for any tips.

There are many alternatives, but here are my suggestions:

Since the joomla system is only used on one (or some) of your hosted sites, it should never have full access to the web-root (=the root directory of all sites), since it would then have the possibility to change/erase the contents of the other sites. It may have full access to the root directory of the sites that you use it for, however. You should look into the Apache and/or Joomla configuration for how to set this up properly.

I would also recommend using permissions like "770" or "2770", not "755", and creating only one group (not "billy" AND "www-data"). The name of that group is relatively unimportant.
The root directory of the Joomla websites would then be owned by that group and get those permissions, making the directory be fully accessible by both your "www-data" and "billy" users. Non-joomla sites would be owned by a different group, to which "billy" does not belong.

ok, so far, i have all the web roots under the directory /var/www
like this
/var/www/somesite1
/var/www/somesite2
/var/www/somesite3

each directory of somesites has a web_root directory that is the web root
like this
somesite1 web-root = /var/www/somesite1/web_root
billy has his home directory as /var/www/somesite1
so when he uses vsftpd he can upload his files. The problem i was having was that once billy uploaded files, they became unwritable by www-data.
so according to your advice, do somesite1, somesite2, and somesite3 have different owners than the user names and www-data.

thanks for your response by the way.

So, somesite1 uses Joomla, and the other sites don't, right?
I don't really see why billy's home directory has to be /var/www/somesite1. What if you want to start using Joomla on another site as well?

The FTP permissions are a completely different story and should be addressed separately as well.
There are many ways to allow uploads to the directory /var/www/somesite1 for a specific user, besides creating a "real" user with his home directory on /var/www/somesite1. In my opinion, your FTP setup is not ideal for you and should be tweaked further.

To address the file permissions issue:
When billy uploads files, they are owned by him and get default permissions, which may or may not include group access (depending on the "umask" settings, for instance).
A "chmod 2770" of the directory could help, as this forces group ownership for newly created files/directories.
However, "billy" could still remove this group access, since he owns the files/directories.
You could then make "www-data" part of that group to give the "www-data" user full access as well.

So, in short, the real problem is the ownership by the "real" user "billy".
The question you need to ask yourself is this: does the user really need to create/delete files by using Joomla (ie via the website)? Or only modify existing files? (regardless of the file upload via FTP)
In the latter case, "billy" should not own any directory or file, only get write access on the files via the group permissions (+read-only access on directories) and the FTP configuration needs to be changed.
The first case requires an entirely different approach.