I just set up my first instance of an AWS EC2 server and I'm running into an issue with permissions on a script uploading pictures. The owner of 'var/www' (and all subdirectories) is 'ec2-user', however the Apache server is running as 'apache'. Therefore all directories created dynamically by the PHP script (using mkdir) have 'apache' as the owner (which, it seems, doesn't have write permissions). I could certainly change the Apache user to 'ec2-user', but I'm worried that might be a security risk. What's the correct way of doing this? Thanks for your help.
4 Answers
To set file permissions for the Apache web server
1- Add the www group to your EC2 instance with the following command:
[ec2-user ~]$ sudo groupadd www
2- Add the ec2-user user to the www group:
[ec2-user ~]$ sudo usermod -a -G www ec2-user
3- To refresh your permissions and include the new www group, log out:
[ec2-user ~]$ exit
4- Log back in again and verify that the www group exists with the groups command:
[ec2-user ~]$ groups
> ec2-user wheel www
5- Change the group ownership of the /var/www directory and its contents to the www group:
[ec2-user ~]$ sudo chown -R root:www /var/www
6- Change the directory permissions of /var/www and its subdirectories to add group write permissions and set the group ID on subdirectories created in the future:
[ec2-user ~]$ sudo chmod 2775 /var/www
[ec2-user ~]$ find /var/www -type d -exec sudo chmod 2775 {} +
7- Recursively change the permissions for files in the /var/www directory and its subdirectories to add group write permissions:
[ec2-user ~]$ find /var/www -type f -exec sudo chmod 0664 {} +
This is a pure Linux permission problem, not an AWS problem. I just created an Amazon Linux instance and verified the permissions in /var:
[ec2-user@ip-1-1-1-174 ~]$ ls -ald /var/www
drwxr-xr-x 7 root root 4096 Oct 22 23:34 /var/www
As you see, ownership is root and not ec2-user. You should first understand what/why you see ownership of /var/www/ assigned to ec2-user.
Should you need to change the owner of that directory again, you can type:
chown -R root:root /var/www
It is not a best practice to let your web server (httpd) write to /var/www nor to run that process with elevated privileges (such as root).
Should your app really need to write to local storage, use a different volume, mounted in a separate directory, where no executables are available.
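The answer above recommends keeping anything the web server writes on a separate volume that carries no executables. On Linux that is normally done by mounting the volume with noexec (plus nosuid and nodev). The following added example, which is not part of the answer, checks whether a given upload directory actually sits on such a mount. It reads a file in the /proc/mounts format (device, mount point, fstype, options), picks the longest mount point that is a prefix of the target path, and reports which hardening options are missing; the sample mounts file is constructed here so the script runs offline, and on a live host you would pass /proc/mounts instead.

```shell
#!/bin/sh
# Added example, not from the answer: verify that an upload directory lives on a
# mount with noexec/nosuid/nodev. Assumes the Linux /proc/mounts field layout:
#   device mountpoint fstype options dump pass

# mount_opts_for MOUNTS_FILE TARGET: options of the longest mount point that is a
# prefix of TARGET (the mount that actually holds TARGET)
mount_opts_for() {
    awk -v t="$2" '
        {
            mp = $2; n = length(mp)
            if (mp == "/" || t == mp || substr(t, 1, n + 1) == mp "/")
                if (n > best) { best = n; opts = $4 }
        }
        END { print opts }' "$1"
}

# mount_has_opt MOUNTS_FILE TARGET OPT: exit 0 if OPT is among the mount options
mount_has_opt() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,"$3",*) return 0 ;;
        *)        return 1 ;;
    esac
}

# upload_dir_verdict MOUNTS_FILE TARGET: "ok" when noexec, nosuid and nodev are all
# present, otherwise "missing:" followed by the absent options, so a deploy script
# can refuse to proceed on anything but "ok"
upload_dir_verdict() {
    missing=""
    for opt in noexec nosuid nodev; do
        mount_has_opt "$1" "$2" "$opt" || missing="$missing $opt"
    done
    if [ -z "$missing" ]; then echo ok; else echo "missing:$missing"; fi
}

# make_sample_mounts: a constructed /proc/mounts snapshot (not from a real instance)
# with a root volume, a hardened data volume for uploads, and a tmpfs without noexec
make_sample_mounts() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
/dev/xvda1 / xfs rw,relatime 0 0
/dev/xvdf /srv/uploads ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
EOF
    echo "$f"
}

# Demonstration: sh this_file.sh demo
if [ "${1-}" = "demo" ]; then
    m=$(make_sample_mounts)
    for p in /var/www/html/uploads /srv/uploads/2024/img /run/lock; do
        echo "$p -> $(upload_dir_verdict "$m" "$p")"
    done
    rm -f "$m"
fi
```

With the sample file, /srv/uploads/2024/img reports "ok", /var/www/html/uploads (which falls through to the root volume) reports all three options missing, and /run/lock reports only noexec missing. The prefix match is done on path components, so /srv/uploadsx is correctly attributed to the root mount rather than to /srv/uploads.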
If you are using the Amazon Linux 2 AMI, then the steps are different.
To allow the ec2-user account to manipulate files in this directory, you must modify the ownership and permissions of the directory. There are many ways to accomplish this task. In the following steps, you add ec2-user to the apache group, give the apache group ownership of the /var/www directory, and assign write permissions to the group.
To set file permissions
Add your user (in this case, ec2-user) to the apache group.
[ec2-user ~]$ sudo usermod -a -G apache ec2-user
Log out and then log back in again to pick up the new group, and then verify your membership. Log out (use the exit command or close the terminal window):
[ec2-user ~]$ exit
To verify your membership in the apache group, reconnect to your instance, and then run the following command:
[ec2-user ~]$ groups
ec2-user adm wheel apache systemd-journal
Change the group ownership of /var/www and its contents to the apache group.
[ec2-user ~]$ sudo chown -R ec2-user:apache /var/www
To add group write permissions and to set the group ID on future subdirectories, change the directory permissions of /var/www and its subdirectories.
[ec2-user ~]$ sudo chmod 2775 /var/www && find /var/www -type d -exec sudo chmod 2775 {} \;
To add group write permissions, recursively change the file permissions of /var/www and its subdirectories:
[ec2-user ~]$ find /var/www -type f -exec sudo chmod 0664 {} \;
Now, ec2-user (and any future members of the apache group) can add, delete, and edit files in the Apache document root, enabling you to add content, such as a static website or a PHP application.
How to set up a LAMP stack on Amazon Linux 2, full details are here: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-lamp-amazon-linux-2.html
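Both the first answer (www group) and the Amazon Linux 2 answer above apply the same scheme: a shared group on the document root, mode 2775 on directories so the setgid bit makes new subdirectories inherit the group, and 0664 on files. The following added example, which is not code from either answer or from the AWS documentation, parameterises steps 5 to 7 so they can be applied to any directory and group, and then verifies the result the way a practitioner would before trusting it: it reads the mode string and group back with ls, and creates a probe subdirectory (as mkdir in the PHP script would) to confirm the group is inherited. It assumes a GNU/Linux userland, that the caller owns the directory, and that the group is one the caller belongs to; the sample document root is constructed under mktemp so the script runs without touching /var/www, and in real use you would pass /var/www and www or apache and run it with sudo as the answers do.

```shell
#!/bin/sh
# Added example, not from the answers: apply the shared-group + setgid scheme to a
# directory and verify it. Assumes GNU/Linux ls/find, caller owns DIR, caller is a
# member of GROUP.

# share_docroot DIR GROUP: steps 5-7 of the first answer, parameterised
share_docroot() {
    dir=$1
    grp=$2
    chgrp -R "$grp" "$dir" || return 1          # group ownership (answer: chown -R root:www)
    chmod 2775 "$dir" || return 1               # setgid + group write on the top level
    find "$dir" -type d -exec chmod 2775 {} +   # same on every existing subdirectory
    find "$dir" -type f -exec chmod 0664 {} +   # files: group write, never executable
}

# mode_of PATH: the ten-character mode string from ls, e.g. drwxrwsr-x
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# group_of PATH: the group name column from ls -ld
group_of() {
    ls -ld "$1" | awk '{print $4}'
}

# inherits_group DIR: create a probe subdirectory inside DIR, as the PHP script's
# mkdir() would, and return 0 if it picked up DIR's group (what the setgid bit buys
# you). The probe directory is removed again.
inherits_group() {
    dir=$1
    probe="$dir/probe.$$"
    mkdir "$probe" || return 1
    parent=$(group_of "$dir")
    child=$(group_of "$probe")
    rmdir "$probe"
    [ "$parent" = "$child" ]
}

# make_sample_docroot: constructed stand-in for /var/www so the example runs anywhere
make_sample_docroot() {
    root=$(mktemp -d)
    mkdir -p "$root/html/uploads"
    printf '<?php echo "hi";\n' > "$root/html/index.php"
    chmod 0600 "$root/html/index.php"   # deliberately too tight, to show it gets fixed
    echo "$root"
}

# Demonstration: sh this_file.sh demo
if [ "${1-}" = "demo" ]; then
    d=$(make_sample_docroot)
    share_docroot "$d" "$(id -gn)"
    echo "top:    $(mode_of "$d")  group $(group_of "$d")"
    echo "file:   $(mode_of "$d/html/index.php")"
    if inherits_group "$d/html/uploads"; then
        echo "subdir: new directories inherit the group"
    else
        echo "subdir: group NOT inherited (setgid bit missing?)"
    fi
    rm -rf "$d"
fi
```

After share_docroot the top directory and every subdirectory read back as drwxrwsr-x (the s in the group position is the setgid bit), the file as -rw-rw-r--, and inherits_group succeeds. Note that the setgid bit only controls the group of new entries; their write bits still come from the creating process's umask, so if directories created by httpd must also be group-writable the service's umask has to allow it.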
I had problems with the permissions on the /etc/ folder, so I did this, as in the first answer:
[ec2-user ~]$ sudo groupadd www
[ec2-user ~]$ sudo usermod -a -G www ec2-user
[ec2-user ~]$ exit
[ec2-user ~]$ groups
> ec2-user wheel www
[ec2-user ~]$ sudo chown -R root:www /etc/
[ec2-user ~]$ sudo chmod 2775 /etc/
[ec2-user ~]$ find /etc/ -type d -exec sudo chmod 2775 {} +
[ec2-user ~]$ find /etc/ -type f -exec sudo chmod 0664 {} +
Basically: I added the group www, set ec2-user as a member of www, and changed the ownership of the whole /etc/ directory to group www. Well, I know it was an error.
But now I can't sudo anything, getting the message:
sudo: /etc/sudoers.d is owned by gid 501, should be 0
And I really need to start the apache service.
The thing is, I changed the owner of all of /etc/ to the group www, which is a group I (ec2-user) belong to. Why can't I sudo?
It asks for the ec2-user password, which I don't have, because I log in via ssh using the private key. I have never set a password, and all the trivial ones don't work.
Some details and failed attempts:
- I can't change the sudoers.d file
- I can't change the chown
- I can't sudo anything!
I tried changing the sudoers ownership, but I can't:
[ec2-user ~]$ chown 0 /etc/sudoers
chown: changing ownership of ‘/etc/sudoers’: Operation not permitted
How can I fix that, please?