AMI Linux 2023 - Webserver Permissions for Production

0

I'm setting up a new EC2 Instance with AMI Linux 2023. (I'm super new to Linux/AMI). I followed this tutorial on the AWS website: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-lamp-amazon-linux-2023.html. I'm a little confused about the setup and permissions for the /var/www directory.

Here are my groups:

    [ec2-user ~]$ groups
    ec2-user adm wheel apache systemd-journal

The tutorial tells you the following: Change the group ownership of /var/www and its contents to the apache group.

    [ec2-user ~]$ sudo chown -R ec2-user:apache /var/www

Add group write permission

    [ec2-user ~]$ sudo chmod 2775 /var/www && find /var/www -type d -exec sudo chmod 2775 {} \;

To add group write permissions, recursively change the file permissions of /var/www and its subdirectories:

    [ec2-user ~]$ find /var/www -type f -exec sudo chmod 0664 {} \;

Is it a security issue to add ec2-user to the apache group, and add write permission to the apache group? Can this setup be used for production?

Luke
asked 8 months ago, 458 views

2 answers
0

Hello.

"ec2-user" is the default user, so it is easily used for unauthorized logins.
Therefore, we recommend that you create a Linux user other than "ec2-user" and add it to the Apache group.
I also think it would be effective to set a password for a Linux user using the "passwd" command.

EXPERT
answered 8 months ago
0

Is it a security issue to add ec2-user to apache group, and add write permission to the apache group? Can this setup be used for production?

The documentation you provided states:

ec2-user (and any future members of the apache group) can add, delete, and edit files in the Apache document root, enabling you to add content, such as a static website or a PHP application.

Therefore, the main purpose of changing the owner and the permissions of /var/www is development and collaboration.

In production, granting write access by adding ec2-user to the security group is not necessarily a security issue if you need to dedicate deployment or hot-fix tasks to ec2-user. Generally, you should perform operational tasks using a user with lower privileges, and avoid using the root user if possible to mitigate risks.

HS
answered 8 months ago
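The three commands from the question (chown, chmod 2775 on directories, chmod 0664 on files) applied as one function, plus an audit that reports anything deviating from that scheme and a check that the setgid bit actually makes new files inherit the docroot group. This is an added example, not code from the re:Post thread or the AWS tutorial; the owner and group are parameters so the dedicated non-ec2-user account suggested in the first answer can be used (the user name `deploy` in the usage comment is an assumption, as is the document-root path).

```shell
#!/bin/sh
# Added example (not part of the re:Post thread or the AWS tutorial): apply
# the tutorial's /var/www permission scheme to a document root with a chosen
# owner:group, then audit the result. OWNER, GROUP and DOCROOT are assumptions;
# the tutorial itself uses ec2-user:apache on /var/www.
set -eu

# Apply the scheme: owner:group ownership, 2775 on directories (setgid so new
# files inherit the directory's group), 0664 on regular files.
setup_docroot() {
    root="$1"; owner="$2"; group="$3"
    chown -R "$owner:$group" "$root"
    chmod 2775 "$root"
    find "$root" -type d -exec chmod 2775 {} +
    find "$root" -type f -exec chmod 0664 {} +
}

# Audit: list every path that deviates (directory not exactly 2775, regular
# file not exactly 0664, or anything world-writable). Findings go to stderr;
# stdout carries only the finding count so callers can test it.
audit_docroot() {
    root="$1"
    findings=$(find "$root" \( -type d ! -perm 2775 \) -o \( -type f ! -perm 0664 \) -o -perm -002)
    if [ -z "$findings" ]; then
        echo 0
    else
        printf 'non-compliant paths under %s:\n%s\n' "$root" "$findings" >&2
        echo $(printf '%s\n' "$findings" | wc -l)
    fi
}

# Confirm the setgid bit does its job: a file created inside the docroot
# carries the docroot's group rather than the creator's primary group.
group_inherited() {
    root="$1"
    probe="$root/.setgid-probe.$$"
    : > "$probe"
    want=$(stat -c %G "$root"); got=$(stat -c %G "$probe")
    rm -f "$probe"
    [ "$want" = "$got" ]
}

# Usage on the instance (as root), with a dedicated deploy account instead of
# ec2-user; "deploy" and /var/www are assumed names, not taken from the thread:
#   setup_docroot /var/www deploy apache
#   audit_docroot /var/www && group_inherited /var/www
```

The audit is the part worth keeping around: run it after each deployment and treat a non-zero count, especially any world-writable entry, as something to fix before the site serves traffic.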
