AMI Linux 2023 - Webserver Permissions for Production

0

I'm setting up a new EC2 Instance with AMI Linux 2023. (I'm super new to Linux/AMI.) I followed this tutorial on the AWS website: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-lamp-amazon-linux-2023.html. I'm a little confused about the setup and permissions for the /var/www directory.

Here are my groups:

    [ec2-user ~]$ groups
    ec2-user adm wheel apache systemd-journal

The tutorial tells you the following: Change the group ownership of /var/www and its contents to the apache group.

    [ec2-user ~]$ sudo chown -R ec2-user:apache /var/www

Add group write permission

    [ec2-user ~]$ sudo chmod 2775 /var/www && find /var/www -type d -exec sudo chmod 2775 {} \;

To add group write permissions, recursively change the file permissions of /var/www and its subdirectories:

    [ec2-user ~]$ find /var/www -type f -exec sudo chmod 0664 {} \;

Is it a security issue to add ec2-user to apache group, and add write permission to the apache group? Can this setup be used for production?

Luke
asked 7 months ago, 444 views
2 Answers
0

Hello.

"ec2-user" is the default user, so it is easily used for unauthorized logins.
Therefore, we recommend that you create a Linux user other than "ec2-user" and add it to the Apache group.
I also think it would be effective to set a password for a Linux user using the "passwd" command.

EXPERT
answered 7 months ago
0

Is it a security issue to add ec2-user to apache group, and add write permission to the apache group? Can this setup be used for production?

The documentation you provided states:

ec2-user (and any future members of the apache group) can add, delete, and edit files in the Apache document root, enabling you to add content, such as a static website or a PHP application.

Therefore the main purpose of changing the owner and the permissions for /var/www is for development and collaboration.

In production, granting write access by adding ec2-user to the security group is not necessarily a security issue if you need to dedicate deployment or hot-fix tasks to ec2-user. Generally, you should perform operational tasks using a user with lower privileges, and avoid using the root user if possible to mitigate risks.

HS
answered 7 months ago
