Data from the Web

File uploads need to be stored in directories. Other data needs to be stored in databases. This is only possible with certain combinations of permissions and ownerships on these directories and files. Some configurations may allow the uploads but they may make themselves to unwanted access and therefore be insecure.

Although changing file permissions allows data from the web to be stored, I think it is more secure to only change the ownership of the directory and / or file to the user that the web server runs as. For Apache on Ubuntu this is www-data.

SQLite

In this case the directory that the SQLite database is in and the database file itself should have their ownership changed to www-data. To do this use cd to navigate to the directory which contains the database file. I normally call this directory sqlite. Now use ls -la to check the permissions and ownerships:

navigate to and list directory containing the database

myproject/sqlite$ ls -la
total 461024
drwxrwxr-x  2 ubuntu ubuntu      4096 Dec  7 00:28 .
drwxrwxr-x 10 ubuntu ubuntu      4096 Dec  5 23:28 ..
-rw-r--r--  1 ubuntu ubuntu 472076288 Dec  7 00:28 database.db

Then use chown to change the ownership and then ls -la again:

changing file and directory ownerships

myproject/sqlite$ sudo chown www-data:ubuntu . ./database.db
myproject/sqlite$ ls -la
drwxrwxr-x  2 www-data ubuntu      4096 Dec  7 00:28 .
drwxrwxr-x 10 ubuntu ubuntu      4096 Dec  5 23:28 ..
-rw-r--r--  1 www-data ubuntu 472076288 Dec  7 00:28 database.db

File Uploads

This is very similar to the situation with SQLite except that only the ownership of the directory in which the uploaded files are to be kept needs to be changed. If the files were to be stored in a directory called photos inside a directory called media, navigate to media and from there change the ownership of photos

changing directory ownership for file uploads

myproject/media$ ls -la
total 24
drwxrwxr-x  6 ubuntu ubuntu 4096 Aug 30 21:38 .
drwxrwxr-x 10 ubuntu ubuntu 4096 Dec  5 23:28 ..
drwxrwxr-x  2 ubuntu ubuntu 4096 Aug 30 21:36 originals
drwxrwxr-x  2 ubuntu ubuntu 4096 Aug 30 21:38 thumbnails

Now change the ownerships and list again:

changing directory ownership for file uploads

myproject/media$ sudo chown www-data:ubuntu ./originals ./thumbnails
myproject/media$ ls -la
total 24
drwxrwxr-x  6 ubuntu   ubuntu 4096 Aug 30 21:38 .
drwxrwxr-x 10 ubuntu   ubuntu 4096 Dec  5 23:28 ..
drwxrwxr-x  2 www-data ubuntu 4096 Aug 30 21:36 originals
drwxrwxr-x  2 www-data ubuntu 4096 Aug 30 21:38 thumbnails

Issues

Now that the ownership of these directories and files has changed there may be some things which need to be considered when using them in a different context than through Apache which is the new owner. One example is that if the SQLite database is used via the sqlite3 command line interface program it will only be possible to do read operations. If it is required to write to the database as required for creating tables adding or changing data then the ownership needs to be restored to ubuntu in order to do so.