
binggle's avatar

Is it safe to set the primary group to 'www-data' for a user?

I have an ownership problem when writing logs.

My Linux login account is 'mylaraveluser'.

I added the www-data group to the 'mylaraveluser' account:

    sudo usermod -a -G www-data mylaraveluser

I set the daily channel in config/logging.php.

And it creates a log file every day:

    'channels' => [
        'stack' => [
            'driver' => 'stack',
            'channels' => ['daily'],
            'ignore_exceptions' => false,
        ],
        // ...
    ],

I did this so permissions work on the Laravel app:

    sudo chgrp -Rf www-data storage bootstrap/cache
    sudo chmod -Rf ug+rwx storage bootstrap/cache

So the storage folder has this ownership:

'mylaraveluser:www-data'

That is fine when nginx creates the log file first each day,

like 'laravel-2023-01-15.log'.

But if the command runs and writes to the log file before nginx writes anything,

the 'laravel-2023-01-15.log' file has 'mylaraveluser:mylaraveluser' ownership.

That means nginx cannot write to the log file.

Should I make my 'mylaraveluser' account have www-data as its primary group,

so that all Laravel files have 'mylaraveluser:www-data' ownership?

Is it safe from attack?

What do you think about this?

0 likes
7 replies
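The ownership flip described in the question happens because a new file takes the creating process's primary group unless its parent directory has the setgid bit set. The script below is an added example, not code from the thread: it audits a storage tree for exactly that condition and applies the thread's chgrp/chmod plus setgid, assuming POSIX find/chmod/chgrp and a group passed as a name or numeric gid (www-data in production, the current gid in the built-in demo).

```shell
#!/bin/sh
# Added example, not from the thread. A file created by an artisan/cron
# process gets the creating user's primary group unless the parent directory
# carries the setgid bit, which makes new files inherit the directory's group
# (www-data) no matter who creates them. These two functions audit a storage
# tree for that condition and repair it.
# Assumed: POSIX find/chmod/chgrp; the group is passed as a name or numeric gid.

# audit_storage <dir> <group>: print every path that breaks shared writing;
# return 0 when the tree is clean, 1 otherwise.
audit_storage() {
    dir=$1
    group=$2
    bad=$(
        # directories: wrong group, no group write (020) or no setgid (2000)
        find "$dir" -type d \( ! -group "$group" -o ! -perm -020 -o ! -perm -2000 \) -print
        # files: wrong group or not group-writable
        find "$dir" -type f \( ! -group "$group" -o ! -perm -020 \) -print
    )
    if [ -n "$bad" ]; then
        printf 'needs attention:\n%s\n' "$bad"
        return 1
    fi
    return 0
}

# fix_storage <dir> <group>: the thread's chgrp/chmod with two changes:
#  - 'X' instead of 'x', so log files are not made executable, only directories
#  - setgid on every directory, so files created later inherit the web group
fix_storage() {
    dir=$1
    group=$2
    chgrp -R "$group" "$dir"
    chmod -R ug+rwX "$dir"
    find "$dir" -type d -exec chmod g+s {} +
}

# Demo on a constructed tree, using the current user's gid instead of www-data.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    mkdir -p "$tmp/storage/logs"
    : > "$tmp/storage/logs/laravel-2023-01-15.log"   # constructed sample log
    audit_storage "$tmp/storage" "$(id -g)" || true   # reports missing setgid
    fix_storage "$tmp/storage" "$(id -g)"
    audit_storage "$tmp/storage" "$(id -g)" && echo "storage tree is clean"
    rm -rf "$tmp"
fi
```

The setgid bit fixes the group of future log files but not their mode: that still comes from the creating process's umask (or, for the daily channel, the 'permission' option in config/logging.php), so a 0644 file created by the cron user is still not writable by nginx.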
OussamaMater's avatar

Well, as long as mylaraveluser is not a privileged user you should be safe. If you want a secure deployment, the approach is the following:

Use www-data because it's a low-privileged user: it's the web user, and by default it has no shell. If you check the passwd file you'll find that www-data has /usr/sbin/nologin or /bin/false (depending on the distribution you are using) as its shell, so if a hacker finds any vulnerability that leads to RCE (remote code execution), which is the scariest one, for example LFI to RCE or any other attack, they can't really do much, as www-data is unable to spawn a shell, or if it does it will be refused automatically.

So use a low-privileged user, make sure that user has a very limited scope of permissions and files, in your case ONLY the files related to the Laravel app that you need to read from or write to, to prevent any lateral movement or privilege escalation, and to be even safer make sure to set its shell to /usr/sbin/nologin. This way you are kind of safe (because we are never safe). Making sure your code is well tested against some known vulns is always helpful too; here is a helpful list of examples I have encountered:

  • If you are accepting input from the user, make sure you're sanitizing that input to prevent SQLi or stored XSS.
  • If your app uses a local service, or accepts user input to consume an API or whatever, make sure to whitelist certain domains to prevent SSRF attacks.
  • If you provide some data based on the user, make sure to use policies or gates to authorize actions so you prevent IDOR and similar attacks.
  • Make sure you turn off the debug functionality so you don't leak any information about your code.

The list goes on...

This comment is based on my experience building/breaking web applications for CTF challenges :) You definitely need to do your own research, and I would love to answer if you have any questions.

3 likes
binggle's avatar

@OussamaMater

Hi. Thanks for the reply.

I think your tips/examples for protecting against attacks are about defending against attacks from outside the web page.

My concern is this.

Even after a hacker has penetrated my web page, I would like the hacker not to be able to use my account's console ability.

So I am asking whether 'mylaraveluser:www-data' ownership on all Laravel folders, not only the storage/cache folders, would be safe.

OussamaMater's avatar

@binggle I already covered that, if you read my response carefully.

Use www-data because it's a low-privileged user: it's the web user, and by default it has no shell. If you check the passwd file you'll find that www-data has /usr/sbin/nologin or /bin/false (depending on the distribution you are using) as its shell, so if a hacker finds any vulnerability that leads to RCE (remote code execution), which is the scariest one, for example LFI to RCE or any other attack, they can't really do much, as www-data is unable to spawn a shell, or if it does it will be refused automatically.

A hacker won't be able to use console ability if both mylaraveluser and www-data have /usr/sbin/nologin as their shell, and I also mentioned that they don't need any privileges other than reading and writing Laravel files (it's okay to have them own ALL folders and files, not only storage/cache) :)

3 likes
binggle's avatar

@OussamaMater

Thanks for the reply again.

I wonder, when my account is modified to 'nologin', how can I test console commands?

And does '/usr/sbin/nologin' allow file upload through vsftp (I mean the SFTP package in VSCode)?

I wonder if I have to change my development environment.

Can you share how to test console commands (job, cron)?

Don't you use a local editor, and not upload files via SFTP/FTP?

OussamaMater's avatar

@binggle you need to understand that in Linux you have 3 operations:

  • read
  • write
  • execute

When you upload something via FTP or any protocol you wish, you are writing, so the question is: do you have permission as the current user to write to that directory? Well, in your case yes, so you should be good to go, and /usr/sbin/nologin has nothing to do with the uploading. The same goes for downloading: is the file/directory readable by that user? If so, then you can download that file. And the same analogy applies to executing: it's nothing but a file; is that file marked as executable, and does the current user have permission to do so? If so, then you are good to go.

Now as for the managing: when you connect via SSH (make sure you disable password login, and allow login ONLY via keys (public/private)), you need to do the managing using a different user rather than the webmaster, usually a sudoer user that has enough privileges.

And you don't need to change your development environment, I mean why would you? Hopefully you understood what I mean after reading the reply above :)

Hopefully this gives you a better idea; I tried to simplify the workflow as much as I could :)

1 like
binggle's avatar

@OussamaMater

I feel your comments do not go straight ahead, but they are understandable.

Maybe I should make the whole Laravel app folder owned by 'www-data:www-data', and 'mylaravelid' should be used for console and SFTP upload work.

I will try it. Thanks.

OussamaMater's avatar

@binggle that works too. Well, I tried to give you a lot of details, that's why you feel like it's not straight ahead, my bad :)

And you can use www-data for SFTP, you don't need a shell for that, all you need is READ/WRITE permissions. Maybe this article will help you understand better.

Again, what you proposed works as well, if it makes sense to you.

1 like
