> I ran into chmod permission problems so I just made the entire
> directory accessible to users other than root, but is this secure?

No, this is definitely not secure. Now everyone has access to your database.

> Probably I should create a separate group for the www access and root
> access and only allow that group of root and www to access the folder.

You need to do the following, but this should already be taken care of by the package manager for your distribution:
- Create a user that will be used to run the web server.
- Launch the web server as root (you have to do this, since it will listen on ports < 1024), and then switch the process to the user you created in #1
- Make sure any static assets (JavaScript files, CSS files, images, stylesheets, etc.) are read-only for this user, have read-write access for your own user, and all others have read access only.
Your code should be in a separate directory, only accessible by your own user and NOT accessible by the web server process.
Under no circumstances should you EVER do any of the following:
- Change your permissions to `777` for any directory that is used in your web application
- Put your code in the same directory which you use for your static files.
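
The layout described in this answer, as an added example that is not part of the original post: shell functions that apply those modes and then audit a tree for world-writable entries and for code that anyone but its owner can reach. The function names and the temporary tree in the demo are constructed for illustration.

```sh
#!/bin/sh
# Added example; function names and the demo tree are constructed.

# Entries under $1 that "others" can write to (what chmod 777 leaves behind).
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Entries under $1 with any group/other permission bit set.
# A code directory private to its owner should list nothing.
not_owner_only() {
    find "$1" ! -type l \( -perm -0040 -o -perm -0020 -o -perm -0010 \
        -o -perm -0004 -o -perm -0002 -o -perm -0001 \) -print
}

# Layout from the answer: static assets owner read/write and read-only for
# everyone else; code reachable by its owner only.
apply_layout() {  # $1 = static dir, $2 = code dir
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    find "$2" -type d -exec chmod 700 {} +
    find "$2" -type f -exec chmod 600 {} +
}

# Number of findings a check reports; 0 means the tree passes.
count_findings() {
    "$@" | wc -l | tr -d ' '
}

# Demo on a throwaway tree that starts out in the chmod 777 state.
demo=$(mktemp -d)
mkdir -p "$demo/static/css" "$demo/code"
echo 'body{}' > "$demo/static/css/site.css"
echo 'print("app")' > "$demo/code/app.py"
chmod -R 777 "$demo/static" "$demo/code"
echo "before: $(count_findings world_writable "$demo") world-writable entries"
apply_layout "$demo/static" "$demo/code"
echo "after:  $(count_findings world_writable "$demo") world-writable entries"
echo "code entries open to group/other: $(count_findings not_owner_only "$demo/code")"
rm -rf "$demo"
```

Both directories are assumed to be owned by your own user, so the web server account reads the static files through the "other" read bit and gets nothing in the code directory.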