excalibur2013-05-15 22:03:28
excalibur, 2013-05-15 22:03:28

Apache, www-data, file and directory permissions?

The server has a directory /home/www/ which contains directories with sites:
/home/www/site1.com - the user user1 and www-data must have full access;
/home/www/site2.com - user2 and www-data must have full access;
/home/www/site3.com - user3 and www-data must have full access;
where www-data is apache2.
What groups and owners do I need to put on files and directories?
Apache creates logs for each site, i.e. text files where information is written, for example:
Users should not be able to see what is NOT in their directories.
Well, do I need to add users (user1-3, www-data) to other groups?

Answer the question

In order to leave comments, you need to log in

5 answer(s)
Nikolai Vasilchuk, 2013-05-16

Add www-data to the user1, user2 and user3 groups.
Make the directory owners user1, user2 and user3 respectively.
Set permissions to 770.

Alexey Sundukov, 2013-05-17

A little higher Anonym initially gave the wrong advice, but in the comments he himself pointed out what the mistake was. sledopit offers the correct option, but this requires server rights to allow installation of additional modules. There is also such an official module as suexec . But if we are talking about ordinary shared, then such a task cannot be solved in principle (unless the specified modules are already installed there).
But personally, I prefer the nginx + php-fpm + chroot bundle on my servers. For each site, workflows are run with site owner rights, let's say u1:u1. On the root directory of the site is 0710 and u1:nginx, on the folder log 0770/u1:nginx. All other files have permissions 0640/u1:u1, folders 0711/u1:u1. If the file is public, then it must belong to the nginx group. No php of one site can read anything in the files of another.

arbuzmaster, 2016-05-02

open console, write
password - enter root password
cd /
cd home/
chmod -R 770 www
cd www/
chown -R user1:www-data site1.com
chown -R user2:www-data site2.com
chown -R user3: www-data-site2.com

@sledopit, 2013-05-15

Look at apache-mpm-itk.
It allows you to run each virtual host as a separate user defined in the config without squatting with setfacl, common groups, etc.

truekenny, 2013-05-16

For php there is an open_basedir configuration parameter that allows you to restrict access to scripts inside certain directories.

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question