vhost directory and file permissions
I set these directories up as root, and then used chown to change the user to myself and the group to www-data. I am looking for an easy way to manage the permissions and groups of all of my web content. Every time I create a file or directory will I have to run chmod and chown to set the permissions?
What are some of the best practices for setting up virtual host directories and files?
6 Replies
@Beek:
What is the purpose of chowning stuff to www-data?
I'm not sure. That is what the User and Group directives in Apache are set to, I'm not real clear on what the significance of these are.
If I own the access.log file and have it set to my default group will Apache be able to write to it?
You have to be careful with the permissions of log files, since Apache writes to them as root (and www-data or whatever user you have set in httpd.conf). See
For my server, I have all the apache logs in /var/log/www, and that directory is only readable and writable by root. When logrotate runs, the old logs get moved to another directory that is world readable.
@Beek:
Okay, I'm a little confused about what is going into these directories… I think people conventionally put public content that will be served by apache in /var/www, while log files go to some subdirectory of /var/www
In each /var/www/vhost directory, I have directories for htdocs, cgi-bin, and other content. I also put a log directory in here for the access and error logs for each vhost.
@Beek:
For my server, I have all the apache logs in /var/log/www, and that directory is only readable and writable by root. When logrotate runs, the old logs get moved to another directory that is world readable.
I want a separate log for each vhost. Is it better to put them somewhere under /var/log as opposed to /var/www? What do I need to do to get logrotate to rotate the new logs?
@edwaldspurger:
@Beek: For my server, I have all the apache logs in /var/log/www, and that directory is only readable and writable by root. When logrotate runs, the old logs get moved to another directory that is world readable.
I want a separate log for each vhost. Is it better to put them somewhere under /var/log as opposed to /var/www? What do I need to do to get logrotate to rotate the new logs?
It is a potential security risk to have the logs in that directory if they aren't owned by root, or if any of the parent directories aren't owned by root. And you can still have separate logs for each vhost. My logs for each vhost are named /var/log/www/vhostnameaccess.log, /var/log/www/vhostnameerror.log, etc… To get them under logrotate's control, I created /etc/logrotate.d/httpd with this content:
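/var/log/www/*.log {
    missingok
    daily
    notifempty
    # Run postrotate once for all matched logs, not once per log file
    sharedscripts
    postrotate
        # HUP makes httpd reopen its log files after rotation
        /bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null || true;
    endscript
}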
Of course it would need some adjustment for your setup.
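The ownership concern raised in the last reply (a log directory is only safe if it and every parent directory are owned by root, and writable by root alone), as an added example that is not part of the original thread. The function names are hypothetical and the script assumes a `stat` that supports `-c` (GNU coreutils or BusyBox).

```sh
#!/bin/sh
# Added example: audit a log directory and each of its parents.
# Assumes GNU or BusyBox stat (-c); /var/log/www is the path used in the thread.

# audit_entry UID MODE: judge one path component from its owner uid and octal mode.
# Returns 0 if acceptable, 1 if not owned by root, 2 if group- or world-writable.
audit_entry() {
    [ "$1" -eq 0 ] || return 1
    [ $(( 0$2 & 022 )) -eq 0 ] || return 2
    return 0
}

# audit_chain DIR: check DIR (symlinks resolved) and every parent up to /.
# Prints one line per problem; returns non-zero if any component fails.
audit_chain() {
    p=$(cd -- "$1" 2>/dev/null >/dev/null && pwd -P) || {
        echo "$1: not an accessible directory"
        return 1
    }
    bad=0
    while :; do
        if meta=$(stat -c '%u %a' -- "$p" 2>/dev/null); then
            rc=0
            audit_entry "${meta% *}" "${meta#* }" || rc=$?
            case $rc in
                1) echo "$p: owner uid ${meta% *} is not root"; bad=1 ;;
                2) echo "$p: mode ${meta#* } is group- or world-writable"; bad=1 ;;
            esac
        else
            echo "$p: cannot stat"; bad=1
        fi
        [ "$p" = / ] && break
        p=$(dirname -- "$p")
    done
    return "$bad"
}

# Usage: sh audit-logdir.sh /var/log/www
if [ "$#" -gt 0 ]; then audit_chain "$1"; fi
```

A per-vhost log directory under /var/www that was chowned to a regular user would be reported by the ownership check, which is the situation the reply warns about.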