vhost directory and file permissions

I am running Debian small and have Apache2 installed. I have a couple of web sites I run using named virtual hosts. These are in /var/www/name.of.vhost1, /var/www/name.of.vhost2, etc.

I set these directories up as root, and then used chown to change the user to myself and the group to www-data. I am looking for an easy way to manage the permissions and groups of all of my web content. Every time I create a file or directory will I have to run chmod and chown to set the permissions?

What are some of the best practices for setting up virtual host directories and files?

6 Replies

What is the purpose of chowning stuff to www-data? Unless you have a reason otherwise, chown it to your default group. Then you can work with files inside the directory without having to manage permissions.

@Beek:

What is the purpose of chowning stuff to www-data?

I'm not sure. That is what the User and Group directives in Apache are set to; I'm not really clear on what the significance of these is.

If I own the access.log file and have it set to my default group will Apache be able to write to it?

Okay, I'm a little confused about what is going into these directories… I think people conventionally put public content that will be served by apache in /var/www, while log files go to some subdirectory of /var/www

You have to be careful with the permissions of log files, since Apache writes to them as root (and www-data or whatever user you have set in httpd.conf). See http://httpd.apache.org/docs/1.3/misc/security_tips.html#serverroot

For my server, I have all the apache logs in /var/log/www, and that directory is only readable and writable by root. When logrotate runs, the old logs get moved to another directory that is world readable.

@Beek:

Okay, I'm a little confused about what is going into these directories… I think people conventionally put public content that will be served by apache in /var/www, while log files go to some subdirectory of /var/www

In each /var/www/vhost directory, I have directories for htdocs, cgi-bin, and other content. I also put a log directory in here for the access and error logs for each vhost.

@Beek:

For my server, I have all the apache logs in /var/log/www, and that directory is only readable and writable by root. When logrotate runs, the old logs get moved to another directory that is world readable.

I want a separate log for each vhost. Is it better to put them somewhere under /var/log as opposed to /var/www? What do I need to do to get logrotate to rotate the new logs?

@edwaldspurger:

@Beek:

For my server, I have all the apache logs in /var/log/www, and that directory is only readable and writable by root. When logrotate runs, the old logs get moved to another directory that is world readable.

I want a separate log for each vhost. Is it better to put them somewhere under /var/log as opposed to /var/www? What do I need to do to get logrotate to rotate the new logs?

It is a potential security risk to have the logs in that directory if they aren't owned by root, or if any of the parent directories aren't owned by root. And you can still have separate logs for each vhost. My logs for each vhost are named /var/log/www/vhostnameaccess.log, /var/log/www/vhostnameerror.log, etc… To get them under logrotate's control, I created /etc/logrotate.d/httpd with this content:

/var/log/www/*.log {
  missingok
  daily
  notifempty
  sharedscripts
  postrotate
        /bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null || true;
  endscript
}

Of course it would need some adjustment for your setup.
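
The ownership condition described in the reply above (the log directory and every parent directory owned by root), as an added example that is not part of the original posts: a script that walks from a log directory up to / and reports each directory that is not root-owned or is writable by group or others. It assumes GNU stat as shipped on Debian; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: audit an Apache log directory and all of its parents.
# Assumes GNU coreutils stat (Debian). Function names are hypothetical.

# perm_ok UID MODE -> returns 0 only if the owner is root (uid 0) and the
# octal MODE has no group-write or other-write bit set. This is strict:
# sticky world-writable directories such as /tmp (1777) are flagged too.
perm_ok() {
    [ "$1" -eq 0 ] || return 1
    [ $(( 0$2 & 022 )) -eq 0 ] || return 1
    return 0
}

# audit_log_dir DIR -> prints one "UNSAFE" line per offending directory
# between DIR and /. Returns 0 if all are safe, 1 if any is unsafe,
# 2 if DIR cannot be entered.
audit_log_dir() {
    a_dir=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "cannot access: $1" >&2
        return 2
    }
    a_rc=0
    while :; do
        a_info=$(stat -c '%u %a' "$a_dir")
        a_uid=${a_info% *}
        a_mode=${a_info#* }
        if ! perm_ok "$a_uid" "$a_mode"; then
            echo "UNSAFE $a_dir (uid=$a_uid mode=$a_mode)"
            a_rc=1
        fi
        [ "$a_dir" = "/" ] && break
        a_dir=$(dirname "$a_dir")
    done
    return $a_rc
}

# Stand-alone use, e.g.:  sh audit.sh /var/log/www
if [ "$#" -gt 0 ]; then
    audit_log_dir "$1"
fi
```
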

Thank you for all the help Beek!
