Proper Web Hosting Permissions Setup
I host a few smaller websites for people and I'm having some trouble working out how I want my permissions setup… I'm planning on setting them up with a SCP-only shell, as to prevent them from actually running commands.
The end goal is for every user to not be able to read ANY of the files of any other user's web directory. The exception being root of course.
I've heard good things about setting up users with their own directory in their home folder. This solves the problem of users seeing eachother's files. Each user could potentially have multiple domains names (meaning multiple htdocs folders), is it feasible to create the following folder structure?
/home/
`--- user1/
`--- domain1.com/
`--- htdocs/
`--- logs/
`--- random_aliased_folder/
`--- domain2.com/
`--- htdocs/
`--- logs/
`--- random_aliased_folder/
`--- user2/
`--- domain3.com/
`--- htdocs/
`--- logs/
`--- random_aliased_folder/
`--- domain4.com/
`--- htdocs/
`--- logs/
`--- random_aliased_folder/
`--- domain5.com/
`--- htdocs/
`--- logs/
`--- random_aliased_folder/
`--- domain6.com/
`--- htdocs/
`--- logs/
`--- random_aliased_folder/
Obviously apache needs full write permissions for logs/ and read permissions for htdocs/ and randomaliasedfolder/… It may also need write permissions to certain files (think htdocs/config.inc.php), if only temporarily. Will this make log rotation hard? IE logs/accesslog -> logs/accesslog.0908.gz…
How involved will something like this be? I'm planning on moving my /home directory over to my second partition, so I don't have to move stuff around if I redeploy.
Any light anyone could shed on this project would be helpful.
Thanks,
Smark
3 Replies
You can get around that by having a different instance/copy of apache running for each user, each under a different apache ID. I don't think that puts much strain on the server.
But I think you can do what you want. See the VirtualHost directive.
@Neal:
You can get around that by having a different instance/copy of apache running for each user, each under a different apache ID. I don't think that puts much strain on the server.
Alternatively, you can use suPHP or run PHP under CGI/FastCGI - which is much simpler than having a different apache instance for each user!