Proper Web Hosting Permissions Setup

Hey all,

I host a few smaller websites for people and I'm having some trouble working out how I want my permissions set up… I'm planning on setting them up with an SCP-only shell, so as to prevent them from actually running commands.

The end goal is for every user to not be able to read ANY of the files of any other user's web directory. The exception being root of course.

I've heard good things about setting up users with their own directory in their home folder. This solves the problem of users seeing each other's files. Each user could potentially have multiple domain names (meaning multiple htdocs folders); is it feasible to create the following folder structure?

/home/
`--- user1/
     `--- domain1.com/
          `--- htdocs/
          `--- logs/
          `--- random_aliased_folder/
     `--- domain2.com/
          `--- htdocs/
          `--- logs/
          `--- random_aliased_folder/
`--- user2/
     `--- domain3.com/
          `--- htdocs/
          `--- logs/
          `--- random_aliased_folder/
     `--- domain4.com/
          `--- htdocs/
          `--- logs/
          `--- random_aliased_folder/
     `--- domain5.com/
          `--- htdocs/
          `--- logs/
          `--- random_aliased_folder/
     `--- domain6.com/
          `--- htdocs/
          `--- logs/
          `--- random_aliased_folder/

Obviously apache needs full write permissions for logs/ and read permissions for htdocs/ and random_aliased_folder/… It may also need write permissions to certain files (think htdocs/config.inc.php), if only temporarily. Will this make log rotation hard? I.e. logs/accesslog -> logs/accesslog.0908.gz…

How involved will something like this be? I'm planning on moving my /home directory over to my second partition, so I don't have to move stuff around if I redeploy.

Any light anyone could shed on this project would be helpful.

Thanks,

Smark

3 Replies

You should be able to do all that with proper configuration of apache. Though you should be aware that if you have a single instance of apache running all these web sites, it will be possible for your users to write php or perl scripts that could be invoked by apache to read data in other users' folders. That's because the user "apache" that is running one user's scripts is the same user that can read all the apache related files for all users.

You can get around that by having a different instance/copy of apache running for each user, each under a different apache ID. I don't think that puts much strain on the server.

But I think you can do what you want. See the VirtualHost directive.

@Neal:

You can get around that by having a different instance/copy of apache running for each user, each under a different apache ID. I don't think that puts much strain on the server.

Alternatively, you can use suPHP or run PHP under CGI/FastCGI - which is much simpler than having a different apache instance for each user!
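
An added example, not part of the original thread or any reply: a POSIX shell audit of the `/home/<user>/<domain>/{htdocs,logs}` layout from the question that reports mode bits breaking per-user isolation. The finding labels, the 0750 home policy (owner = user, group = web server group) and the assumption that httpd is started as root, so it opens log files before dropping privileges, are choices made for this example.

```sh
#!/bin/sh
# Added example (not from the thread): audit the /home/<user>/<domain>/ layout
# from the question for mode bits that break per-user isolation.
# Assumed policy: each home is owner=<user>, group=<web server group>, mode 0750,
# and httpd is started as root, so it opens log files before dropping privileges.

# audit_webroots BASE -> prints one finding per line, nothing if clean.
audit_webroots() {
    base=$1
    for home in "$base"/*/; do
        [ -d "$home" ] || continue
        home=${home%/}

        # 1. Any r/w/x bit for "other" on the home directory exposes the tree
        #    below it to every local account, i.e. every other hosted user.
        find "$home" -prune \( -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec printf 'HOME-OPEN-TO-OTHER %s\n' {} \;

        # 2. World-writable files or directories anywhere in the tree,
        #    e.g. a config.inc.php left at 666 after an installer ran.
        find "$home" ! -type l -perm -002 \
            -exec printf 'WORLD-WRITABLE %s\n' {} \;

        # 3. logs/ directories writable by group or other (under the
        #    assumption above, only root needs to write there).
        for logdir in "$home"/*/logs; do
            [ -d "$logdir" ] || continue
            find "$logdir" -prune \( -perm -020 -o -perm -002 \) \
                -exec printf 'LOGS-WRITABLE %s\n' {} \;
        done
    done
    return 0
}

# Usage: audit_webroots /home
```

This only covers the filesystem side; scripts executed by a shared apache user, the issue raised in the first reply, still need suPHP or per-user CGI/FastCGI as suggested above.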
