Advice on Apache and file permissions..
Looking for some advice on file permissions with apache and the best way to make things work..
Currently I have 5 sites on my server.. I use apache with mod_fcgid to run php..
My typical setup till now involved creating a user account for each domain name with a public_html file in the home directory then through suexec running php as that user/group which meant file permissions were never an issue (my guess is this isn't the best in terms of security?)..
Apart from the potential security issues of all web files being writeable I have another issue in that each "site" is spawning its own php processes under its own username.. Not very memory efficient!!
So I want to change the setup so that all apache and php processes run under the default www-data user.. This will mean php processes are shared between sites meaning less memory usage..
At the same time I want to only have the web server user able to write to the "files" directory with read only to all other files.. Finally I would like any developers to be able to winscp into the "sites" home directories and edit or upload files and still have them run correctly on the site without having to fiddle with permissions..
So really the question is how to manage file permissions and user/group settings for files?
Is it best to add the www-data user to the "site" user's groups?
Is it better to set the group ownership of all files to www-data?
Is setting the "setgid" options the way to make sure permissions are maintained so the webserver can access the files?
When files are uploaded from a website they will obviously have user and group permissions of www-data, how would I allow developers access to those files? Do you have to add the "site" users to the www-data group?
Sorry if this has been answered a million times, I just couldn't find a definitive answer/guide on the best way to set it all up..
Thanks for any advice..
1 Reply
@wipeout:
Currently I have 5 sites on my server.. I use apache with mod_fcgid to run php..
My typical setup till now involved creating a user account for each domain name with a public_html file in the home directory then through suexec running php as that user/group which meant file permissions were never an issue (my guess is this isn't the best in terms of security?)..
I use suEXEC because it is actually more secure than having everything readable/writable by the apache user. This way each website/user can only read/write from their own PHP files. This matters, especially since many PHP config scripts include a database username/password. I've never had a memory issue, but then my websites aren't massively busy. You can reduce the memory by a) reducing the number of PHP processes that fcgid spawns for each website, and b) reducing the PHP memory limit in php.ini.
If you don't like using suEXEC, what most people do is give each website its own user/group (as you have already done). The only change is that the folders/files which you would like PHP to be able to write to have to be world-writable.
@wipeout:
When files are uploaded from a website they will obviously have user and group permissions of www-data, how would I allow developers access to those files? Do you have to add the "site" users to the www-data group?
I've always used suEXEC so I haven't thought of this before, I'm sure others will be able to help. What you could do is run a cron script to make sure the permissions of newly uploaded files are correct.
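
The cron cleanup suggested in the reply, combined with the setgid idea from the question, as an added example that is not part of the thread. It uses a shared group and setgid directories instead of world-writable modes, so accounts outside the group get no access to uploads. Assumptions: a hypothetical per-site group (`site1-web`) that contains the developers and the web server user, uploads confined to the site's "files" directory, and the job running from the web server user's crontab.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Assumptions: each site keeps uploads in its own "files" directory, a
# hypothetical per-site group (e.g. site1-web) contains the developers and
# the web server user, and this runs from the web server user's crontab.

# normalize_uploads DIR GROUP
#   every entry   -> group GROUP
#   directories   -> 2770 (setgid: new uploads inherit GROUP)
#   regular files -> 0660 (no execute bit, nothing for "other")
normalize_uploads() {
    dir=$1
    group=$2
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "normalize_uploads: not a real directory: $dir" >&2
        return 1
    fi
    # find does not follow symlinks by default, so a link planted in the
    # upload tree is never handed to chgrp/chmod.
    # chgrp runs first: an unprivileged chgrp can clear the setgid bit on files.
    find "$dir" \( -type d -o -type f \) ! -group "$group" \
        -exec chgrp "$group" {} +
    find "$dir" -type d ! -perm 2770 -exec chmod 2770 {} +
    find "$dir" -type f ! -perm 0660 -exec chmod 0660 {} +
}

# Constructed crontab entry (script path and site path are placeholders):
# */10 * * * * . /usr/local/lib/normalize_uploads.sh && normalize_uploads /home/site1/public_html/files site1-web
```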