Newbie question about permissions on Apache document root

I'm a n00b here and I'm just setting up my new Linode for the first time.

I'm working through the guides to get a LAMP stack installed (using the Arch Linux 2012.07 distro - I'm most familiar with Arch from the desktop, so it seemed the best choice). I've got all the components working, with two virtual hosts (domain1.com and domain2.com) in respective document roots as follows:

/srv/http/domain1.com/public_html

/srv/http/domain2.com/public_html

Test HTML or PHP files in those directories work fine.

What I'm wondering about is the correct permissions, group and ownership of the files within the respective public_html directories. I have added a normal user ('my_user') and would like to create and edit files in these directories when logged in as that user. What's the best way to go about this? Currently the directories are owned by root, in the http group, and the permissions are 755. Is it OK to change ownership recursively of the public_html directory to be owned by my_user? Also, which groups should my_user be in?

Thanks in advance for any help. This process is a bit scary for someone not used to being a sysadmin, but it's exciting too!

4 Replies

Your public_html should be in your user's home directory. You will need to enable the userdir module in Apache. Exactly how you do this depends on the distro you are using. Restart Apache and make sure that your user's home directory has the "x" permission enabled, or userdirs won't work.

You should then be able to access the files in /home/youruser/public_html:

http://yourserver.com/~yourname

Since the files are in your own home directory, they should be owned by you.

[Edit since you are using Arch]

See https://wiki.archlinux.org/index.php/Apache#User_dirs which gives full instructions for userdirs in Arch.

OK that makes sense. I had somehow got myself confused between the LAMP library guide for Arch and the general one.

Since I'm using VirtualHosts in Apache, and will want to have 2 or more domains under one of the users' home directories, should I do something like this:

~/public_html/domain1.com/public_html

~/public_html/domain2.com/public_html

and then point the DocumentRoot for each VirtualHost entry to the correct directory? Providing that I make ~ and ~/public_html executable, I'm assuming that should allow access to the subdirectories within each domain.

Thanks very much for your help.

I don't think that you can do what you want using userdirs. I suggest that for each vhost you create a directory under the main web root. Here's a snippet from one of my vhosts. Users will then need to upload their files to the directory, so you need to set file permissions to let them do that. One way to do that is to add your users to the httpd group. However, that will let them upload to any of the vhosts, which may not be what you want.

Another possibility is to chown the vhost directory to the user.group who will be using it. I am not sure what the security implications of this are, so maybe someone else will advise.

    <VirtualHost 109.74.196.44:80>
        ServerAdmin webmaster@wilkesley.org
        ServerName http://www.wilkesley.org
        ServerAlias wilkesley.org

        DocumentRoot /srv/http/vhosts/wilkesley.org/
        <Directory /srv/http/vhosts/wilkesley.org/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride All
            Order allow,deny
        </Directory>
    </VirtualHost>

I've just tried adding my own user account (bsag) to the http group, and then using chmod to make the relevant public_html directory in /srv/http/domain1.com writeable by the group. The public_html directory is owned by root and the group is set as http. That allows me to SFTP files there while logged in as bsag, and it seems to work as far as serving the HTML files. I'll wait to hear from others about whether that's a bad idea security-wise. I think I could live with others being able to upload to any vhost, as there are probably other ways I could get around that, and these are people I know and trust.
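
The write-access question left open in this thread can be checked on the document root itself. The script below is an added example, not code posted by anyone in the thread; it assumes the Apache workers run with the `http` group mentioned above, and the function names and the sample `cache` directory are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): audit who can write inside a docroot.
# Assumption: the Apache workers run with the group passed as $2 ("http" here).

# Entries any local account can modify (symlink mode bits are meaningless).
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Entries in the server's group with the group-write bit set: the Apache
# process, and any PHP it executes, can create or alter these.
server_writable() {
    find "$1" ! -type l -group "$2" -perm -0020 -print
}

# Print findings; return 0 = clean, 1 = server-writable only, 2 = world-writable.
audit_docroot() {
    root=$1; group=$2; level=0
    sw=$(server_writable "$root" "$group")
    ww=$(world_writable "$root")
    if [ -n "$sw" ]; then
        printf 'writable by group %s:\n%s\n' "$group" "$sw"
        level=1
    fi
    if [ -n "$ww" ]; then
        printf 'world-writable:\n%s\n' "$ww"
        level=2
    fi
    return "$level"
}

# Constructed sample tree mirroring the thread's layout; prints its path.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/domain1.com/public_html/cache"
    : > "$t/domain1.com/public_html/index.html"
    chmod 755 "$t" "$t/domain1.com"
    chmod 775 "$t/domain1.com/public_html"        # the g+w from the last post
    chmod 644 "$t/domain1.com/public_html/index.html"
    chmod 777 "$t/domain1.com/public_html/cache"  # constructed bad case
    printf '%s\n' "$t"
}

# Run as: sh audit.sh /srv/http/domain1.com/public_html http
if [ "$#" -eq 2 ]; then audit_docroot "$1" "$2"; fi
```

A return code of 1 on a directory meant for uploads is the trade-off described in the last post: members of the group can write there, and so can the server process.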
