I'm trying to learn about permissions on a Linux web server with Apache.
Some clues to the system:
The server I have to play around with is Fedora based. Apache runs as apache:apache. To allow for e.g. PHP to write to a file, the file needs to be chmod 777. 755 is not sufficient.
What I'm wondering is basically how to set up permissions like they should be on e.g. a "shared web host".
My main problem is that if I set a permission so that one user cannot access another's home folder, then apache can't read from the public_html folder either.
To keep the users out I need to set chmod 700. But to let apache read I need to have at least execute on world, so a 701 basically works, but won't let some users in.
So I'm really stuck on what to do. I have been considering adding the apache user to the four groups below to avoid having to add the world execute flag, but is that a bad thing? Should it be the other way around, i.e. the users in the groups below should also be in the apache group?
I was aiming at having 4 groups:
1. webapp: same as dev_int, but is the only one that can go inside the webapp/live folder to e.g. do an update from the repo.
2. dev_int: can read, write and execute everything in the "web root", including the two below, but nothing outside of the web root.
3. dev_ext: can read, write and execute in all client folders, but cannot access anything outside of the webapp root.
4. clients: basic FTP accounts. They have a home folder with a public_html, but cannot access any other home folders.
An example of folder structure (no users in the aforementioned groups can go outside of webroot):
- webroot
  - some_project      :dev_int only
  - webapp
    - live            :webapp only
    - staging         :dev_int and :dev_ext
  - clients           :dev_int and :dev_ext
    - client_1        :dev_int, :dev_ext and client1:clients
      - public_html
    - client_1        :dev_int, :dev_ext and client1:clients
  - dev
    - developer_1     developer_1:dev_int OR :dev_ext
      - public_html
    - developer_1     developer_1:dev_int OR :dev_ext
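As an added illustration (not part of the original post), the following Python models the owner/group/other check that governs the 700 vs 701 question above and evaluates the group-membership options the post weighs (apache added to the users' group, or the home directory group-owned by apache). All paths, users and groups in it are constructed.

```python
# Added example, not from the original post: a small model of the Unix
# owner/group/other check, used to compare the home-directory settings the
# question weighs. Paths, users and groups below are constructed.
# path -> (owner, group, mode), modelled on the post's client_1 layout
BASE_TREE = {
    "/home/client_1": ("client_1", "clients", 0o700),
    "/home/client_1/public_html": ("client_1", "clients", 0o755),
    "/home/client_1/public_html/index.php": ("client_1", "clients", 0o644),
}
# user -> groups the user belongs to ("stranger" is any unrelated account)
BASE_GROUPS = {"apache": {"apache"}, "client_1": {"clients"},
               "client_2": {"clients"}, "stranger": {"users"}}
R, X = 4, 1  # read and search bits of the "other" class; shifted for group/owner

def allowed(user, owner, group, mode, bit, groups):
    """Owner bits if owner, else group bits if a member, else other bits.
    The class is chosen first: a group member never falls through to the
    other bits, even when those are more permissive."""
    if user == owner:
        return bool(mode & (bit << 6))
    if group in groups.get(user, set()):
        return bool(mode & (bit << 3))
    return bool(mode & bit)

def can_read(user, path, tree, groups):
    """Reading needs x on every ancestor listed in tree, then r on the file."""
    parts = path.strip("/").split("/")
    for i in range(1, len(parts)):
        parent = "/" + "/".join(parts[:i])
        if parent in tree and not allowed(user, *tree[parent], X, groups):
            return False
    return allowed(user, *tree[path], R, groups)

def compare_home_modes():
    """Per home-directory setting: can (apache, client_2, stranger) read index.php?"""
    target = "/home/client_1/public_html/index.php"
    scenarios = {
        "700, group clients": (("client_1", "clients", 0o700), {}),
        "701, group clients": (("client_1", "clients", 0o701), {}),
        "710, apache in clients": (("client_1", "clients", 0o710), {"apache": {"apache", "clients"}}),
        "710, group apache": (("client_1", "apache", 0o710), {}),
    }
    results = {}
    for label, (home, extra_groups) in scenarios.items():
        tree = {**BASE_TREE, "/home/client_1": home}
        groups = {**BASE_GROUPS, **extra_groups}
        results[label] = tuple(can_read(u, target, tree, groups)
                               for u in ("apache", "client_2", "stranger"))
    return results
```

Only the last setting lets apache traverse the home directory while keeping both other clients and unrelated accounts out; adding apache to the shared clients group opens every client's home to every other client.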