Hello,
Is there a 'correct' way to set permissions on /var/www/example.com such
that I can have a specific user write to that folder, and have apache
use it for the Virtual Host example.com? I am running Apache 2.2 on
Debian 5 (Lenny).
While searching for a solution, the only relevant result I've found is
<http://serverfault.com/questions/6895/whats-the-best-way-of-handling-permissions-for-apache2s-user-www-data-in-var>
but that is from 2009 and I don't know if there's a better way now.
Here's a summary of what I've gathered is a way to do this (but I'm not
just trying it out because I don't want to create a hole that I forget
to fix while undoing everything):
1. Create a new group `www-examplecom` and add the users
`example-editor` and `www-data` to it. The former is the regular user I
want to have access to the files for that Virtual Host and the latter is
the Apache user which may need to upload files using PHP.
2. Change ownership of `/var/www/example.com` to `root:www-examplecom`
3. Change permissions of `/var/www/example.com` directory (and
subdirectories) to 0775 to give owner and group read/write/execute and
then to 2775 to set SetGID to ensure files created under
`/var/www/example.com` are created under `www-examplecom`
4. Change permissions of files under `/var/www/example.com` to 0664 to
read/write for users.
5. Change umask for user `example-editor` to 0002 so that files are
created by him in a way that allows them to be edited by the group as
well.
6. Set umask in the PHP program to 0002 so that files are created by
user `www-data` in a way that allows them to be edited by the group as
well.
You might wonder why I need to give `example-editor` access to this
host. Quite simply, I have a friend who I agreed to host and I need him
to be able to write to this folder on his own. However, I don't want him
doing something foolish and killing us all, so I can't just give him the
root password.
Is this the right way to go about things?
Regards,
--
Roshan George <roshan at arjie.com>
