File/folder permissions and groups on Linux with Apache
- by phobia
I'm trying to learn about permissions on a Linux web server with Apache.
Some clues to the system:
The server I have to play around with is Fedora based. Apache runs as apache:apache. To allow e.g. PHP to write to a file, the file needs to be chmod 777. 755 is not sufficient.
What I'm wondering is basically how set up permissions like they should be on e.g. a "shared web host".
My main problem is that if I set a permission so that one user cannot access another's home folder, then apache can't read from the public_html folder either.
To keep the users out I need to set chmod 700. But to let apache read, I need to have at least execute on world, so 701 basically works, but won't let some users in.
So I'm really stuck on what to do. I have been considering adding the apache user to the four groups below to avoid having to add the world execute flag, but is that a bad thing? Should it be the other way around, i.e. the users in the groups below should also be in the apache group?
I was aiming at having 4 groups:
1. webapp
same as dev_int, but is the only one that can go inside the webapp/live folder to e.g. do an update from the repo.
2. dev_int
can read, write and execute everything in the "web root", including the two below, but nothing outside of the web root
3. dev_ext
can read, write and execute in all client folders, but cannot access anything outside of the webapp root
4. clients
Basic FTP accounts. Has a home folder with a public_html, but cannot access any other home folders
An example of folder structure:
webroot                  no users in the aforementioned groups can go outside of here
  some_project           :dev_int only
  webapp
    live                 :webapp only
    staging              :dev_int and :dev_ext
  clients                :dev_int and :dev_ext
    client_1             :dev_int, :dev_ext and client1:clients
      public_html
  dev
    developer_1          developer_1:dev_int OR :dev_ext
      public_html
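The question above comes down to how the kernel picks which of the three permission triplets applies to a process, and why that makes "apache is in the group" and "the user is in apache's group" behave very differently. The following is an added example, not code from the original post: a small model of the Unix discretionary access check, run over three versions of the client_1 home directory. The uid/gid numbers are constructed (Fedora's apache user and group happen to be 48, the others are made up), and the model deliberately ignores root, POSIX ACLs and SELinux.

```python
# Added example, not code from the original post: a model of the Unix
# permission check used to compare the layouts discussed above.
from dataclasses import dataclass

R, W, X = 4, 2, 1   # the read, write and search/execute bits of one triplet


@dataclass(frozen=True)
class Inode:
    name: str
    mode: int   # permission bits only, e.g. 0o710
    uid: int
    gid: int


@dataclass(frozen=True)
class Process:
    uid: int
    gids: frozenset   # primary group plus supplementary groups


def bits_for(node: Inode, proc: Process) -> int:
    """Select the owner, group or other triplet the way the kernel does:
    the first matching class decides and later classes are not consulted,
    so 0o710 gives the group 'x' but gives the world nothing."""
    if proc.uid == node.uid:
        return (node.mode >> 6) & 7
    if node.gid in proc.gids:
        return (node.mode >> 3) & 7
    return node.mode & 7


def can_access(path: list, proc: Process, want: int) -> bool:
    """Every directory on the way needs search (x) permission; the final
    component needs the requested bits (r to read a file, w+x on a
    directory to create a file inside it)."""
    if any(bits_for(d, proc) & X != X for d in path[:-1]):
        return False
    return bits_for(path[-1], proc) & want == want


# Constructed ids: Fedora's apache user and group are 48, the rest are made up.
APACHE, CLIENTS, CLIENT1, CLIENT2 = 48, 1000, 1001, 1002
apache = Process(uid=APACHE, gids=frozenset({APACHE}))
client1 = Process(uid=CLIENT1, gids=frozenset({CLIENT1, CLIENTS}))
client2 = Process(uid=CLIENT2, gids=frozenset({CLIENT2, CLIENTS}))
# The "other way around" from the post: an ordinary client added to group apache.
client2_in_apache = Process(uid=CLIENT2, gids=frozenset({CLIENT2, CLIENTS, APACHE}))


def report(home_mode, pub_mode, file_mode, uploads_mode, gid, other):
    """Who can read /home/client_1/public_html/index.php and who can drop a
    file into .../public_html/uploads, for one choice of modes and group."""
    home = Inode("client_1", home_mode, CLIENT1, gid)
    pub = Inode("public_html", pub_mode, CLIENT1, gid)
    index = Inode("index.php", file_mode, CLIENT1, gid)
    uploads = Inode("uploads", uploads_mode, CLIENT1, gid)
    return {
        "apache reads index.php": can_access([home, pub, index], apache, R),
        "other reads index.php": can_access([home, pub, index], other, R),
        "owner reads index.php": can_access([home, pub, index], client1, R),
        "apache writes uploads": can_access([home, pub, uploads], apache, W | X),
        "other writes uploads": can_access([home, pub, uploads], other, W | X),
    }


def as_posted():
    """701 home, 755/644 below it, 777 upload dir: apache gets in, but so does every local user."""
    return report(0o701, 0o755, 0o644, 0o777, gid=CLIENT1, other=client2)


def group_apache():
    """Group apache on the tree, 710/750/640 and a 770 upload dir: apache gets
    in through the group bits, other local users are stopped at the home dir."""
    return report(0o710, 0o750, 0o640, 0o770, gid=APACHE, other=client2)


def users_in_apache_group():
    """Same hardened tree, but with users put into group apache instead of the
    reverse: every such user inherits apache's reach into other homes."""
    return report(0o710, 0o750, 0o640, 0o770, gid=APACHE, other=client2_in_apache)


if __name__ == "__main__":
    for name, fn in [("as posted", as_posted), ("group apache", group_apache),
                     ("users in apache group", users_in_apache_group)]:
        print(name)
        for check, ok in fn().items():
            print(f"  {check:26} {'yes' if ok else 'no'}")
```

The model shows the two halves of the answer: giving the directories the apache group and mode 710/750 (and 770 instead of 777 where PHP must write) lets apache traverse and write without granting the world anything, while putting users into group apache does the opposite, since the group triplet then applies to every one of them in every home. On a real Fedora host the group is set with chgrp and the setgid bit (chmod g+s) on shared directories makes new files inherit it; SELinux still enforces its own labels on top of this, so home directories served by httpd need the matching context and boolean as well.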