LinuxQuestions.org
Old 05-21-2009, 06:23 AM   #1
XeroXer
LQ Newbie
 
Registered: Jun 2008
Location: Västerås, Sweden
Distribution: Arch Linux, Debian, Ubuntu
Posts: 21

Rep: Reputation: 16
Question Setting up apache2 and vsftpd with correct permissions


Hi all!

I have been having some problems setting up my webserver.
I have installed apache2 and vsftpd and I'm trying to set up the web folder permissions.

Right now all my pages are stored in /var/www and then a folder named after the vhost, ex: /var/www/www.example.com
The owner of the folder is root:root and then via acl I added my user (xeroxer:xeroxer), the vsftpd user (ftp:nogroup) and the apache2 user (www-data:www-data) with rwx permissions.

This setup works for my user since I get access to all the files with all permissions, so via ssh I can edit all the sites' content.
The vsftpd user is set up so a user with the name www.example.com is created with the dir /var/www/$USER.
This makes the vsftpd user unique for every vhost and the vsftpd user has full permission over the folders and files.

Now to the problem:
The www-data user is used for every vhost and the permissions are maxed out. This creates the problem that the page www.example.com can access the files for www.example2.com, because it has full permission for those files too.
It also creates the problem with making files not writable, as in config files. Because the acl permissions are set to rwx the user always has full access, and if you configure the chmod as the vsftpd user no changes are made for the www-data user.

Now I don't know the best web setup for this but many webhosts seem to make it work.
The only way I can think of is for every vhost you create a server user with a homedir:
vhost: www.example.com
user: www.example.com
homedir: /home/www.example.com
Then you somehow make it so that the webserver uses the user permissions (www.example.com:www-data) for that folder.
And somehow you also configure the vsftpd user to be www.example.com with the exact same permissions as the apache2 user.
I don't know if this is possible or if it's a good solution, just the only way I could think of right now.

Maybe someone knows a good setup to use for my webserver or agrees that this is a good setup and can help me solve the remaining problems.

Right now all my configuration is stored in files and maybe someone has some ideas on how to store it in a mysql database instead, making it so much easier to control via a webpanel.

Thanks in advance...
 
Old 06-03-2009, 08:27 AM   #2
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Slackware 10.1/10.2/12, Ubuntu 12.04, Crunchbang Statler
Posts: 3,786

Rep: Reputation: 282
I don't know if it's a good setup, but I use it like that on an intranet. The reason is that I don't (didn't) exactly know how to give users permissions on /var/www without compromising security.

My tree looks like the one below. I'm the only maintainer of the websites, so the . (dot) is my home directory. If each website is maintained by its own 'user', the . (dot) represents /home (and there are users commandcentre and tacroom in the example below).

Code:
.
|-- commandcentre [drwxr-xr-x]
|   `-- www [drwxr-xr-x]
|       `-- ils [drwxr-xr-x]
|           |-- inc [drwxr-xr-x]
|           `-- web [drwxr-xr-x]
|               `-- files [drwxrwxr-x]
`-- tacroom [drwxr-xr-x]
    `-- www [drwxr-xr-x]
        `-- scheduler [drwxr-xr-x]
            |-- inc [drwxr-xr-x]
            `-- web [drwxr-xr-x]
                `-- files [drwxrwxr-x]

'apache' will be able to read the full directory tree with the default permissions, so no issues there.
web is the document-root for each website.
inc is the 'include' directory where I store all 'sensitive' php files (e.g. those that contain usernames and passwords for database access); it will never be accessible by browsers, but 'apache' can access it.

The only issue comes when apache needs to write in (one of) those directories. In my case that is when users generate reports that they can download. I have a special subdirectory files for that and I used to change the permissions and ownership but that was not exactly what I wanted.

Since this morning I use an acl entry on each subdirectory files that allows apache to write there. See http://www.linuxquestions.org/questi...-group-730046/

Using vsftpd, it's easy to jail the users to their home directories. Be aware that users need access to both inc and web, so their entry point should be above these in the tree.

PS Please note that the tree might have too many layers for your needs and you can safely remove the ones marked in blue.

Last edited by Wim Sturkenboom; 06-03-2009 at 08:39 AM. Reason: Added permissions to the tree
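
The layout and ACL entry described in post #2, sketched as an added example that is not part of either poster's message. The function names are hypothetical, `www-data` is the web server account named in post #1, and `grant_web_write` assumes setfacl(1) and an ACL-enabled filesystem.

```shell
#!/bin/sh
# Added example: per-site tree from post #2, built with explicit modes.
# Function names are hypothetical; www-data is the account named in post #1.

# make_site_tree HOME_DIR SITE -> HOME_DIR/www/SITE/{inc,web/files}
make_site_tree() {
    site="$1/www/$2"
    mkdir -p "$site/inc" "$site/web/files"
    # Owner writes; everyone else (including the web server) only reads.
    chmod 755 "$1" "$1/www" "$site" "$site/inc" "$site/web"
    # Report/upload directory: group-writable, as in the posted tree.
    chmod 775 "$site/web/files"
}

# grant_web_write DIR [USER]: ACL entry so the web server can write in DIR only.
# Needs setfacl(1) and a filesystem mounted with ACL support; run as root or owner.
grant_web_write() {
    setfacl -m "u:${2:-www-data}:rwx" "$1"
}

# audit_tree ROOT: print directories that are group- or world-writable
# but are not a "files" directory, i.e. places where write access has leaked.
audit_tree() {
    find "$1" -type d \( -perm -020 -o -perm -002 \) ! -name files -print
}

# Demo on a constructed tree in a temporary directory (no root needed).
demo_root=$(mktemp -d)
make_site_tree "$demo_root/tacroom" scheduler
echo "unexpected writable dirs: [$(audit_tree "$demo_root")]"
rm -rf "$demo_root"
```

On a real host, `grant_web_write /home/tacroom/www/scheduler/web/files` adds the entry for one site, and `getfacl` on that directory shows it.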
 
  


All times are GMT -5.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration