Originally Posted by X-Rayden
...we give him a .zip, he unzip it to the specified directory, then he can use it...
I've no idea who 'he' is so I'm going to assume that the following happens - you upload a .zip file through a web interface of your CMS which then gets installed by the CMS as a module. If my assumption is correct then here is what's happening:
When you upload anything through web interface any files written to the filesystem are written by a web server hence these files belong to 'apache'.
If you followed instructions above any such files will also belong to a group 'web' because we have set a 'sticky' bit on all directories, forcing all newly created files to inherit the group ownership from the parent directory.
Therefore such files/directories will belong to apache:web. Because the dafault UMASK is 0022, files will have 644 permissions, meaning that users in group 'web' will be able to read them (4) but not write to them.
The same thing happens to files created directly by user 'webadmin', only now files/directories belong to webadmin:web. So for these files Apache (as a member of 'web') will be able to read them but won't be able to, say, create new files in those directories because of your UMASK.
I hope the above make sense.
So if you want, as the 'webadmin' user, to be able to write to files created by Apache you need the following: (a) directories where Apache creates these files must belong to group 'web' and must have 'sticky' bit set (we did this above), (b) both 'webadmin' and 'apache' must be members of group 'web' (we did this too), (c) files that get created must be created writable by the group (6).
To accomplish (c) we must change UMASK with which Apache creates files and directories from 0022 to 0002 (or 0007 as I would do since I don't have any need to give any permissions to 'others').
To change Apache's UMASK on CentOS:
echo "umask 002" >> /etc/sysconfig/httpd
(or "umask 007")
service httpd restart
Don't forget that all those files that have already been created won't be changed so you'll need to change group write permissions for them yourself with 'chmod g+w'
Hope this helps.