LinuxQuestions.org


AdultFoundry 11-01-2015 06:22 AM

What is the best way of enabling non-root access to /var/www/html?
 
Based on this article:

http://www.ducea.com/2006/07/27/allo...ectory-chroot/

...it can be achieved by mounting /var/www/html in non-root user's home directory:

Code:


mkdir /home/user_one/htdocs
mount --bind /var/www/html /home/user_one/htdocs

Also, related to this, I just looked at /etc/vsftpd/vsftp.conf file and I have the following line set like this (on / not uncommented):

Code:

chroot_local_user=YES

At the same time I am able to access all files and folders through sftpd. Is the mount --bind a good or the best way to go, or should I consider something else?

Thanks.

Edit:

Another option is this:

"If you need to have write access via a different userid than root then leave the files/directories owned by root and use a different group. Put your ftp user in that group but do not add the apache user, leave that having readonly access via the "other" permission settings."

I mean, I may need to do this anyway to enable access, even if I would go with the mount --bind solution, I am not sure...

chrism01 11-01-2015 07:16 PM

Creating a new group and adding your user to that is certainly one way & fairly common; enables any num of users to be added easily.

mount --bind is a bit unusual and restricts you to the one user.
Not sure you can expand that to >1 user and not sure I'd want to try multiple --bind mounts.

Another option is to leave the main dir as is and use the UserDir option https://httpd.apache.org/docs/2.4/ho...blic_html.html which is easily extensible to other users but prevents them from altering the main dirs.

Ultimately your choice.
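An audit of the group-based layout discussed above (files not owned by the web server account, write access through a dedicated group, the web server reading via "other"), added here as an example that is not part of the original thread. The function name `audit_docroot`, the helper `count` and the `WEB`/`GRP` arguments are assumptions; pass whatever account and group your server actually uses.

```shell
#!/bin/sh
# Added example. WEB and GRP are assumptions (names or numeric ids).

# Count the paths that find prints for the given tests.
count() { echo $(( $(find "$@" 2>/dev/null | wc -l) )); }

# audit_docroot DIR WEB GRP
# Prints: web_owned=N wrong_group=N world_writable=N
# Returns 0 when all three are zero, 1 on findings, 2 on bad arguments.
audit_docroot() {
    dir=$1
    web=$2
    grp=$3
    [ -d "$dir" ] || return 2
    # find rejects unknown user or group names, so use it to validate them.
    find "$dir" -prune -user "$web" -group "$grp" >/dev/null 2>&1 || return 2

    # Anything the web server owns, it can chmod and rewrite.
    owned=$(count "$dir" -user "$web")
    # Editors get write access through GRP, so every entry should carry it.
    badgrp=$(count "$dir" ! -group "$grp")
    # "other" is the web server's class: readable, never writable.
    ww=$(count "$dir" ! -type l -perm -0002)

    echo "web_owned=$owned wrong_group=$badgrp world_writable=$ww"
    [ "$owned" -eq 0 ] && [ "$badgrp" -eq 0 ] && [ "$ww" -eq 0 ]
}

# Stand-alone use: sh audit.sh /var/www/html apache webedit
if [ "$#" -eq 3 ]; then
    audit_docroot "$@"
fi
```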

frieza 11-01-2015 07:40 PM

or you COULD just create a virtual host with the document root in your home directory, or create a user to place the document root in its home directory

John VV 11-01-2015 10:13 PM

/var/www needs to be owned by the user "apache"
mounting it in /home/YOUR-USER-NAME/var/www is going to cause problems

and will likely end up with a web site that is very insecure and very easily hacked

as above why not just use a vhost
most major distros HAVE this built in
as in you have a ~/public folder

I used the vhost approach to share personal files ( ~/Public)
if a family member or friend needed something I would put it there and email them the username and password

AdultFoundry 11-02-2015 03:30 AM

It looks like creating a group and assigning this new user to this group is the best and most standard / classic way to go. I will stick to this...

Thanks.

Smokey_justme 11-02-2015 05:28 AM

Quote:

Originally Posted by AdultFoundry (Post 5443549)
It looks like creating a group and assigning this new user to this group is the best and most standard / classic way to go. I will stick to this...

Thanks.

Either this or setfacl... To be honest I like giving group permissions with setfacl to a second group (not apache) and set users to that specific group... I also use this because of the "default" permission capability (so that if something gets created with root or by the webserver, the users in that group get implicit permission to that file)

AdultFoundry 11-02-2015 06:15 AM

UserDir directive option does not sound bad too. I know that:

1) I want to have the website files in folders like this - /var/www/html/domain-name.com (one separate folder per domain)
2) I would want to enable user_one to have access to all of these, and anything that may be created by programs on CentOS7, if this may be the case
3) I would like to limit access through ftp, for the user_one to /home/user_one (he can add directories there, and do whatever he wants there or underneath it) and give him full access to anything that may be in /var/www/html
4) I may need to create another user, let's say, and give him full access to /var/www/html/website-100.com through ftp, and nothing else (without home directory for this user, let's say). This may be needed for something like migrating website from one script to another (people would log in to the server and get all the files and pictures from there). They could have access to one of the mariadb databases on the server too (for this site, if needed).

So something along these lines. And what would be the best, most common, standard way of doing this? The mount option does not seem to be good for it, but when I read the article it sounds good. Person from Silicon Valley, advising this on his consulting website, and so on. Like I said, I don't have good perspective on this yet, so it is better to ask on the forum, if there is a way to get some answers to this.

AdultFoundry 11-02-2015 02:30 PM

Is this what I want to do / is this correct?:

Code:

# run as root
setfacl -m d:u:user_one:rwx /var/www/html

... and that's it?

And then I would just limit ftp access with vsftp config file (allow only /home/user_one and /var/www/html, and possibly add a link to /var/www/html so the user could get there, when he logs in?). If the link solution sounds like a correct one, would I do a hard or soft link?

Like I said, I am looking for the most standard / clean / 2015 / book solution to this. This does not sound like it is 100 there...

Smokey_justme 11-02-2015 04:14 PM

The command above will give those implicit permission to any new file added there... But I would use
Code:

setfacl -m d:u:user_one:rwX -R /var/www/html

This will set a default of executable only to new directories, not to new files and will also set default for every directory that already exists


You would also need to do:
Code:

setfacl -m u:user_one:rwx -R /var/www/html

to actually give effective permission to the directory and to any files that are already in it to the user..

But that's pretty much it..

P.S. There is no "standard" solution here... You choose what fits best or with which you are the most comfortable
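
The difference between the default ACL and the access ACL described in the reply above, as an added example that is not part of the original thread: it builds a throwaway directory holding one pre-existing file, applies the two `setfacl` steps in turn, and reports which paths carry an entry for the user. The helper names and the `ACL_UID` variable are assumptions, the invoking user's numeric uid stands in for user_one, and the access step uses `rwX` rather than `rwx` so plain files do not gain an execute entry.

```shell
#!/bin/sh
# Added example: works in a temporary directory, never under /var/www.
# ACL_UID (assumption) stands in for user_one; default is the caller's uid.

# Print the access-ACL permissions uid $2 holds on path $1, or "none".
acl_entry() {
    perms=$(getfacl -cnp "$1" 2>/dev/null |
        sed -n "s/^user:$2:\([rwx-]*\).*/\1/p")
    echo "${perms:-none}"
}

# True when setfacl exists and the temp filesystem accepts ACLs.
acl_supported() {
    command -v setfacl >/dev/null 2>&1 || return 1
    probe=$(mktemp -d) || return 1
    setfacl -m "u:$(id -u):r-x" "$probe" 2>/dev/null
    rc=$?
    rm -rf "$probe"
    return "$rc"
}

acl_demo() {
    uid=$1
    root=$(mktemp -d) || return 1
    mkdir "$root/site"
    : > "$root/site/old.html"        # exists before any ACL is set

    # Step 1: default ACL only. It is a template for future entries.
    setfacl -R -m "d:u:$uid:rwX" "$root"
    before=$(acl_entry "$root/site/old.html" "$uid")
    : > "$root/site/new.html"        # created under the default ACL
    new=$(acl_entry "$root/site/new.html" "$uid")

    # Step 2: access ACL, which covers what was already there.
    setfacl -R -m "u:$uid:rwX" "$root"
    after=$(acl_entry "$root/site/old.html" "$uid")
    dir=$(acl_entry "$root/site" "$uid")

    rm -rf "$root"
    echo "old_before=$before new=$new old_after=$after dir=$dir"
}

if acl_supported; then
    acl_demo "${ACL_UID:-$(id -u)}"
else
    echo "POSIX ACLs are not available here"
fi
```

The `old_before` field stays `none` until the second step has run, which is why both commands are needed on a directory that already has content.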


All times are GMT -5.