LinuxQuestions.org
Old 11-01-2015, 07:22 AM   #1
AdultFoundry
Member
 
Registered: Jun 2015
Posts: 245

Rep: Reputation: Disabled
What is the best way of enabling non-root access to /var/www/html?


Based on this article:

http://www.ducea.com/2006/07/27/allo...ectory-chroot/

...it can be achieved by mounting /var/www/html in non-root user's home directory:

Code:
 
mkdir /home/user_one/htdocs
mount --bind /var/www/html /home/user_one/htdocs
Also, related to this, I just looked at /etc/vsftpd/vsftp.conf file and I have the following line set like this (on / not uncommented):

Code:
chroot_local_user=YES
At the same time I am able to access all files and folders through sftpd. Is the mount --bind a good or the best way to go, or should I consider something else?

Thanks.

Edit:

Another option is this:

"If you need to have write access via a different userid than root then leave the files/directories owned by root and use a different group. Put your ftp user in that group but do not add the apache user, leave that having readonly access via the "other" permission settings."

I mean, I may need to do this anyway to enable access, even if I would go with the mount --bind solution, I am not sure...

Last edited by AdultFoundry; 11-01-2015 at 07:50 AM.
 
Old 11-01-2015, 08:16 PM   #2
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.8, Centos 5.10
Posts: 17,240

Rep: Reputation: 2324
Creating a new group and adding your user to that is certainly one way & fairly common; enables any num of users to be added easily.

mount --bind is a bit unusual and restricts you to the one user.
Not sure you can expand that to >1 user and not sure I'd want to try multiple --bind mounts.

Another option is to leave the main dir as is and use the UserDir option https://httpd.apache.org/docs/2.4/ho...blic_html.html which is easily extensible to other users but prevents them from altering the main dirs.

Ultimately your choice.
 
Old 11-01-2015, 08:40 PM   #3
frieza
Senior Member
 
Registered: Feb 2002
Location: harvard, il
Distribution: Ubuntu 11.4,DD-WRT micro plus ssh,lfs-6.6,Fedora 15,Fedora 16
Posts: 3,200

Rep: Reputation: 397
or you COULD just create a virtual host with the document root in your home directory, or create a user to place the document root in its home directory
 
Old 11-01-2015, 11:13 PM   #4
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 16,822

Rep: Reputation: 2408
/var/www needs to be owned by the user "apache"
mounting it in /home/YOUR-USER-NAME/var/www is going to cause problems

and will likely end up with a web site that is very insecure and very easily hacked

as above why not just use a vhost
most major distros HAVE this built in
as in you have a ~/public folder

i used the vhost approach to share personal files ( ~/Public)
if a family member or friend needed something i would put it there and email them the username and password
 
Old 11-02-2015, 04:30 AM   #5
AdultFoundry
Member
 
Registered: Jun 2015
Posts: 245

Original Poster
Rep: Reputation: Disabled
It looks like creating a group and assigning this new user to this group is the best and most standard / classic way to go. I will stick to this...

Thanks.
 
Old 11-02-2015, 06:28 AM   #6
Smokey_justme
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 534

Rep: Reputation: 203
Quote:
Originally Posted by AdultFoundry View Post
It looks like creating a group and assigning this new user to this group is the best and most standard / classic way to go. I will stick to this...

Thanks.
Either this or setfacl... To be honest I like giving group permissions with setfacl to a second group (not apache) and set users to that specific group... I also use this because of the "default" permission capability (so that if something gets created with root or by the webserver, the users in that group get implicit permission to that file)
 
Old 11-02-2015, 07:15 AM   #7
AdultFoundry
Member
 
Registered: Jun 2015
Posts: 245

Original Poster
Rep: Reputation: Disabled
UserDir directive option does not sound bad too. I know that:

1) I want to have the website files in folders like this - /var/www/html/domain-name.com (one separate folder per domain)
2) I would want to enable user_one to have access to all of these, and anything that may be created by programs on CentOS7, if this may be the case
3) I would like to limit access through ftp, for the user_one to /home/user_one (he can add directories there, and do whatever he wants there or underneath it) and give him full access to anything that may be in /var/www/html
4) I may need to create another user, let's say, and give him full access to /var/www/html/website-100.com through ftp, and nothing else (without home directory for this user, let's say). This may be needed for something like migrating website from one script to another and people would log in to the server and get all the files and pictures from there. They could have access to one of the mariadb databases on the server too (for this site, if needed).

So something along these lines. And what would be the best, most common, standard way of doing this? The mount option does not seem to be good for it, but when I read the article it sounds good. Person from Silicon Valley, advising this on his consulting website, and so on. Like I said, I don't have good perspective on this yet, so it is better to ask on the forum, if there is a way to get some answers to this.

Last edited by AdultFoundry; 11-02-2015 at 07:20 AM.
 
Old 11-02-2015, 03:30 PM   #8
AdultFoundry
Member
 
Registered: Jun 2015
Posts: 245

Original Poster
Rep: Reputation: Disabled
Is this what I want to do / is this correct?:

Code:
# run as root
setfacl -m d:u:user_one:rwx /var/www/html
... and that's it?

And then I would just limit ftp access with vsftp config file (allow only /home/user_one and /var/www/html, and possibly add a link to /var/www/html so the user could get there, when he logs in?). If the link solution sounds like a correct one, would I do a hard or soft link?

Like I said, I am looking for the most standard / clean / 2015 / book solution to this. This does not sound like it is 100 there...

Last edited by AdultFoundry; 11-02-2015 at 03:37 PM.
 
Old 11-02-2015, 05:14 PM   #9
Smokey_justme
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 534

Rep: Reputation: 203
The command above will give those implicit permission to any new file added there... But I would use
Code:
setfacl -m d:u:user_one:rwX -R /var/www/html
This will set a default of executable only to new directories, not to new files and will also set default for every directory that already exists


You would also need to do:
Code:
setfacl -m u:user_one:rwx -R /var/www/html
to actually give effective permission to the directory and to any files that are already in it to the user..

But that's pretty much it..

P.S. There is no "standard" solution here... You choose what fits best or with which you are the most comfortable

Last edited by Smokey_justme; 11-02-2015 at 05:16 PM.
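
An added example (not from any poster in this thread): the group model quoted in post #1 and recommended in post #2, with an audit that flags the ways such a tree drifts out of shape. The group name `webedit` and both function names are assumptions; files keep their owner and the web server reads them through the "other" permission bits.

```shell
#!/bin/sh
# Added example. Assumed names: group "webedit", functions share_docroot/audit_docroot.
# Run as root for /var/www/html; the web server user is NOT put in the group.

# Give GROUP write access under DOCROOT while "other" (the web server) stays read-only.
share_docroot() {
    docroot=$1; group=$2
    chgrp -R "$group" "$docroot" || return 1
    # g+X adds execute only to directories and already-executable files.
    chmod -R g+rwX,o-w "$docroot" || return 1
    # setgid on directories: new entries inherit the group instead of the creator's.
    find "$docroot" -type d -exec chmod g+s {} + || return 1
}

# Print every entry that breaks the model; no output means the tree is clean.
audit_docroot() {
    docroot=$1; group=$2
    # Writable by everyone, including the web server: the case to avoid.
    find "$docroot" ! -type l -perm -0002 -print | sed 's/^/world-writable: /'
    # Outside the editing group, e.g. created before setgid was set.
    find "$docroot" ! -type l ! -group "$group" -print | sed 's/^/wrong group: /'
    find "$docroot" -type d ! -perm -2000 -print | sed 's/^/dir without setgid: /'
    # setgid passes on the group but not group write: a file created under
    # umask 022 lands here. Default ACLs (setfacl -d) are what close this gap.
    find "$docroot" ! -type l ! -perm -0020 -print | sed 's/^/not group-writable: /'
}

# Typical use (as root, with user_one already in the group):
#   share_docroot /var/www/html webedit
#   audit_docroot /var/www/html webedit
```
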
 
  


All times are GMT -5. The time now is 08:33 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration