
Re: Users, groups, rights and apache please advice



> I got the following situation:
>     A server (debian stable) running a number of domains 
>     For each domain I've created a group, and everybody that has
> something to do with this domain is in that group
>     I want everybody in the group to be able to change the website of
> that domain, and everybody who's not in that group shouldn't even be
> able to read the files (because of plain text database passwords that
> can often be found in files like db.php)
>     So I use a umask of 007, everything looks good so far
>     However Apache doesn't quite like it, Apache can't read the files
> (obviously) and the Group directive works only for CGI :-( (within a
> virtualhost)

Hi,
Perhaps the following would work?  Set /usr/sbin/apache to be run as user
www-data (this user should exist by default in a Debian installation), 
then add the www-data user to all of the appropriate domain groups?

For instance, in /etc/init.d/apache, add the flag "--chuid www-data" to
all of the invocations of "start-stop-daemon --start".  Or you could use
"dpkg-statoverride --update --add www-data www-data 4755 /usr/sbin/apache"  
to accomplish essentially the same thing.  Then the relevant lines in 
/etc/group should be made to look something like this:

domain1:x:1000:user1,user2,www-data
domain2:x:1001:user3,user4,www-data
[etc.]

This will also require you to change the ownership of apache's log
directory so it can still write there, and maybe other things as well.  I
have not tested any of this, so caveat emptor!

Of course, realize that if your offending database files (db.php) are
included within the domain directories and apache can read them, then so
can anyone on the Web who happens to type the right URL to reach them.

-- 
Kevin McCarty                Physics Department
kmccarty@princeton.edu       Princeton University
www.princeton.edu/~kmccarty  Princeton, NJ 08544
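The scheme proposed in the reply (per-domain groups, umask 007, www-data added to every domain group) can be checked on paper before touching /etc/group. The following is an added example, not code from the original message or from Debian: it models the classic owner/group/other access check and the effect of the umask on newly created files, using the group memberships quoted in the reply. The numeric uids/gids, the file path and the assumption that every user's primary group is a private group of the same name (Debian's default) are constructed for the illustration.

```python
"""Model of the permission scheme discussed in the thread: per-domain groups,
umask 007, and www-data added to every domain group.  Added example, not code
from the original message; ids and paths are constructed."""

import stat

# Constructed accounts.  Group names and membership mirror the /etc/group lines
# quoted in the reply; the numeric ids are invented.  We assume (Debian's
# default) that each user's primary group is a private group of the same name,
# so only supplementary group membership matters for the domain directories.
USERS = {"user1": 1001, "user2": 1002, "user3": 1003, "user4": 1004, "www-data": 33}
GROUPS = {
    "domain1": ("user1", "user2", "www-data"),
    "domain2": ("user3", "user4", "www-data"),
}


def groups_of(user):
    """Supplementary groups a user belongs to (what `id -Gn user` would list)."""
    return {g for g, members in GROUPS.items() if user in members}


def created_mode(umask, directory=False):
    """Permission bits a new file or directory gets under `umask`.

    open(2)/creat(2) request 0666 for files and mkdir(2) requests 0777 for
    directories; the kernel clears every bit that is set in the umask.
    Note that the umask only affects files created afterwards; existing
    files keep their mode until chmod'ed.
    """
    base = 0o777 if directory else 0o666
    return base & ~umask & 0o777


def allowed(user, owner, group, mode, want):
    """Classic Unix access check (no ACLs, no capabilities).

    Exactly one permission class applies: the owner bits if `user` owns the
    file, otherwise the group bits if `user` is in the file's group,
    otherwise the 'other' bits.  `want` is stat.S_IROTH / S_IWOTH / S_IXOTH
    (the 'other' column) and is shifted into whichever class applies.
    """
    if user == owner:
        shift = 6
    elif group in groups_of(user):
        shift = 3
    else:
        shift = 0
    return bool(mode & (want << shift))


def can_read(user, owner, group, mode):
    return allowed(user, owner, group, mode, stat.S_IROTH)


def can_write(user, owner, group, mode):
    return allowed(user, owner, group, mode, stat.S_IWOTH)


def report(umask):
    """Who can read and write /var/www/domain1/db.php (owned user1:domain1)
    after user1 creates it under the given umask."""
    mode = created_mode(umask)
    return {
        "mode": oct(mode),
        "readers": sorted(u for u in USERS if can_read(u, "user1", "domain1", mode)),
        "writers": sorted(u for u in USERS if can_write(u, "user1", "domain1", mode)),
    }


if __name__ == "__main__":
    for um in (0o007, 0o022):
        print(f"umask {um:03o}: {report(um)}")
```

With umask 007 the file comes out 0660: user1, user2 and www-data can read and write it, user3 and user4 get nothing, which is exactly what the poster asked for. With the usual umask 022 it comes out 0644 and every account on the box can read the database password. One consequence of the design worth keeping in mind: because www-data sits in every domain group, a script served from domain1 runs as www-data and can read domain2's db.php just as well; the model above confirms that (`can_read("www-data", "user3", "domain2", 0o660)` is true). On a Debian host the membership step itself is `adduser www-data domain1` rather than hand-editing /etc/group.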


