[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Root-like filesystem permissions.



hello,

On Fri, Aug 01, 2003 at 10:00:27AM +0900, Nathan Ollerenshaw wrote:
 
> The apache daemon runs as a "www" user and group, and everyone domain 
> has a unique userid and groupid assigned to it. The apache daemon runs 
> in a chroot. (Therefore, the /etc/passwd and /etc/group entries for 
> user sites only exist in the chroot - so that CGIs will work correctly).
> 
> This works fine, however it has some flaws.
> 
> Currently, permissions on the customer directories need to be lax 
> enough for the apache daemon to read the files. This means at least 771 
> for the docroot (which disables multi).
> 
> What I would LIKE is to have all permissions on customer files and 
> directories to be 700 or 600 respectively (except for executable CGIs 
> of course).

I have a similar setup on my servers and I use POSIX ACLs
(http://acl.bestbits.at/) to get finer filesystem permissions.

the permissions for customer files are 700/600. then I manupulate
the acl to grant www-data read access for the files. 

root@web3:/sites/domainuid# getfacl -m u:www-data:r-x htdocs

root@web3:/sites/domainuid# getfacl htdocs/
# file: htdocs
# owner: domainuid
# group: domaingid
user::rwx
user:www-data:r-x
group::r-x
mask::r-x
other::---

you can also have default acls, so all new files below this directory
will inherit this permissions.

but the best thing for this case would be to migrate to
apache2-mpm-perchild, if it ever becomes stable :-)

regards

buz

-- 
This is a free country. You have a right to send me email, and I have a right
not to read them!

GnuPG Fingerprint: 2FFF FC48 C7DF 1EA0 00A0  FD53 8C35 FD2E 6908 7B82

Attachment: pgpd89zZIrXRc.pgp
Description: PGP signature


Reply to: