Re: Root-like filesystem permissions.


On Fri, Aug 01, 2003 at 10:00:27AM +0900, Nathan Ollerenshaw wrote:
> The apache daemon runs as a "www" user and group, and every domain 
> has a unique userid and groupid assigned to it. The apache daemon runs 
> in a chroot. (Therefore, the /etc/passwd and /etc/group entries for 
> user sites only exist in the chroot - so that CGIs will work correctly).
> This works fine, however it has some flaws.
> Currently, permissions on the customer directories need to be lax 
> enough for the apache daemon to read the files. This means at least 771 
> for the docroot (which disables multi).
> What I would LIKE is to have all permissions on customer files and 
> directories to be 700 or 600 respectively (except for executable CGIs 
> of course).

I have a similar setup on my servers and I use POSIX ACLs
(http://acl.bestbits.at/) to get finer filesystem permissions.

The permissions for customer files are 700/600. Then I manipulate
the ACL to grant www-data read access for the files. 

root@web3:/sites/domainuid# setfacl -m u:www-data:r-x htdocs

root@web3:/sites/domainuid# getfacl htdocs/
# file: htdocs
# owner: domainuid
# group: domaingid
user::rwx
user:www-data:r-x
group::---
mask::r-x
other::---

You can also have default ACLs, so all new files below this directory
will inherit these permissions.

But the best thing for this case would be to migrate to
apache2-mpm-perchild, if it ever becomes stable :-)
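The setup described in this reply (owner-only 700/600 modes, a named ACL entry granting the web server read access, default ACLs for inheritance) is easy to get subtly wrong, so an added example follows. It is not code from the post or from the ACL package; it emits the setfacl commands the policy implies for one customer docroot, and it audits `getfacl` output against that policy (owner unrestricted, the web user read-only, nobody else granted anything, with the ACL mask applied the way the kernel applies it). The web server account name `www-data` and the two ACL listings are constructed for the example.

```python
"""Generate and audit the 700/600-plus-ACL policy for per-customer docroots.

Added example (not from the mailing-list post).  Assumptions: the web server
runs as `www-data`; the getfacl listings below are constructed, not captured.
"""
from typing import Dict, List, Tuple

# Constructed: what `getfacl htdocs` should show after
#   chmod 700 htdocs; setfacl -m u:www-data:r-x htdocs; setfacl -d -m u:www-data:r-x htdocs
SAMPLE_GOOD = """\
# file: htdocs
# owner: domainuid
# group: domaingid
user::rwx
user:www-data:r-x
group::---
mask::r-x
other::---
default:user::rwx
default:user:www-data:r-x
default:group::---
default:mask::r-x
default:other::---
"""

# Constructed: a leaky docroot (group/world readable, www-data writable).
SAMPLE_BAD = """\
# file: htdocs
# owner: domainuid
# group: domaingid
user::rwx
user:www-data:rwx
group::r-x
mask::rwx
other::r-x
"""

Entry = Tuple[str, str, str, str]  # (scope, tag, qualifier, perms)


def parse_getfacl(text: str) -> Tuple[Dict[str, str], List[Entry]]:
    """Split getfacl output into its '# key: value' header and ACL entries.

    scope is 'access' for the normal ACL and 'default' for 'default:...' lines
    (directories only).  getfacl's trailing '#effective:...' notes are dropped.
    """
    header: Dict[str, str] = {}
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
            continue
        parts = line.split("#", 1)[0].strip().split(":")
        scope = "access"
        if parts[0] == "default":
            scope, parts = "default", parts[1:]
        if len(parts) != 3:
            raise ValueError(f"unrecognised ACL line: {raw!r}")
        tag, qualifier, perms = parts
        entries.append((scope, tag, qualifier, perms))
    return header, entries


def effective(perms: str, mask: str) -> str:
    """Apply the ACL mask: a bit is effective only if set in both."""
    return "".join(p if (p != "-" and m != "-") else "-" for p, m in zip(perms, mask))


def audit_acl(text: str, web_user: str = "www-data") -> List[str]:
    """Return policy violations; an empty list means the ACL is compliant."""
    _, entries = parse_getfacl(text)
    findings: List[str] = []
    for scope in ("access", "default"):
        scoped = [e for e in entries if e[0] == scope]
        if not scoped:
            continue
        masks = [perms for _, tag, _, perms in scoped if tag == "mask"]
        mask = masks[0] if masks else "rwx"  # no mask entry: nothing is masked
        granted = False
        for _, tag, qual, perms in scoped:
            if tag == "mask" or (tag == "user" and qual == ""):
                continue  # the mask itself, and the owner (full control intended)
            # The mask bounds named users/groups and the owning group, never 'other'.
            eff = perms if tag == "other" else effective(perms, mask)
            if tag == "user" and qual == web_user:
                granted = "r" in eff
                if "w" in eff:
                    findings.append(f"{scope}: {web_user} can write ({eff})")
                continue
            if eff != "---":
                findings.append(f"{scope}: {tag}:{qual} has access ({eff})")
        if scope == "access" and not granted:
            findings.append(f"access: no entry grants {web_user} read access")
    return findings


def acl_commands(site_dir: str, web_user: str = "www-data") -> List[str]:
    """Shell commands that impose the policy on one customer docroot.

    Capital X (in both chmod and setfacl) sets execute only on directories and
    on files that already have it, so CGIs the customer made executable stay
    runnable while ordinary content is read-only for the web server.
    """
    return [
        f"chmod -R u=rwX,go= {site_dir}",                # 700 dirs / 600 files
        f"setfacl -R -m u:{web_user}:rX {site_dir}",     # existing tree
        f"setfacl -R -d -m u:{web_user}:rX {site_dir}",  # default ACL for new files
    ]


if __name__ == "__main__":
    print("\n".join(acl_commands("/sites/domainuid/htdocs")))
    print("good:", audit_acl(SAMPLE_GOOD) or "compliant")
    print("bad: ", audit_acl(SAMPLE_BAD))
```

One caveat the audit makes visible: a default ACL only sets the inherited entries, while the mask on a newly created file comes from the creating process's mode, so a file created 0600 under a default ACL will show `www-data` as `#effective:---` until the mask is widened; feeding the real `getfacl` output through `audit_acl` catches that case as a missing read grant.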



This is a free country. You have a right to send me email, and I have a right
not to read them!

GnuPG Fingerprint: 2FFF FC48 C7DF 1EA0 00A0  FD53 8C35 FD2E 6908 7B82

