Permissions configuration for web server

Greetings!

I have a Solaris workstation that I use for web hosting. It runs SAMP and everything was working well for me until I needed to add a couple of co-workers to help me with development. I'm trying to find some guidance on how to set up filesystem permissions so everybody would be able to upload their PHP scripts to the workstation without permission issues. By no means am I a system administrator, just using my limited skillset to get things done :)

So here is my current setup. I don't really know if it's correct, but I'm in a secure environment and it gets things done:

  • All web pages are in /www directory (documentRoot).
  • Apache runs under webservd user, no shell configured for that user.
  • /www belongs to my UNIX login, so I can upload scripts to /www.
  • Subdirectories in /www that are used for uploads through a web page (when a user sends a file to the server) belong to webservd. And that's cool since they have no PHP scripts in them.

Now the project is growing and I need to add a couple of guys who should be able to upload their PHP scripts to /www.

Here are a couple of ways I've figured out so far:

1) I give them my password - (not cool, like I did not try to figure the right thing out)
2) I create a new UNIX user (upload) and change /www owner to that - (again, the password has to be shared, so it's just a little better)
3) Find the right way to do it (that's pretty much why I'm writing this post :))

Any ideas/help to point me in the right direction are greatly appreciated!

Thank You,
PN.

That's the sort of thing groups are for. Users belonging to the group the folder belongs to will be able to create, edit, and delete files inside it as long as you chmod g+rwx foldername. Files they create will belong to themselves.

Either add them to the group the folder belongs to, or create a new group for them, add them to it, and chown the folder to it. New group might be preferable if you want to avoid the webserver being able to write to the folder!

Do not brute-force it with chmod 777, that's a security nightmare.

Other things you might consider doing to the shared folder are making it group-sticky (so that new files will belong to the group), and sticky, like /tmp/ is, so users can only delete files which belong to them. You can control the permissions their files are created with via their umask.

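The directory modes recommended in the reply above (group-writable, setgid, sticky, not world-writable), as an added shell example that is not part of the original thread. The group name `webdev` and the paths passed to the functions are assumptions.

```shell
#!/bin/sh
# Added example. Group name and paths are assumptions, not from the thread.
# Usage (as root): setup_shared_dir /www webdev && audit_shared_dir /www

# setup_shared_dir DIR [GROUP]: group-writable, not world-writable,
# setgid so new files inherit the directory's group, sticky so users
# can delete only their own files (as on /tmp).
setup_shared_dir() {
    mkdir -p -- "$1" || return 1
    if [ -n "${2:-}" ]; then
        chgrp -- "$2" "$1" || return 1   # needs root or membership in GROUP
    fi
    # Symbolic modes: some systems refuse to set setgid on a directory numerically.
    chmod u=rwx,g=rwx,o=rx -- "$1" && chmod g+s,+t -- "$1"
}

# audit_shared_dir DIR: print one finding per line; return the finding count
# (99 if DIR is missing or not a directory).
audit_shared_dir() {
    # First 10 characters of ls -ld: type, then rwx triplets for user/group/other.
    mode=$(ls -ld -- "$1" | cut -c1-10)
    case $mode in
        d?????????) ;;
        *) echo "not a directory: $1"; return 99 ;;
    esac
    n=0
    case $mode in
        ????????w?) n=$((n+1)); echo "world-writable (the chmod 777 case)" ;;
    esac
    case $mode in
        ?????w????) ;;
        *) n=$((n+1)); echo "group cannot write" ;;
    esac
    case $mode in
        ??????[sS]???) ;;
        *) n=$((n+1)); echo "setgid missing: new files keep the creator's primary group" ;;
    esac
    case $mode in
        ?????????[tT]) ;;
        *) n=$((n+1)); echo "sticky missing: group members can delete each other's files" ;;
    esac
    return "$n"
}
```

A directory that passes the audit lists as `drwxrwsr-t`; files created in it by users with umask 002 are group-writable and carry the directory's group.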

First of all, if I were you, all Apache docs would be in /var/apache/public_html; of course, you need to set up Apache and PHP to read content from the location I mentioned.

Second, as Corona688 said, a UNIX user can have one primary group and up to 15 secondary groups to which he or she can belong, so give those guys permissions to read and write in the apache directory. I usually gave apache as a second group, so if he or she puts something on the web server, he or she can do it without my root password.


Thank you very much, guys!