1

Possible Duplicate:
What are the best linux permissions to use for my website?

I'm searching for an easy way to organize web server directories on Linux.

Users can use FTP to upload their web pages onto the server. But if they do this, the files are owned by the user themself and the web server can't write to them.
I'm searching for a solution that

  1. allows users to upload stuff to the server
  2. allows the web server to create/delete/manipulate files
  3. allows the users to remove the web server's ability to manipulate certain files/directories for additional application security.

How would I do this?

Community
  • 1
OH NO WHAT IS THIS
  • 11
  • 1

1 Answers1

0

The simplest solution would be to add your web server user (www-data for example) to each user's group and set read/write permissions for the group.

Alternatively, you can use Access Control List (ACL) to set up very fine-grained permissions on files and directories, including a revoke-able (by the owner of the file) special access for your web server user. Details will depend on your distribution, consult documentation. Here's how you could do it on Ubuntu for example.

Damn Terminal
  • 537
  • 3
  • 7
  • Wouldn't your first solution allow users to modify the files of another user by running scripts as the web server? Also, I'm afraid I can't use ACLs on my VPS, is there any other solution? – OH NO WHAT IS THIS Dec 08 '12 at 01:47
  • > Wouldn't your first solution allow users to modify the files of another user by running scripts as the web server? Yes, don't let them run scripts as the web server user. Also, users may use the webserver to read private files of other users – Damn Terminal Dec 08 '12 at 02:01
  • But that's the point of the web server. Users have access to the server so they can upload and publish their web pages. Thinking about it, it's probably impossible to prevent users from changing other users' files without running multiple instances of PHP/whatever (as a different web server user), isn't it? – OH NO WHAT IS THIS Dec 08 '12 at 02:09
  • It's probably a good idea to run multiple instances of PHP/whatever, so that each runs under the user using it. However, you can give the web server rights to read and execute scripts, without giving it write permissions to them (751 where the user is the owner, and www-data belongs to the group). You can also prevent files readable by www-data to be viewable but other users. Don't run scripts as www-data and disable symlinking to other people's files, with [disable_symlinks if_not_owner](http://nginx.org/en/docs/http/ngx_http_core_module.html#disable_symlinks) in nginx for example. – Damn Terminal Dec 08 '12 at 02:15