I have a server running Apache as web server. I need two user accounts to upload web content via scp, for example a WordPress installation.

When I configure those users and upload the files, they are owned by the user who uploaded them. In that case the Apache user is not allowed to modify them. The same happens when the WordPress installation is used to upload media files: the upload user doesn't have access to them.

So I have files uploaded by one of the two upload users, and files uploaded via the web application (owned by Apache, with its permissions). All three should be able to fully handle the files (add, delete, modify, ...).

Any ideas how this can be done?

Gerhard

1 Answer

You can use the mpm-itk multiprocessing module for Apache ( http://mpm-itk.sesse.net/ ). It allows the virtual hosts to run as any user.

Similar functionality can be reached with php-fcgi combined with suexec ( http://www.fastcgi.com/drupal/node/5?q=node/10 ).

I voted for the first, but the second is more popular.

Maybe you should configure your scp/sftp service to use a chrooted environment in the users' home directories; it isn't really simple either. If you have problems with it, I am waiting for your next question here.

And you could use ACLs ( man setfacl ) if you have some extra wish, although they aren't really needed. I never found any problem which wasn't solvable with these tools.

peterh
  • 1, 2) But I have 2 users that upload to the web content. Which user would I then run Apache under? If I ran Apache for the virtual host as user1, user2 could not access it any more. It does not completely solve my issue, but it is still an interesting thing. 3) The chroot environment would not solve the permission problem. In fact it would increase it, as I would shield the users more from each other. But thanks. – Gerhard Feb 18 '14 at 14:49
  • @Gerhard You could put them in a group, and the web server could also run in this group, but as a third user. In this case, you need to set setgid (chmod g+s) on the directories of the webroot. Don't worry, the directory setgid hasn't anything to do with the setuid on executables. In case of some extra wish you could use ACLs to fine-tune the settings, although it isn't always really needed. – peterh Feb 18 '14 at 14:52
  • setgid ... sounds like a great hint. I will check that! Thanks. – Gerhard Feb 18 '14 at 14:58
  • This is NOT a nice solution. Lots of people recommend not using such systems because it is the same after all as giving the web server user permission to the folders... So the same as creating an SSH wrapper allowing the web server user to connect through SSH. – DrGkill Feb 18 '14 at 15:03
  • @DrGkill Of course the web server should have _only_ read permission to the files. This can be reached with ACLs or with some simpler permission fine-tuning, too. And - again of course - the files of the different users/vhosts should be separated from each other; this can be done with chrooted scp folders and running every vhost with a different uid. – peterh Feb 18 '14 at 15:06
  • @Peter Horvath If the vhost is running with a uid which is able to read/write in a chroot folder, how different is it from a classic web server having the ability to read/write in a chroot dir?? – DrGkill Feb 18 '14 at 15:08
  • @PeterHorvath Not entirely true. The web server needs write permission to certain parts of the web content to upload media files. Read-only would therefore not be enough. – Gerhard Feb 18 '14 at 15:15
  • @Gerhard You are right, but hopefully a man chmod, man setfacl could solve this problem. – peterh Feb 18 '14 at 15:17
  • @DrGkill 1: The different users are separated from each other (i.e. a user can't destroy or steal the files of another). 2: Of course Apache should by default have only read permission, with the exception of the well-defined folders, which don't have PHP execution permission. This can be reached with the chmod, chown, chgrp and setfacl commands. – peterh Feb 18 '14 at 15:19
  • I am still interested in the SELinux approach ... just to know my options. :) Any hint on the direction to look into? --- Where did the answer with SELinux go??? – Gerhard Feb 18 '14 at 15:40
  • @Gerhard : there ;) – DrGkill Feb 18 '14 at 15:59