1

I had my own private VPS that my hosting service managed and now I am switching to a cloud server where I have to manage everything myself. I am trying to mimic their secure setup that they had. On my old & new server, I have my users/websites set up like those listed below. My Apache Virtual Hosts have these as the DocumentRoot, so they are running right now:

/home/user1/site1.com
/home/user1/site2.com

/home/user2/site3.com

/home/user3/site4.com
.....

Basically on my old VPS, the Apache web server could run all of these sites, and at the same time, each user did not have access to the other user's files (in case one site got hacked, the hacker couldn't access the rest of the sites). I noticed that directories had 755 and files 644 permissions.

The way I have it set up now, everything in these user directories is in the www-data group, and the directories have 775 and files 664 permissions. Files from one user's website are accessible from another user's website (not good).

How do I set up the permissions to mimic my old VPS described above?

EDIT: After further studying, I should note that I set my server up to run http/2. I found that Apache MPM-ITK is actually required for separating vhosts based on user/group. However, Apache MPM-ITK is not compatible with http/2. I'm not sure what else to do except abandon http/2 in order to get the mpm-itk mod?

peppy
  • Possible duplicate of [What permissions should my website files/folders have on a Linux webserver?](https://serverfault.com/questions/357108/what-permissions-should-my-website-files-folders-have-on-a-linux-webserver) – Andrew Schulman Mar 06 '18 at 00:22

1 Answer

0

This may be a stretch, but you may be able to accomplish this with some simple Linux permissions.

If the users' directories are owned by the user/usergroup (i.e., user23:user23), you may be able to get by with adding the apache user to the user's group.

usermod -a -G user23 apache

The usermod command will append (-a) the following group (-G) to the user (in the above case, Apache).

Haven't tried it out. Normally I would add this as a comment instead of an answer, but I have to have 50 rep to comment -_-

  • Another user will also need to add apache user to their group, right? In that case, users will be able to write to each others' directories using the apache user (web server), no? – Rehmat Apr 15 '19 at 20:41
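
An added example, not part of the question or answer above: a shell audit for the mode bits discussed in this thread, assuming the answer's layout in which each tree is owned user:user and the web server account is a member of that group. The function names and the 750/640 target modes are assumptions of this example; it flags group-writable and other-accessible entries, which covers the question's 775/664 setup and the write concern raised in the comment.

```shell
#!/bin/sh
# Added example: audit site trees for mode bits that break per-user isolation.
# Assumption: each tree is owned user:user and the web server account belongs
# to that group, so it needs group read/traverse only (no write, no "other").

# Print every non-symlink entry under $1 that is group-writable or has any
# "other" permission bit (read, write or execute) set.
audit_docroot() {
    find "$1" ! -type l \
        \( -perm -020 -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Number of offending entries under $1.
count_findings() {
    audit_docroot "$1" | wc -l | tr -d ' '
}

# Tighten $1: directories 750, regular files 640.
# Note: 640 also clears execute bits, so CGI-style scripts need separate care.
harden_docroot() {
    find "$1" -type d -exec chmod 750 {} +
    find "$1" -type f -exec chmod 640 {} +
}

# Constructed demo tree using the question's current modes (775 dirs, 664 files).
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/user1/site1.com/uploads"
    echo '<?php // constructed sample file' > "$root/user1/site1.com/index.php"
    chmod 775 "$root/user1" "$root/user1/site1.com" "$root/user1/site1.com/uploads"
    chmod 664 "$root/user1/site1.com/index.php"
    echo "before: $(count_findings "$root/user1") finding(s)"
    audit_docroot "$root/user1"
    harden_docroot "$root/user1"
    echo "after:  $(count_findings "$root/user1") finding(s)"
    rm -rf "$root"
}

demo
```

With these modes the web server account can read but not write through group membership, and other local users get no access; code running inside the web server process can still read every site it serves.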