Securing source code of each site running on apache server

Question

I have setup an instance of apache server(on ubuntu 12.04) and hosting two php websites on it. Websites are maintained by different teams and they don't want the code to be visible to the other team.

The code for websites is present in directories /etc/sites/team1 and /etc/sites/team2. Both teams have FTP access to server (using vsftpd). The webserver is running with user www-data' s credentials which belongs to www-data group. This means all the files that are present in the sites directory must have read permission for user www-data or group www-data. When users upload the file through FTP client, the file's owner and group are set to user and group of FTP user.

How an I set the default group of each uploaded through FTP server to www-data?

One way is to set FTP user's default group to www-data, but in that case FTP users of both sites will have group www-data and each file has atleast read permission for this group they will be able to see each other's code.

What would be the correct way to protect source code so that both are accessible to apache server but not the other team?

Answer 1

One quick solution for me is to have separate users groups for each website.

Answer 2

While ravdhaw solution is correct I would also suggest looking at the jail possibilities of vsftpd. You could jail the users on their own web directories and this would be the only directories that they will be able to see. You could check this answer on serverfault:

https://serverfault.com/questions/229664/jail-linux-user-to-directory-for-ftp-login

You should check out suphp which will make your installation a bit more secure, as the processes will be run by the file owner and therefore will not have access to other users files.