Linux web server permissions

Red Squirrel

No Lifer
May 24, 2003
70,359
13,682
126
www.anyf.ca
Normally when I set up a server I don't really care about permissions, I do a lot of nasty chmod 777 * and stuff to easily get away with permission issues, since I'm the only one with access anyway.

But for a server that may be used for webhosting, how do I go about setting permissions in home directories so that programs like apache/php can still read/write to the user's web data but other users can't read or write to them? I'm guessing I need to add the user apache to each user's group and chmod 770 but I'm not too sure how to go about that, or if that's even how I should do it. Any tips would be appreciated, thanks.
 

Red Squirrel

Is there a way without installing more stuff? I was thinking simply a crafty permission scheme or something. There's no yum or apt-get on this server and can't get those to install, so installing stuff is pure hell atm.
 

doan

Golden Member
Dec 17, 2000
1,445
0
76
I think you can chown -R apache:apache {directory name} for whatever directories apache needs to use. Then disable reading and writing for all other users.
 

Red Squirrel

Is there a way to make a file owned by multiple users? Since I still need the user to be able to ftp stuff to their folders. Or should I chown it user:apache maybe?
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Originally posted by: RedSquirrel
Normally when I set up a server I don't really care about permissions, I do a lot of nasty chmod 777 * and stuff to easily get away with permission issues, since I'm the only one with access anyway.

And that's probably one of the big reasons that you run into so many obscure problems.

Originally posted by: RedSquirrel
Is there a way without installing more stuff? I was thinking simply a crafty permission scheme or something. There's no yum or apt-get on this server and can't get those to install, so installing stuff is pure hell atm.

Are you even sure it's Linux then?
 

Red Squirrel

Yeah it's RH Enterprise server. I don't understand why it did not come with yum. It's a RH/FC standard. Whatever I try to install requires tons of dependencies. I managed to install VMware, that surprisingly went in smooth, but anything else no go.
 

jfall

Diamond Member
Oct 31, 2000
5,975
2
0
Originally posted by: RedSquirrel
Yeah it's RH Enterprise server. I don't understand why it did not come with yum. It's a RH/FC standard. Whatever I try to install requires tons of dependencies. I managed to install VMware, that surprisingly went in smooth, but anything else no go.

If it's Enterprise, try using up2date
 

Red Squirrel

Hmmm cool, so this is just like yum? Could not install yum or apt with it but I could install postfix. I can maybe try to fix apache with it. It's also totally botched, it refuses to read files beyond 2 directory levels. It's more than just a permission issue now. Virtual hosts don't work at all, keeps saying it can't find the path even though it DOES exist. If I put all my files in the default home directory, it won't read them.... what a mess.
 

Nothinman

Originally posted by: RedSquirrel
Yeah it's RH Enterprise server. I don't understand why it did not come with yum. It's a RH/FC standard. Whatever I try to install requires tons of dependencies. I managed to install VMware, that surprisingly went in smooth, but anything else no go.

Yum is not standard for RH, just FC. AFAIK up2date will only work with official RH repositories so you'll be a lot more limited in what you can install with it.

Originally posted by: RedSquirrel
It's also totally botched, it refuses to read files beyond 2 directory levels. It's more than just a permission issue now. Virtual hosts don't work at all, keeps saying it can't find the path even though it DOES exist. If I put all my files in the default home directory, it won't read them.... what a mess.

No, it almost certainly is a permissions issue. Make sure apache has permissions on every directory from root down to where you put the files that you can't read, if apache can't get to any of them it'll fail.
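
The check suggested in the reply above (every directory from root down must be passable for the web server's user), as an added example that is not part of the original thread. It looks at classic mode bits only, so ACLs and SELinux denials are outside what it can see; the path in the usage comment is a constructed sample, and `applicable_bits` and `first_blocked` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the thread. Checks classic mode bits only: ACLs and
# SELinux are not evaluated. Assumes GNU stat (stat -c) and a non-root UID.

# applicable_bits MODE OWNER GROUP UID "GIDS": print the rwx digit (0-7) that
# applies to UID: owner class first, then group, then other.
applicable_bits() {
    local m=$((0$1)) g          # leading 0 makes the shell read MODE as octal
    if [ "$4" -eq "$2" ]; then echo $(( (m >> 6) & 7 )); return 0; fi
    for g in $5; do
        if [ "$g" -eq "$3" ]; then echo $(( (m >> 3) & 7 )); return 0; fi
    done
    echo $(( m & 7 ))
}

# first_blocked PATH UID "GIDS" [START]: walk from START (default /) down to
# PATH and print the first component UID cannot pass. Directories need search
# (x); a final non-directory needs read (r). Prints nothing when the path is
# clear; returns 2 if a component cannot be examined.
first_blocked() {
    local target="${1%/}" uid="$2" gids="$3" start="${4:-/}"
    local cur rest info mode owner group bits need
    cur="${start%/}"                  # empty string when START is /
    rest=${target#"$cur"}             # components still to descend
    while :; do
        info=$(stat -c '%a %u %g' -- "${cur:-/}") || return 2
        mode=${info%% *}; info=${info#* }; owner=${info% *}; group=${info#* }
        bits=$(applicable_bits "$mode" "$owner" "$group" "$uid" "$gids")
        need=1                                        # x bit for a directory
        if [ ! -d "${cur:-/}" ]; then need=4; fi      # r bit for a file
        if [ $(( bits & need )) -eq 0 ]; then echo "${cur:-/}"; return 0; fi
        if [ -z "$rest" ]; then return 0; fi
        rest="${rest#/}"                              # drop the leading slash
        cur="$cur/${rest%%/*}"                        # descend one component
        case "$rest" in */*) rest="/${rest#*/}" ;; *) rest="" ;; esac
    done
}

# Usage (constructed path): sh check_path.sh /home/alice/public_html apache
if [ "$#" -eq 2 ]; then
    first_blocked "$1" "$(id -u "$2")" "$(id -G "$2")"
fi
```

An empty result while Apache still reports the path as missing means the denial is coming from something other than mode bits.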
 

Red Squirrel

Turned out to be SELinux. I forgot that was on by default now. Disabled it and everything works. Though the permissions are not properly set at the moment so still need to figure out what is the best way to set them so users can ftp their stuff and apache can still access them, and once I configure mail I'll also have to make it so postfix and dovecot can access the home directories, but that's a different issue, but I want to keep that in mind as well. I was looking on my current webhost and noticed some folders are chowned as the user, but as nobody for the group. Is this the best way of doing it?
 

Nothinman

No, the 'nobody' user shouldn't own anything IMO because that user shouldn't be used for anything. Generally Apache has its own user called apache, www-data or something.