
Re: Apache and multiple Virtual Hosts best practices



Eric Wagar wrote:

I have an Apache web server with a few virtual hosts. The ftp is handled by proftpd, and I have multiple users defined. These users have their own uid and gid. The problem comes when Apache is uid apache and needs to write to the said directory.

I am wondering what other people have done to deal with this. Do people just set all the ftp users uid/gid to the same as the Apache uid/gid on the system? Obviously this would be an ok solution because apache uid/gid != root.

What are the other ways you guys have dealt with this?

Thanks
eric


If I have a directory that I want multiple users to write to this is what I do.

Create a group (any name will do)

# groupadd ftp_users

Edit the /etc/group file (there are tools to do this, but vi or emacs are what I prefer)

Change the line (your gid will probably be different)

ftp_users:x:503:

to

ftp_users:x:503:apache,user1,user2,user3,user4

Create a shared directory

# mkdir /var/ftp/pub/shared

Make the directory group owned and writable by ftp_users

# chgrp ftp_users /var/ftp/pub/shared

Set the permissions to allow anyone in that group to write to that directory. Also make the directory setgid. This is important, as the sticky bit, as it is called, will preserve permissions for all files and subdirectories created in that directory.

# chmod g+w,g+s /var/ftp/pub/shared

The directory should look like this.

# ls -ld /var/ftp/pub/shared
drwxrwsr-x    2 root   ftp_users       4096 Dec 16 12:12 /var/ftp/pub/shared

Now anyone who is in group ftp_users, including apache, will be able to write into that directory, and people will be able to read and write the files they create. The group members do have to trust each other, but no one else outside the group. Also, any files that are created will be owned by the UID who created them, so you know who put them there in the first place. There are of course other permission schemes that can require more or less trust between group members, but this is usually what I do for a shared directory among various users, or daemon UID.

Terrence
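
An audit of a shared directory set up as described above, as an added example that is not part of the original message: on Linux, new entries in a setgid directory inherit its group, while their mode still comes from the creator's umask, so the check looks at both. The names `audit_shared` and `demo` and the temporary demo directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. audit_shared and demo are
# illustrative names; the directory the demo inspects is constructed.

# audit_shared DIR: print one line per finding; return 1 if there are any.
audit_shared() {
    dir=$1
    gid=$(ls -ldn "$dir" | awk '{print $4}')    # numeric group owning DIR
    findings=$(
        # The top directory must let the group create files.
        find "$dir" -prune ! -perm -020 -exec echo dir-not-group-writable {} \;
        # Only group members are trusted, so nothing may be world-writable.
        find "$dir" ! -type l -perm -002 -exec echo world-writable {} \;
        # Subdirectories without setgid stop passing the group on.
        find "$dir" -type d ! -perm -2000 -exec echo dir-no-setgid {} \;
        # Entries with another group predate g+s or were chgrp'ed later.
        find "$dir" ! -group "$gid" -exec echo wrong-group {} \;
        # setgid passes on the group, not the mode: a file created under
        # umask 022 cannot be modified by the other group members.
        find "$dir" -type f ! -perm -020 -exec echo file-not-group-writable {} \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

demo() {
    d=$(mktemp -d)
    chmod 2775 "$d"                        # drwxrwsr-x, as in the listing
    ( umask 022; : > "$d/upload_a.txt" )   # writer with a strict umask
    ( umask 002; : > "$d/upload_b.txt" )   # writer with a group-friendly umask
    audit_shared "$d" || true              # reports only upload_a.txt
    rm -rf "$d"
}
demo
```

Calling `audit_shared /var/ftp/pub/shared` applies the same checks to the directory from the message.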

