Hello,
Any one know of the definitive best practice for owner/group permissions for apache web folders?

I have done part of the way, but not quite yet.
I have set the public_html folder & all files in it to be user: www-data and group www-data
Which is fine, and this allows the uploads folder in wordpress to work with a permission of 775 (thus avoiding the need for 777)

I did not want to upload my files as the root user. So I have create a user (named cds) just for upload.
I then set cds to be a member of the group www-data

This allows me to upload files to the public_html folder as the cds user.

But the problem is I cannot edit any of the files in the web folder which is owned by www-data.
But if the set the owner of all web files as cds, then apache (and therefore wordpress upload) cannot write files to the server.

So I think my questions are
1) How do I allow the cds user to edit files owned by www-data
2) How do I set the web folder content so that whenever the cds user uploads the files to it, it automatically sets both the owner and group to www-data?

I'm not sure there's a definitive 'best practice'. I think it's something of a balancing act between security and functionality/convenience

On a server with multiple websites maintained by different users here's what I do:

1. Create a user and group, with a home directory. e.g., there'd be user 'cds', group 'cds', and home directory /home/cds, below which there'd be /home/cds/public_html for the website.

2. /home/cds and eveything below it is owned by user 'cds' group 'cds', include the website content. So user cds can login by SSH, SCP, FTP, etc. and have the site content readily accessible and have permissions to modify/delete anything.

2. Add the Apache user (in your case, www-data) to the group 'cds'. This can be done with the 'usermod' command, something like:

usermod -a -G cds www-data

3. Permissions for read/write access can then be adjusted (by user 'cds') as required:

- A directory set 750 is readable by Apache. This is the basic permission level required for the website to function.

- A directory set 770 is readable and writable by Apache. Your Wordpress upload directory (for example) would need this.

- Similarly, file access could be set 640 for read access and 660 for read/write access.

I don't claim this is the best approach, it's just how I do it

_________________
sleddog

Hmm, according to the linode documentation they suggest making the home directory for the site
/srv/www/yourdomain.com/public_html

apache defaults to /var/www

I won't be the only admin that will be updating the website, so it made sense to me not to have the site be at home/specificuser/public_html

I myself however am new to controlling my own webserver so what are your thoughts on that or rather how would you set the permissions/user/groups then.

I have myself and a second user added, I have us both added to the www-data group, admin, adm, and an inetuser groups.

What are your thoughts on that?

The default Apache setup has been the same since time immemorial, when one website was hosted on a server. Virtual hosting changed that -- allowing multiple sites to be hosted on one server. There isn't one "right" way of doing virtual hosting. Placing sites in /srv/www/yourdomain.com/public_html is one way. Putting them in home/specificuser/public_html is another. Neither is definitively right or wrong.




Why? You can simply supply each admin with the username/password for access. Would it matter that each real admin works as (for example) user 'cds'?



I'd suggest doing exactly what your doing -- experimenting to find the best solution to fit your needs.

I'd be cautious about having files and directories owned by the Apache user -- those files/directories might be writable by the Apache user when there is no need for them to be. And that might be a security concern.

_________________
sleddog

Thanks for your advice there @sleddog

If I do choose to put the files in /var/www/yourdomain.com/public_html then what impacts does that have on user and group ownership?

I feel like there should be some theory here, in addition to the 'experimentation with the individuals virtual hosts and websites.

I understand that for my wordpress sites, the user is www-data

In order to give myself FTP access, I had to go and assign user:group on all the web host files to me: ricky:ricky

And I added the www-data user to the ricky group.

But frequently run into wordpress install problems.

Setting www-data as the user and group doesnt help either.

I want to be able to cruise around in terminal looking at the files, but if I give user:group ownership to www:data, then I loose that.

Is it OK in today's world to have '7' on the group level, for read/write/access to all files inside Public_html

I feel there's a more secure way to do this!