Linode Forum
Linode Community Forums 		 FAQFAQ    SearchSearch    MembersMembers      Register Register 
 LoginLogin [ Anonymous ] 
Post new topic  Reply to topic

Board index » Linux Community Forums » Web Servers and Web App Development
  Previous topic | Next topic 
Author Message
AtomicDog
PostPosted: Tue Nov 17, 2009 4:38 am 
Offline
Junior Member

Joined: Wed Nov 04, 2009 5:22 am
Posts: 27
I have a custom written web application running on the traditional LAMP stack (P being PHP in this example).

Option 1) I could just chown all the PHP files over to the apache user/group, place the files in htdocs, and run the app like that.

Option 2) I was thinking of creating a separate user with no login shell, though, that would own all the PHP files. Then I would add group ownership of the files to apache and store the PHP files in the users home directory. PHP would still be running as the apache user.

This would allow me to su over to that account to edit the files as the application user, and connect to the MySQL DB without specifying the user/password on the command line as well.

I was thinking this might keep it more organized if I were to add more applications in the future.

Is there a best practice for this? Are there any disadvantages to using the separate user technique (second option)?
Top
   
Reply with quote  
Vance
 Post subject:
PostPosted: Thu Nov 19, 2009 4:40 am 
Offline
Senior Member
User avatar

Joined: Sun Jan 18, 2009 2:41 pm
Posts: 830
There are certainly any number of ways to organize things, but I don't know if there is truly a best practice (my own practices have tended toward expedience rather than maintainability).

One problem with the separate user approach is that when you add new files as that user, the group ownership and permissions are likely to make them inaccessible to Apache. You can overcome the ownership problem with the setgid bit and the permissions problem by changing the umask for the user.
Top
   
Reply with quote  
AtomicDog
 Post subject:
PostPosted: Sat Apr 03, 2010 1:45 am 
Offline
Junior Member

Joined: Wed Nov 04, 2009 5:22 am
Posts: 27
I did actually decide to do this by creating a new user.

I created a new user and changed the password hash to start with a ! to disable login. This way I can still su to the account (which I could not if I used sbin/nologin) as root, although I can not su over as a normal user because the password will never be accepted.

I set the umask to the appropriate setting in the new account's profile. Then I changed the primary group on that account to be apache.

Finally, I changed the webserver folder so that it is owned by the application account, and apache only has group read but not write access. I was reading on the Drupal website that this is the appropriate way to setup the www tree anyway.
Top
   
Reply with quote  
Display posts from previous:  Sort by  
Post new topic  Reply to topic

Board index » Linux Community Forums » Web Servers and Web App Development


Who is online

Users browsing this forum: No registered users and 3 guests

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum

Search for:
Jump to:  
RSS

Powered by phpBB® Forum Software © phpBB Group