Permissions and Groups on a New Server – Managing your servers can streamline the performance of your team by allowing them to complete complex tasks faster. Plus, it can enable them to detect problems early on before they get out of hand and compromise your business. As a result, the risk of experiencing operational setbacks is drastically lower.
But the only way to make the most of your server management is to perform it correctly. And to help you do so, this article will share nine tips on improving your server management and fix some problem about linux, apache-2.2, permissions, , .
I set up a new instance of Ubuntu 12.04. This has, of course, the root user. I have apache running and it has it’s own user and group and I created a single ftp user as well (that has it’s own user and group). I also created a new group that I thought I had set up to contain the apache and the ftp user to upload/create/manage files.
So now, in my web root and with regard to users and groups, I have something that looks like this:
-rw-r--r-- 1 root www-pub 22 Jul 30 06:21 index.html drwxr-sr-x 5 www-data www-data 4096 Jul 30 06:26 test drwxr-sr-x 8 ftpacct www-data 4096 Jul 30 06:03 stuff
index.html was created by root (via ssh), test dir was created by apache and stuff dir was created by the ftp user.
(Additionally, www-data and ftpacct both belong to the group www-pub.)
My problem: if a file or dir is owned by apache (www-data) it is not modifiable by the ftp user (ftpacct) and vice versa. I can give the element 775 permissions and THEN it is editable as all users are in the same group but this seems insecure (maybe it isn’t? I’m of the impression that anything more than 755 isn’t a good idea).
So what is the solution? How can I make it so that files uploaded by ftpacct can be modified by user www-data and so that files created by that user can be modified by ftpacct? Or should I even be thinking like this?
Can I do this or is this permissions setup just not the best way to do things?
775 is okay, it just means that it is group writable/cd-able and world readable/cd-able.
It looks like you already did a chown user.sharedgroup and chmod g+s where the writes take place to ensure that the files created there are owned by the common group.
Permissions like this are acceptable when they’re well-thought out, understood and documented. I don’t see any problem with your setup.