Hi, I'm a newb to hosting but not to Linux/Apache. But I have a very newbie permissions question regarding Apache virtual hosts controlled by various user accounts -- namely, what set of user perms do I set up so that APACHE can read and execute users' websites, but OTHER USERS can't see other people's stuff?
I'm suffering a serious brainfart on this.
For example: my Apache process runs as 'nobody'. So if I have a user frank, and frank wants to run a website, and frank doesn't want any other users to have access to his stuff, what's the best way of setting that up?
I suppose I could stick his htmlroot in his homedir, and give him his very own Apache instance that runs as 'frank/frank', but that creates a big mess for me, the system admin. Not very scalable. And I'd probably have to have it listen on a nonstandard port (cuz I've already got an Apache listening on port 80) and make a reverse proxy to fwd to the nonstandard port, and I am WAY too lazy for that. :-)
My only other idea is to set read and execute perms for group 'nobody' on frank's homedir, and stick frank's htmlroot in there. I'm assuming that would give Apache the perms that it needs to serve the site, while at the same time preserving poor little frank's privacy, so long as no one gets group 'nobody'...
Anyways, I'm wondering how 'real' Linux webhosts do it?
I don't have webmin, usermin, plesk, cpanel, whatever. It's all command line, baby.
You can create a group called "webusers" and put the user "nobody" in the "webusers" group.
Then have all of your web users' root directories (/usr/local/apache/users/joe) set up with the following permissions (chmod 750):
drwxr-x--- joe webusers /usr/local/apache/users/joe
drwxr-x--- jim webusers /usr/local/apache/users/jim
drwxr-x--- tim webusers /usr/local/apache/users/tim
drwxr-x--- jen webusers /usr/local/apache/users/jen
Make sure you chown root:wheel /usr/local/apache/users and chmod 755 (or 555) /usr/local/apache/users
Now, for the users, this allows only Apache to go inside their directories. Once inside their root directory, though, it doesn't matter who the files are owned by for Apache to read them, just as long as they are world-readable. (chmod 755, 705, 704, etc.)
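
A way to check an existing tree against the layout described in the reply above, as an added example that is not part of the original thread. It assumes a `stat` that supports `-c` (GNU coreutils or busybox); the function names, the finding labels and the sample tree with users joe and jim are constructed for illustration.

```shell
#!/bin/sh
# Audit a hosting tree: BASE must be 755 or 555, each BASE/<user> must be 750.
# The group check is skipped unless GROUP (e.g. webusers) is given.
# Returns 0 when clean, 1 on any finding, 2 if BASE cannot be read.
audit_webroots() {
    base=$1; group=${2:-}; bad=0
    mode=$(stat -c '%a' "$base") || return 2
    case $mode in
        755|555) ;;
        *) echo "BASE $base: mode $mode, expected 755 or 555"; bad=1 ;;
    esac
    for d in "$base"/*/; do
        d=${d%/}
        [ -d "$d" ] && [ ! -L "$d" ] || continue   # skip non-dirs and symlinks
        mode=$(stat -c '%a' "$d")
        # 750: owner full access, web group may enter, other accounts locked out
        if [ "$mode" != 750 ]; then
            echo "PERM $d: mode $mode, expected 750"; bad=1
        fi
        if [ -n "$group" ] && [ "$(stat -c '%G' "$d")" != "$group" ]; then
            echo "GROUP $d: expected group $group"; bad=1
        fi
        # Per the reply, files inside should be world-readable for Apache
        unreadable=$(find "$d" -type f ! -perm -004)
        if [ -n "$unreadable" ]; then
            echo "UNREADABLE (no o+r) under $d:"; echo "$unreadable"; bad=1
        fi
    done
    return $bad
}

# Constructed sample tree: joe is set up correctly, jim is not.
build_demo() {
    t=$(mktemp -d) && mkdir "$t/joe" "$t/jim" && chmod 755 "$t" &&
    touch "$t/joe/index.html" "$t/jim/index.html" &&
    chmod 644 "$t/joe/index.html" && chmod 600 "$t/jim/index.html" &&
    chmod 750 "$t/joe" && chmod 755 "$t/jim" && echo "$t"
}

if [ $# -gt 0 ]; then
    audit_webroots "$@"          # e.g. /usr/local/apache/users webusers
else
    demo=$(build_demo)
    audit_webroots "$demo" || echo "findings reported for $demo"
    rm -rf "$demo"
fi
```

Run with no arguments it audits the constructed tree and reports jim's directory mode and unreadable file; run with a base directory and an optional group name it audits a real tree.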