Setting up a Virtual Host so that a particular user has access to it

2012-04-23 23:51:27

This is how I did it. Keeping it here so I don't have to go looking through mailing list archives.

  1. Create a new group www-examplecom and add the users example-editor and www-data to it. The former is the regular user I want to have access to the files for that Virtual Host and the latter is the Apache user which may need to upload files using PHP.

  2. Change ownership of /var/www/example.com to root:www-examplecom

  3. Change permissions of the /var/www/example.com directory (and subdirectories) to 0775 to give owner and group read/write/execute, and then to 2775 to set the SetGID bit, which ensures that files created under /var/www/example.com are created with the group www-examplecom.

  4. Change permissions of files under /var/www/example.com to 0664 to give owner and group read/write (others get read-only).

  5. Change umask for user example-editor to 0002 so that files are created by him in a way that allows them to be edited by the group as well.

  6. Set umask in the PHP program to 0002 so that files are created by user www-data in a way that allows them to be edited by the group as well.
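
The steps above as shell functions, plus an audit that lists any path whose mode has drifted from the 2775/0664 scheme. This is an added example, not the original author's commands; the function names are hypothetical, and the group, user and path in the usage comment are the ones from the steps.

```bash
# Added example, not the original author's commands. Group, users and path in
# the usage line come from the steps above; function names are hypothetical.

# Steps 1-2 (run as root): create the group, add members, hand over the tree.
# usage: setup_group www-examplecom /var/www/example.com example-editor www-data
setup_group() {
    local group="$1" root="$2"; shift 2
    getent group "$group" >/dev/null || groupadd "$group"
    for u in "$@"; do usermod -a -G "$group" "$u"; done
    chown -R "root:$group" "$root"
}

# Steps 3-4: directories 2775 (rwxrwsr-x, setgid), regular files 0664.
apply_modes() {
    find "$1" -type d -exec chmod 2775 {} +
    find "$1" -type f -exec chmod 0664 {} +
}

# Audit: print each directory or file whose mode deviates from the scheme.
# Returns 0 when the tree is clean, 1 otherwise.
audit_modes() {
    local bad
    bad=$(find "$1" \( -type d ! -perm 2775 \) -o \( -type f ! -perm 0664 \))
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Steps 5-6 on a constructed temp tree (no root needed): with umask 0002 new
# files come out 0664 and new directories inherit setgid, so the audit passes.
demo() {
    local t rc
    t=$(mktemp -d) || return 1
    mkdir -p "$t/site/img" && touch "$t/site/index.php"
    apply_modes "$t/site"
    ( umask 0002; touch "$t/site/img/new.png"; mkdir "$t/site/cache" )
    audit_modes "$t/site"; rc=$?
    rm -rf "$t"
    return $rc
}
```

Running `audit_modes /var/www/example.com` after an upload or a deploy shows files that were created with a stricter umask (for example 0022, which yields 0644) and are therefore not group-writable.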

After doing all of this, you might be interested in using suPHP or apache2-mpm-itk or something else to ensure that one user's PHP files aren't used to attack every other user's stuff. With apache2-mpm-itk, edit the corresponding VirtualHost setting and add the following, replacing user and group with the account and group that VirtualHost should run as:

<IfModule mpm_itk_module>
    AssignUserId user group
</IfModule>