On Linux, the Apache web server process is normally started as the root user. This allows the process to bind to ports 80 and 443. However, once the server has started up, it switches to the user specified in httpd.conf. In CentOS, this is set to:
User apache
Group apache
This all works well if the server is only hosting one website, or even multiple websites for the same user or client. However, in a shared hosting environment where multiple customers need read and write access to their web directories in order to upload their websites, we need a configuration that gives the httpd process read/write access to all virtual host directories and also gives each individual client/user read/write access to their own web directory. We can be daring and just give full write to everyone with a chmod 777 command, but that would be foolish.
The smarter way is actually very simple and is achieved using Unix groups. Basically, for each customer that will be uploading files to his virtualhost web directory, we create a Linux user. When the user account is created, a group will also be created with the same name as the user. With the user account in place, we give full read, write and execute rights to both the user and the group and no rights to everyone else (chmod 770). We then add the apache user to the new user's group, which grants httpd full rights to the web directory.
NOTE: It's not always necessary to give write access to httpd, but if you need to be able to upload files from the hosted website, httpd will need to have write access to the directory where the uploaded files will be stored.
Consider the following scenario:
A web server has been set up to host websites for two customers. The customers will be uploading their own files that make up their websites to the server. The server has been configured with two virtualhosts, one for each customer. The customer's websites will be served up by Apache from the following locations:
/var/www/vhosts/customera/htdocs/
/var/www/vhosts/customerb/htdocs/
NOTE: The Apache Web Server configuration is outside the scope of this post. We assume that httpd.conf has been configured correctly and that two virtualhosts have been created and configured to serve files from the above two /htdocs directories.
Customer A needs to be able to upload his files to /var/www/vhosts/customera/htdocs, so he will need read/write access to that directory. The same goes for Customer B, who will need read/write access to /var/www/vhosts/customerb/htdocs. First, we create a Linux user for each customer. This will also create a Linux group for the user, and the group will have the same name as the username. Let's set up the user accounts:
useradd customera
useradd customerb
With the user accounts created, we need to give read, write and execute rights to users and groups to their relevant web directories. We first change the ownership of the web directories to their respective usernames and groups:
chown -R customera:customera /var/www/vhosts/customera
chown -R customerb:customerb /var/www/vhosts/customerb
We then grant full read, write, execute rights to the users and groups and no rights to everyone else:
chmod 770 /var/www/vhosts/customera/htdocs
chmod 770 /var/www/vhosts/customerb/htdocs
In order to grant access to the web directories, we add the apache user to the customer groups:
usermod -a -G customera,customerb apache
And confirm that the apache user has been added to the customer groups:
[root@webserver vhosts]# id apache
uid=48(apache) gid=48(apache) groups=48(apache),500(customera),501(customerb)
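To check the result of the steps above, the following audit script is an added example, not part of the original post: it reports a docroot that grants access to other users, world-writable entries beneath it, and a web server user that is missing from the customer's group. The function names, VHOST_ROOT and WEB_USER are assumptions chosen to match the post's paths and the CentOS apache account.

```shell
#!/bin/sh
# Added example: audit the layout from this post. VHOST_ROOT and WEB_USER
# are assumptions that match the post's paths and CentOS's apache account.
VHOST_ROOT=${VHOST_ROOT:-/var/www/vhosts}
WEB_USER=${WEB_USER:-apache}

# Octal mode of a path (GNU stat, as shipped on CentOS).
mode_of() { stat -c '%a' "$1"; }

# True when the docroot gives nothing to "other" (last octal digit is 0).
docroot_is_private() {
    case "$(mode_of "$1")" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Print anything under the docroot that any local user may write to.
world_writable() { find "$1" ! -type l -perm -0002 -print; }

# True when group $2 is in the space-separated group list $1.
has_group() (
    for g in $1; do
        [ "$g" = "$2" ] && exit 0
    done
    exit 1
)

# audit_vhost <customer> <docroot> <group list of the web server user>
# Prints one line per finding; returns non-zero if there was any.
audit_vhost() (
    rc=0
    if ! docroot_is_private "$2"; then
        echo "$2: mode $(mode_of "$2") grants access to other users"; rc=1
    fi
    if [ -n "$(world_writable "$2")" ]; then
        echo "$2: contains world-writable entries"; rc=1
    fi
    if ! has_group "$3" "$1"; then
        echo "$WEB_USER is not a member of group $1"; rc=1
    fi
    exit "$rc"
)

# Run as: sh audit.sh customera customerb   (does nothing without arguments)
for c in "$@"; do
    audit_vhost "$c" "$VHOST_ROOT/$c/htdocs" "$(id -nG "$WEB_USER")"
done
```

Because find . also matches the docroot itself, the CMS commands in the next section set htdocs to 775, which this audit reports as access for other users.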
Content Management System Permissions
For a CMS such as Joomla, ensure that the correct permissions are in place by running the following commands inside each /htdocs/ directory:
cd /var/www/vhosts/customera/htdocs
find . -type d -exec chmod 775 {} \;
find . -type f -exec chmod 664 {} \;
cd /var/www/vhosts/customerb/htdocs
find . -type d -exec chmod 775 {} \;
find . -type f -exec chmod 664 {} \;