08 Dec 2013

Apache Webserver File Permissions on VirtualHosts

I remember struggling to get my head around Apache Webserver file permissions. It's a common issue, and I've seen forum posts this weekend with users struggling to get it right. That's what's prompted this post.

To allow the Apache web server process (httpd) to access and serve files from virtual host directories, httpd requires at least read access. However, with content management systems, httpd might also require write access to virtual host directories.


On Linux, the Apache web server process is normally started as the root user. This is to allow the process to bind to the privileged ports 80 and 443. However, once the server has started up it switches to the user specified in httpd.conf. In CentOS, this is set to:

User apache
Group apache

This all works well if the server is only hosting one website, or even multiple websites for the same user or client. However, in a shared hosting environment where multiple customers need read and write access to their own web directories in order to upload their websites, we need a configuration that allows the httpd process read/write access to all virtual host directories while allowing each individual client/user read/write access only to their own web directory.

We could be daring and just give full write access to everyone with a chmod 777 command, but that would be foolish. The smarter way is actually very simple and is achieved using Unix groups. For each customer who will be uploading files to his virtualhost web directory, we create a Linux user. When the user account is created, a group will also be created with the same name as the user. With the user account in place, we give full read, write and execute rights to both the user and the group and no rights to everyone else (chmod 770). We then add the apache user to the new user's group, which grants httpd full rights to that web directory.

NOTE: It's not always necessary to give write access to httpd, but if you need to be able to upload files from the hosted website, httpd will need to have write access to the directory where the uploaded files will be stored.

Consider the following scenario:

A web server has been set up to host websites for two customers. The customers will be uploading their own files that make up their websites to the server. The server has been configured with two virtualhosts, one for each customer. The customer's websites will be served up by Apache from the following locations:

/var/www/vhosts/customera/htdocs/
/var/www/vhosts/customerb/htdocs/

NOTE: The Apache Web Server configuration is outside the scope of this post. We assume that httpd.conf has been configured correctly and that two virtualhosts have been created and configured to serve files from the above two /htdocs directories.

Customer A needs to be able to upload his files to /var/www/vhosts/customera/htdocs, so he will need read/write access to that directory. The same goes for Customer B, who will need read/write access to /var/www/vhosts/customerb/htdocs. First, we create a Linux user for each customer. This will also create a Linux group for the user, and the group will have the same name as the username. Let's set up the user accounts:

useradd customera
useradd customerb

With the user accounts created, we need to give read, write and execute rights to users and groups to their relevant web directories. We first change the ownership of the web directories to their respective usernames and groups:

chown -R customera.customera /var/www/vhosts/customera
chown -R customerb.customerb /var/www/vhosts/customerb

We then grant full read, write, execute rights to the users and groups and no rights to everyone else:

chmod 770 /var/www/vhosts/customera/htdocs
chmod 770 /var/www/vhosts/customerb/htdocs

In order to grant httpd access to the web directories, we add the apache user to the customer groups (-a appends, so apache keeps its existing supplementary groups):

usermod -a -G customera,customerb apache

And confirm that the apache user has been added to the customer groups:

[root@webserver vhosts]# id apache
uid=48(apache) gid=48(apache) groups=48(apache),500(customera),501(customerb)

Content Management System Permissions

For a CMS such as Joomla, ensure that the correct permissions are in place by running the following commands inside each /htdocs/ directory. Directories get 775 so that the owner and the group (which now includes apache) can traverse and write into them, and files get 664 so that httpd can read and, through the group, modify them:

cd /var/www/vhosts/customera/htdocs
find . -type d -exec chmod 775 {} \;
find . -type f -exec chmod 664 {} \;

cd /var/www/vhosts/customerb/htdocs
find . -type d -exec chmod 775 {} \;
find . -type f -exec chmod 664 {} \;
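To see why the 770 htdocs directory and the 775/664 CMS modes above give httpd what it needs while keeping the two customers out of each other's trees, here is an added Python model (not code from the original post) of how the kernel evaluates those modes against the apache, customera and customerb accounts. The directory tree, the images subdirectory and logo.png are constructed for the example; the mode of the customera/customerb parent directories is assumed to be the default 755.

```python
from dataclasses import dataclass

R, W, X = 4, 2, 1  # the r/w/x bits of one octal chmod digit

@dataclass(frozen=True)
class Account:
    name: str
    groups: frozenset  # primary plus supplementary groups, as `id` lists them

@dataclass(frozen=True)
class Node:
    owner: str
    group: str
    mode: int  # e.g. 0o770

def class_bits(acct, node):
    # The kernel consults exactly one class: owner if the name matches, else
    # group if the file's group is any group the account holds, else other.
    if acct.name == node.owner:
        return (node.mode >> 6) & 7
    if node.group in acct.groups:
        return (node.mode >> 3) & 7
    return node.mode & 7

def can_access(acct, tree, path, want):
    # True if acct has every bit of `want` on `path` and search (x) on each
    # modelled ancestor directory; ancestors outside the model (/var, /var/www)
    # are assumed root-owned 755 and therefore traversable by everyone.
    parts = path.strip("/").split("/")
    for i in range(1, len(parts)):
        parent = "/" + "/".join(parts[:i])
        if parent in tree and not class_bits(acct, tree[parent]) & X:
            return False
    return class_bits(acct, tree[path]) & want == want

# Constructed tree after the useradd/chown/chmod/usermod steps, plus the CMS
# step (directories 775, files 664) applied inside customer A's htdocs.
A, B = "/var/www/vhosts/customera", "/var/www/vhosts/customerb"
TREE = {
    "/var/www/vhosts": Node("root", "root", 0o755),
    A: Node("customera", "customera", 0o755),  # chown -R; mode assumed 755
    A + "/htdocs": Node("customera", "customera", 0o770),
    A + "/htdocs/images": Node("customera", "customera", 0o775),
    A + "/htdocs/images/logo.png": Node("customera", "customera", 0o664),
    B: Node("customerb", "customerb", 0o755),
    B + "/htdocs": Node("customerb", "customerb", 0o770),
}
# Accounts as `id` reports them once apache is in both customer groups.
APACHE = Account("apache", frozenset({"apache", "customera", "customerb"}))
CUSTOMER_A = Account("customera", frozenset({"customera"}))
CUSTOMER_B = Account("customerb", frozenset({"customerb"}))
```

Note that logo.png is world-readable (664) on its own, yet customerb still cannot reach it: the check fails at the 770 htdocs directory, which is why the directory mode, not the file mode, does the isolating.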
Last modified on Tuesday, 09 December 2014 14:41

Comments (4)

  1. Travis


Thanks; this is very helpful. But what if you have a *third* user (an admin of sorts—let's call them "webadmin") who needs access to *both* directories? Would you just add the "webadmin" user to the "customera" and "customerb" groups?

It seems like that would do the trick, but then "webadmin" would have access to any *other* directories that "customera" and "customerb" happen to own, which might not be what you want.

  1. Chris Allen

Forgive me if I'm wrong, but shouldn't it be

chown -R customera:customera /var/www/vhosts/customera


with a colon to separate user:group, rather than a dot?

  1. Rynardt Spies, in reply to Chris Allen

Ah yes, well spotted.

I'm just a bit old school when it comes to Linux. I understand that more recent releases of Linux prefer user:group, but are still backwards compatible with user.group for now. I just grew up with Linux always accepting user.group.

I guess in future we should just stick with user:group.

Thanks

  1. sarapaul

Nice info, I appreciated it.
