I'm setting up a shared web server running Apache. Each web root will belong to a department, which has a corresponding Active Directory group to give access. So far I've got Samba working and such, but am having some trouble wrapping my head around the necessary permissions to make all this work, especially securely. So far I've found that the POSIX and the ACL permissions must both allow a user to write to a directory, which is proving problematic. Is it better to give the web root directories very "loose" permissions and have Samba manage who can access the folders?
A few options I've come across would have a user's logged-in account mapped to the "apache" user through Samba, using "force user", but that seems like a security risk, allowing users to be apache. Another option I currently have working is using a default ACL for apache to give the web server read access to all the files. The problem I have with this is that some directories require write and some files should be read-only (like db config files), so again a global permission set doesn't seem to work.
I'd be very interested in knowing how someone has solved a problem like this.
Thanks
- Trey
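
A model of the Linux POSIX ACL access check from acl(5), added here as an example and not part of the original post. On a file that carries an ACL, the group bits of the mode are the ACL mask, so a chmod that drops group write caps every named user and group entry; per-directory entries for apache cover the read-only versus writable split. The names `dept-web`, `alice`, `bob` and the ACL entries are assumptions made for illustration.

```python
# Model of the Linux POSIX ACL access check (see acl(5)). Constructed data only.
R, W, X = 4, 2, 1

def allowed(acl, user, groups, want):
    """True if `user` (member of `groups`) is granted every bit in `want`."""
    if user == acl["owner"]:
        return acl["user_obj"] & want == want        # owner: mask not applied
    if user in acl["users"]:                         # named user entry
        return acl["users"][user] & acl["mask"] & want == want
    matches = [p for g, p in acl["groups"].items() if g in groups]
    if acl["group"] in groups:
        matches.append(acl["group_obj"])
    if matches:                                      # one entry must grant it all
        return any(p & acl["mask"] & want == want for p in matches)
    return acl["other"] & want == want

def chmod(acl, mode):
    """On a file with an ACL, the group bits of the mode rewrite the mask."""
    return {**acl, "user_obj": mode >> 6 & 7, "mask": mode >> 3 & 7,
            "other": mode & 7}

def web_root(apache_perms):
    """Hypothetical department web root: AD group writes, apache as given."""
    return {"owner": "root", "group": "root", "user_obj": R | W | X,
            "group_obj": R | X, "other": 0, "mask": R | W | X,
            "users": {"apache": apache_perms},
            "groups": {"dept-web": R | W | X}}

def demo():
    site = web_root(R | X)          # default: apache reads, never writes
    uploads = web_root(R | W | X)   # one directory where apache may write
    locked = chmod(site, 0o750)     # group bits r-x -> mask r-x
    return {
        "alice_writes_site": allowed(site, "alice", {"dept-web"}, W),
        "apache_reads_site": allowed(site, "apache", set(), R | X),
        "apache_writes_site": allowed(site, "apache", set(), W),
        "apache_writes_uploads": allowed(uploads, "apache", set(), W),
        "alice_writes_after_chmod": allowed(locked, "alice", {"dept-web"}, W),
        "outsider_reads_site": allowed(site, "bob", {"other-dept"}, R),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```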