We have a web folder /var/www/somesite that's a root for one of the sites. Apache serves files out of here.
It is an svn checkout, so that updates could be done by using svn up.
Everything has been going great when I use the root user to update, but now I need to give access to other people to make deployments, and it doesn't seem to be easy to do using regular users.
I have created a group called staff and added the new user to it, let's say user1.
I ran the following commands to set the permissions:
    find . -type d -exec chmod 2775 {} \;
    find . -not -type d -exec chmod 0664 {} \;
    chown user1.staff .
This allows the user to make deployments.
Now comes in user2. User2 is also a member of group staff, so he can also make deployments. We haven't run into any issues yet, but I believe as long as the files are owned by staff, both users can change the files, no matter which one of them owns it.
Now we also need to give apache write access to a folder. Let's say /var/www/somesite/files.
There are several options here.
- We can add apache to the staff group, but this would give apache access to the whole /var/www/somesite tree.
- We can change the group to apache. We will need to add user1 and user2 to the apache group. One of the problems with this is that the users would have access to everything that apache has access to. Another problem is that while user1 can run chmod -R user1.apache files, it will fail if the files are owned by someone else (like user2 or apache). Is there a way to get around this?
Am I going about this the wrong way?
Russ
From: Ruslan Sivak russ@vshift.com
We have a web folder /var/www/somesite that's a root for one of the sites. Apache serves files out of here. It is an svn checkout, so that updates could be done by using svn up. Everything has been going great when I use the root user to update, but now I need to give access to other people to make deployments, and it doesn't seem to be easy to do using regular users.
What do you mean by deployments? svn ups?
Would a sudo specific/secure deployment script run as root do the job?
The script would verify what the user tries to do and then, if legit, do it...
All dirs/files would still be owned by root.
JD
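
One way to write the sudo-run deployment script suggested in the reply above, as an added example that is not part of the thread. The script path /usr/local/sbin/deploy-site, the sudoers line, and the allowlist contents are assumptions for illustration; only /var/www/somesite and the staff group come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Hypothetical install path:
#   /usr/local/sbin/deploy-site, owned root:root, mode 0755.
# Hypothetical sudoers entry (edit with visudo):
#   %staff ALL=(root) NOPASSWD: /usr/local/sbin/deploy-site
# Members of staff then run: sudo /usr/local/sbin/deploy-site somesite

# Fixed PATH so a caller's environment cannot substitute another svn binary.
PATH=/usr/sbin:/usr/bin:/sbin:/bin
export PATH

WEB_ROOT=/var/www          # parent of the checkouts, as in the thread
ALLOWED_SITES="somesite"   # space-separated allowlist (constructed sample)

# Return 0 only if $1 is a plain name that is on the allowlist.
validate_site() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;   # empty, or has /, ., spaces, etc.
    esac
    for s in $ALLOWED_SITES; do
        [ "$s" = "$1" ] && return 0
    done
    return 1
}

# Validate the request, then update the working copy as root.
deploy_site() {
    site=$1
    if ! validate_site "$site"; then
        echo "deploy-site: refusing site name '$site'" >&2
        return 2
    fi
    dir="$WEB_ROOT/$site"
    # Refuse a symlinked site directory so the update cannot be redirected.
    if [ -L "$dir" ] || [ ! -d "$dir/.svn" ]; then
        echo "deploy-site: $dir is not an svn checkout" >&2
        return 3
    fi
    logger -t deploy-site "svn up of $dir requested by ${SUDO_USER:-unknown}"
    svn update --non-interactive "$dir"
}

# Run only when exactly one site name is given.
if [ "$#" -eq 1 ]; then
    deploy_site "$1"
fi
```

Because the sudoers rule names only this one script and the script accepts nothing but an allowlisted site name, staff members can trigger svn up without gaining a general root shell, and files stay owned by root.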