[CentOS] Groups

Mon Jan 31 17:54:50 UTC 2011
Nicolas Thierry-Mieg <Nicolas.Thierry-Mieg at imag.fr>

m.roth at 5-cent.us wrote:
> Todd wrote:
>>
>>>>> With /var/www/html owned by root:root and me loggin in as 'jason' I
>>>>> cannot accomplish this. I don't allow root logins over ssh...
>>> <snip>
>>>> Would I change /var/www/html/<my domain>  owner to myid:mygroup? I am
>>>> not sure the famifications of this and how Apache would behave, etc.
>>>
>>>> The whole of /var/www can belong to myid:mygroup as long as the apache
>>> <snip>
>>
>>> Not a great idea. Rather, I'd recommend that it be the apache user
>>> (apache or httpd, whichever you have it as, and have the directory of a
> group
>>> that you belong to (remember, you can have multiple secondary groups,
> like,
>>> say, group httpd), and make it group writeable.
>>
>> I don't quite follow.
>>
>> if I do a 'getent groups' I do have apache as a group.
>
> Or if you just type "groups" from the command line....
>>
>> So you are saying set the owner of /var/www/html<my domain>  and all files
>> below to apache:apache and then add my personal id to the apache group?
>
> And make the directory you want to upload stuff into, not /var/www/html,
> but /var/www/html/<yourdomain>/<maybewhatever>, group writeable, then
> sudo usermod -G apache myusername

again: this is bad advice, httpd is runing as user apache so you should 
avoid giving that user write access to stuff in /var/www/ unless it 
needs to (CGI, file uploads, etc...).
The apache user only needs read access. The users editing the content 
need write access.
Make /var/www/* owned by root, or yourself, or some brand new account, 
but not by apache. Then use groups and sgid bits to give write access 
(to relevant subdirs) to whoever needs to edit the content.