[CentOS] Groups

Mon Jan 31 18:14:01 UTC 2011
m.roth at 5-cent.us <m.roth at 5-cent.us>

Nicolas Thierry-Mieg wrote:
> m.roth at 5-cent.us wrote:
>> Todd wrote:
>>>>>> With /var/www/html owned by root:root and me logging in as 'jason' I
>>>>>> cannot accomplish this. I don't allow root logins over ssh...
>>>> <snip>
>>>>> Would I change /var/www/html/<my domain>  owner to myid:mygroup? I am
>>>>> not sure the ramifications of this and how Apache would behave, etc.
>>>>> The whole of /var/www can belong to myid:mygroup as long as the
>>>>> apache
>>>> <snip>
>>>> Not a great idea. Rather, I'd recommend that it be the apache user
>>>> (apache or httpd, whichever you have it as, and have the directory of
>>>> a group that you belong to (remember, you can have multiple secondary
>>>> like, say, group httpd), and make it group writeable.
>>> So you are saying set the owner of /var/www/html<my domain>  and all
>>> files below to apache:apache and then add my personal id to the apache
>> And make the directory you want to upload stuff into, not /var/www/html,
>> but /var/www/html/<yourdomain>/<maybewhatever>, group writeable, then
>> sudo usermod -G apache myusername
> again: this is bad advice, httpd is running as user apache so you should
> avoid giving that user write access to stuff in /var/www/ unless it
> needs to (CGI, file uploads, etc...).
> The apache user only needs read access. The users editing the content
> need write access.
> Make /var/www/* owned by root, or yourself, or some brand new account,
> but not by apache. Then use groups and sgid bits to give write access
> (to relevant subdirs) to whoever needs to edit the content.

Well, root wouldn't work for him, since he's preventing remote login. But
making the directory - and I did mean something *under*
/var/www/html/his_site, *not* his whole site - of webmin group, or
whatever he wants, and adding himself to that group, then making that
group writeable, would seem to me to meet both his needs and your
suggestions, Nicolas.
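
An added example, not part of the original thread: shell functions that apply the layout the thread converges on (a setgid, group-writable subdirectory for editors, nothing owned by the web server account) and audit a docroot for deviations from it. The function names and the group name `webedit` are assumptions; `apache` is the account name used in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and the group name
# "webedit" are hypothetical.

# setup_upload_dir DIR GROUP
# Make DIR writable by GROUP with the setgid bit, so files created inside
# inherit GROUP instead of the creator's primary group. Ownership is left
# alone: the directory should stay owned by root or an editor account, not
# by the web server account. Run with sufficient privilege, e.g.:
#   setup_upload_dir /var/www/html/<yourdomain>/uploads webedit
# Add editors with: usermod -aG webedit <user>
# (-a appends; -G alone replaces the user's supplementary group list).
setup_upload_dir() {
    dir=$1 group=$2
    mkdir -p "$dir" &&
    chgrp "$group" "$dir" &&
    chmod 2775 "$dir"
}

# audit_docroot DOCROOT WEBUSER
# Print one line per finding:
#   OWNED  path  owned by the web server account (name or numeric uid),
#                which can therefore rewrite or chmod it
#   WORLD  path  world-writable, so the web server account can write to it
#                whatever its group membership
#   NOSGID path  group-writable directory without setgid: new files land in
#                the creator's primary group and other editors lose access
audit_docroot() {
    docroot=$1 webuser=$2
    find "$docroot" -user "$webuser" -print | sed 's/^/OWNED /'
    find "$docroot" ! -type l -perm -0002 -print | sed 's/^/WORLD /'
    find "$docroot" -type d -perm -0020 ! -perm -2000 -print | sed 's/^/NOSGID /'
}
```

On a live host, `audit_docroot /var/www apache` should print nothing except directories apache genuinely has to write to (CGI state, file uploads).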