[CentOS] Groups

Mon Jan 31 18:14:01 UTC 2011
m.roth at 5-cent.us <m.roth at 5-cent.us>

Nicolas Thierry-Mieg wrote:
> m.roth at 5-cent.us wrote:
>> Todd wrote:
>>>
>>>>>> With /var/www/html owned by root:root and me logging in as 'jason' I
>>>>>> cannot accomplish this. I don't allow root logins over ssh...
>>>> <snip>
>>>>> Would I change /var/www/html/<my domain>  owner to myid:mygroup? I am
>>>>> not sure the ramifications of this and how Apache would behave, etc.
>>>>
>>>>> The whole of /var/www can belong to myid:mygroup as long as the
>>>>> apache
>>>> <snip>
>>>
>>>> Not a great idea. Rather, I'd recommend that it be the apache user
>>>> (apache or httpd, whichever you have it as), and have the directory of
>>>> a group that you belong to (remember, you can have multiple secondary
>>>> groups, like, say, group httpd), and make it group writeable.
>>>> <snip>
>>> So you are saying set the owner of /var/www/html<my domain> and all
>>> files below to apache:apache and then add my personal id to the apache
>>> group?
>>
>> And make the directory you want to upload stuff into, not /var/www/html,
>> but /var/www/html/<yourdomain>/<maybewhatever>, group writeable, then
>> sudo usermod -G apache myusername
>
> again: this is bad advice, httpd is running as user apache so you should
> avoid giving that user write access to stuff in /var/www/ unless it
> needs to (CGI, file uploads, etc...).
> The apache user only needs read access. The users editing the content
> need write access.
> Make /var/www/* owned by root, or yourself, or some brand new account,
> but not by apache. Then use groups and sgid bits to give write access
> (to relevant subdirs) to whoever needs to edit the content.

Well, root wouldn't work for him, since he's preventing remote login. But
making the directory - and I did mean something *under*
/var/www/html/his_site, *not* his whole site - of webmin group, or
whatever he wants, and adding himself to that group, then making that
group writeable, would seem to me to meet both his needs and your
suggestions, Nicolas.

          mark
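
The layout the thread converges on (content not owned by the account httpd runs as, write access granted through a group plus the setgid bit on specific subdirectories) can be checked with a short audit. This is an added example and not part of the original message; the function name `audit_docroot` and the finding tags are hypothetical, chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). audit_docroot and its tags are
# hypothetical names chosen for this illustration.
#
# Usage: audit_docroot DOCROOT WEBUSER
# Prints one "TAG path" line per finding and returns 1 if there are any.
audit_docroot() {
    docroot=$1
    webuser=$2
    findings=$(
        # 1. Content owned by the account httpd runs as: the server process
        #    could modify it. Skipped if the account does not exist here.
        if id -u "$webuser" >/dev/null 2>&1; then
            find "$docroot" ! -type l -user "$webuser" | sed 's/^/OWNED_BY_WEBUSER /'
        else
            echo "note: no user '$webuser' on this host, ownership check skipped" >&2
        fi
        # 2. Group-writable directories without setgid: new files get the
        #    creator's primary group, so the editors' group loses access.
        find "$docroot" -type d -perm -0020 ! -perm -2000 | sed 's/^/GROUP_WRITABLE_NO_SGID /'
        # 3. World-writable entries: any local account, apache included,
        #    can write there regardless of the group setup.
        find "$docroot" ! -type l -perm -0002 | sed 's/^/WORLD_WRITABLE /'
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Run directly as: sh audit_docroot.sh DOCROOT WEBUSER
if [ "$#" -eq 2 ]; then
    audit_docroot "$1" "$2"
fi
```

A clean run prints nothing and returns 0, so the function can gate a deploy script or a cron check.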