On Thu, Dec 04, 2008 at 12:17:14PM +0800, P.V.Anthony wrote:
> Hi,
>
> I need help with permissions for a folder on a server for web hosting.
> The permissions should be secure but must allow for ftp also. It is a
> very basic question, please bear with me.
>
> The web server is apache and the user and group for the web server is
> apache. Pureftpd is used for the ftp server.
>
> Now the domain1.com is being hosted in a folder called domain_1.com and
> domain2.com is being hosted in a folder called domain_2.com.
>
> Thinking of giving the following permission for the folders.
>
> permission    user            group           folder
> drwxrwx---    domain_1.com    domain_1.com    domain_1.com
> drwxrwx---    domain_2.com    domain_2.com    domain_2.com
> drwxrwx---    domain_3.com    domain_3.com    domain_3.com
>
> Then apache will be member of groups, domain_1.com, domain_2.com and
> domain_3.com.
>
> Is this correct and secure? Is there another better way?
>

Correct, yes. Secure, depends, but probably no.

If your customers can run cgi programs or php scripts, you might run into trouble. It doesn't matter whether you run a cgi/php from domain1 or domain2, it will normally always run as httpd-user. Now consider some simple code in a cgi like:

    cat ../../domain2/htdocs/.htpasswd

This will normally work without problems from domain1, since this code will be run as httpd-user, that is in group domain_2.com.

Apache has a peruser mpm that should work around this problem. Or you could use something like SELinux or AppArmor, but this will require some work.

-- "The great thing about Object Oriented code is that it can make small, simple problems look like large, complex ones."
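
The group-membership problem described in the reply above, modelled as an added example that is not part of the original message: it applies the POSIX owner/group/other check to the three 0770 docroots from the question and lists which site's scripts can read which other site's folder, first with one shared apache user and then with per-site credentials. The numeric uids and gids and the function names are made up for illustration.

```python
import stat

# Constructed sample mirroring the table in the question: each docroot is
# mode 0770, owned by a per-site user and group (numeric ids are made up).
SITES = {
    "domain_1.com": {"uid": 2001, "gid": 2001, "mode": 0o770},
    "domain_2.com": {"uid": 2002, "gid": 2002, "mode": 0o770},
    "domain_3.com": {"uid": 2003, "gid": 2003, "mode": 0o770},
}
APACHE_UID = 48  # assumed uid of the apache user


def can_enter_and_read(site, proc_uid, proc_gids):
    """POSIX check: exactly one class (owner, else group, else other) applies."""
    mode = site["mode"]
    if proc_uid == site["uid"]:
        need = stat.S_IRUSR | stat.S_IXUSR
    elif site["gid"] in proc_gids:
        need = stat.S_IRGRP | stat.S_IXGRP
    else:
        need = stat.S_IROTH | stat.S_IXOTH
    return mode & need == need


def cross_site_reads(sites, credentials_for):
    """Return sorted (script_site, readable_site) pairs for other sites' docroots.
    credentials_for(name) gives the (uid, gids) that site's scripts run with."""
    pairs = []
    for script_site in sites:
        uid, gids = credentials_for(script_site)
        for target, meta in sites.items():
            if target != script_site and can_enter_and_read(meta, uid, gids):
                pairs.append((script_site, target))
    return sorted(pairs)


def shared_httpd(name):
    # Layout from the question: one apache user that is a member of every site group.
    return APACHE_UID, {s["gid"] for s in SITES.values()}


def per_site(name):
    # Per-site execution (peruser MPM style): scripts run as the site's own uid/gid.
    return SITES[name]["uid"], {SITES[name]["gid"]}


if __name__ == "__main__":
    print("shared httpd user:", cross_site_reads(SITES, shared_httpd))
    print("per-site user:    ", cross_site_reads(SITES, per_site))
```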