On Wed May 10 2000 at 16:06, "David Knaack" wrote:
> Greetings,
>
> I am trying to get my RH6.1 box set up to make maintaining the
> web sites hosted on it easy to do. Web files live in a user
> directory in /home/<username>/html. I also have a user called
> webmister, and in his home directory, I have symlinks to all the
> sites that are hosted off the box. The virtual website path is
> then /home/webmister/<sitename>.
>
> I want to set up the file permissions so that <username> has
> full rights to their html directory, so they can maintain their
> files, and I also want user webmister to have full rights to
> change files in /home/webmister/<sitename>, so that he can
> maintain files on behalf of the user.
Make all users involved with this belong to one unix group.
Make the default umask for all users 002 (i.e., -rwxrwxr-x -- enable group write
access).
Set the SGID bit on ALL /home/*/html files:
chmod g+s /home/*/html
This will force group ownership of all (new) files and directories
created in all those directory trees to be group-owned by the
group owner of that directory.
Problem is that users can access (and change) files owned by other
users. (Hmm, with some design considerations perhaps this might also
be overcome.)
> Naturally the web server has to be able to get to everything too.
... which is why world readability and accessibility is vital for
a web server to work.
> Preferably /home/<username> should not be world-readable, which
> it is now. If I 'chmod 700' on that directory, the webserver
> can no longer get to the files, even though I have it looking
> at them as /home/webmister/<sitename>.
No, they need to be group and world *accessible* (not necessarily
readable), so chmod them with 711 to do this. The directories
can be accessed, but NOT read.
> All files in /home/<username> should be owner.group to <username>.
Oops. "should"? "must be", "need to be", or "want to be" ?
> I was hoping that I could put the webmister user into each of the
> <username> groups, and then it would be able to change files in
> the symlinked directory (since the <username> group will have
> full permissions to them).
Nope, won't work unless they (1) all belong in the same unix
group, or (2) write permissions for "others" is set, something
that I would not dare recommend anyone doing on a web server.
> I'm pretty sure I just don't understand how file permissions
> work, but I've been trying to make this work for a while, and
> I'm not having much luck. Probably the most baffling part is
> Apache not being able to see the files when I change the permissions
> on /home/<username>, when it's not accessing the files through
> that path.
But it _is_ accessing files through that path, and mode 700 stops
that dead. Try it with mode 711.
Cheers
Tony
-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-
Tony Nugent <[EMAIL PROTECTED]> Systems Administrator, RHCE
GrowZone OnLine (a project of) GrowZone Development Network
POBox 475 Toowoomba Queensland Australia 4350 Ph: 07 4637 8322
-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-
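The permission scheme discussed in this thread (a shared group, umask 002, setgid on the html directories, and mode 711 rather than 700 on the home directories so the web server can traverse them without listing them), laid out as an added example that is not part of the original mail. It builds the layout under a scratch directory instead of /home so it runs as an unprivileged user; the user name alice, the site name example.org and the group name webteam are assumptions, and the steps that need root (groupadd, usermod, chgrp) are shown only as comments.

```shell
#!/bin/sh
# Added example, not from the original thread. Recreates the layout under a
# temporary root standing in for /home:
#   <root>/alice               mode 711  : traversable but not listable
#   <root>/alice/html          mode 2775 : group-writable, setgid so new files
#                                          inherit the directory's group
#   <root>/webmister/example.org -> <root>/alice/html   (the virtual site path)
# alice, example.org and webteam are hypothetical names.
set -eu

ROOT=$(mktemp -d)          # stands in for /home
SITE_USER=alice            # hypothetical site owner
SITE=example.org           # hypothetical site name

# Restore read permission before cleaning up: rm cannot empty a 711 directory.
cleanup() { chmod -R u+rwx "$ROOT" 2>/dev/null || true; rm -rf "$ROOT"; }
trap cleanup EXIT

setup_site() {
    home="$ROOT/$SITE_USER"
    mkdir -p "$home/html" "$ROOT/webmister"
    chmod 711 "$home"          # drwx--x--x : paths inside resolve, no listing
    chmod 2775 "$home/html"    # drwxrwsr-x : group write + setgid
    # Root-only steps, on a real box (assumed group name webteam):
    #   groupadd webteam
    #   usermod -aG webteam alice; usermod -aG webteam webmister
    #   chgrp webteam "$home/html"
    ln -s "$home/html" "$ROOT/webmister/$SITE"
}

# A file created with umask 002 comes out 664, i.e. group-writable.
write_page() {
    ( umask 002; printf '<h1>hello</h1>\n' > "$ROOT/$SITE_USER/html/index.html" )
}

# Permission string of a path, e.g. drwxrws--x (first ten columns of ls -ld).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# 1 if index.html can be read through the symlinked site path, else 0.
# This is what the web server needs, and mode 711 on the home dir allows it.
reachable_via_symlink() {
    if cat "$ROOT/webmister/$SITE/index.html" >/dev/null 2>&1; then echo 1; else echo 0; fi
}

# 1 if the home directory can be listed, else 0. With mode 711 an ordinary
# user gets 0 (root bypasses the check, so this is not asserted as root).
home_listable() {
    if ls "$ROOT/$SITE_USER" >/dev/null 2>&1; then echo 1; else echo 0; fi
}

setup_site
write_page
echo "home dir : $(mode_of "$ROOT/$SITE_USER")"                  # drwx--x--x
echo "html dir : $(mode_of "$ROOT/$SITE_USER/html")"             # drwxrwsr-x
echo "index    : $(mode_of "$ROOT/$SITE_USER/html/index.html")"  # -rw-rw-r--
echo "readable via webmister symlink : $(reachable_via_symlink)" # 1
echo "home dir listable              : $(home_listable)"         # 0 as non-root
```

Running it shows the point Tony makes at the end: the file is readable through /webmister/example.org even though the home directory cannot be listed, because the execute bit on the home directory is what lets the path resolve. Change the 711 to 700 and `reachable_via_symlink` drops to 0 for any user other than root.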