There are many threads about this topic but many are subjective since it's such a flexible subject, so I hope I'm asking an objective question relevant to my setup which is: is this is a sensible approach to the problem of Apache and FTP permissions.
Ubuntu 12.04 LTS 64 bit LAMP server running in Amazon's EC2; Apache2, MySQL, PHP.
Apache2 runs under www-data.
Apache2 default site disabled.
Site: mysitename.com enabled.
sitesavailable/mysitename.com configured, with DocumentRoot and the Directory directive to point to /mnt/ebs1/public_html
In order to FTP files to the above public_html directory and also be able to manage them from the terminal, I created two specific user accounts and a group:
remote-system-user
remote-ftp-user
group: ftp
remote-system-user is a member of the admin group so is able to perform sudo operations at the terminal, and also the ftp group. It was created with 'adduser' and has a home directory.
remote-ftp-user is only a member of the ftp group. It was created with 'useradd' and does not have a home directory.
I then set permissions on /mnt/eb1/public_html like this:
sudo chgrp -R ftp /var/www
sudo chmod -R g+w /var/www
I use proFTPd as an FTP server, and using it's conf file, I jail the FTP user to /mnt/ebs1/public_html
Other than perhaps choosing a better name for the ftp group, since it's a bit illogical if the remote SSH user is also a member, what are people's comments on this setup?
The objective is to not give www-data full permissions to the public_html folder, but I will need site users to be able to upload files. I intend to create a folder within public_html which is writable by www-data to solve that issue.
Thank you
No comments:
Post a Comment