Monday, February 29, 2016

apache 2.2 - var/www permissions and FTP

There are many threads about this topic but many are subjective since it's such a flexible subject, so I hope I'm asking an objective question relevant to my setup, which is: is this a sensible approach to the problem of Apache and FTP permissions?



Ubuntu 12.04 LTS 64 bit LAMP server running in Amazon's EC2; Apache2, MySQL, PHP.




Apache2 runs under www-data.



Apache2 default site disabled.
Site: mysitename.com enabled.



sites-available/mysitename.com configured, with DocumentRoot and the Directory directive to point to /mnt/ebs1/public_html



In order to FTP files to the above public_html directory and also be able to manage them from the terminal, I created two specific user accounts and a group:




remote-system-user
remote-ftp-user
group: ftp



remote-system-user is a member of the admin group so is able to perform sudo operations at the terminal, and also the ftp group. It was created with 'adduser' and has a home directory.



remote-ftp-user is only a member of the ftp group. It was created with 'useradd' and does not have a home directory.



I then set permissions on /mnt/ebs1/public_html like this:




sudo chgrp -R ftp /var/www
sudo chmod -R g+w /var/www



I use proFTPd as an FTP server, and using its conf file, I jail the FTP user to /mnt/ebs1/public_html



Other than perhaps choosing a better name for the ftp group, since it's a bit illogical if the remote SSH user is also a member, what are people's comments on this setup?



The objective is to not give www-data full permissions to the public_html folder, but I will need site users to be able to upload files. I intend to create a folder within public_html which is writable by www-data to solve that issue.



Thank you
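
An added example, not part of the original post: a shell audit for the layout the question describes, listing paths www-data could write to outside the upload folder and paths the shared group cannot write. It assumes www-data is neither the owner nor a member of the shared group (so it only gets the "other" permission bits); the folder name `uploads` and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a docroot for the layout described in the question.
# Assumption: www-data neither owns the files nor belongs to the shared
# group, so it reaches them only through the "other" permission bits.

# Paths outside the upload folder that "other" (and so www-data) can write.
other_writable() {   # $1 = docroot, $2 = upload folder name (hypothetical)
    find "$1" -path "$1/$2" -prune -o ! -type l -perm -0002 -print
}

# Paths the shared group cannot write; FTP edits would fail on these.
not_group_writable() {   # $1 = docroot
    find "$1" ! -type l ! -perm -0020 -print
}

# Build a constructed sample tree and print the path of its docroot.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/public_html/uploads" "$d/public_html/css"
    : > "$d/public_html/index.php"
    : > "$d/public_html/css/site.css"
    chmod -R u=rwX,g=rwX,o=rX "$d/public_html"   # intended baseline
    # Stand-in for the www-data-writable folder (a real one would more
    # likely be owned by www-data, which needs root to set up).
    chmod o+w "$d/public_html/uploads"
    chmod o+w "$d/public_html/css"                # constructed mistake
    chmod g-w "$d/public_html/index.php"          # constructed mistake
    echo "$d/public_html"
}

# Demo run against the constructed tree.
root=$(make_sample_tree)
echo "Writable by other outside uploads/:"
other_writable "$root" uploads
echo "Not group-writable:"
not_group_writable "$root"
rm -rf "$(dirname "$root")"
```

Against a real docroot, call the two functions with its path; both checks read mode bits only, so they run without sudo wherever the tree is readable.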
