I'm setting up an Ubuntu server that will have 3 or 4 VirtualHosts that I want users to be able to work in (add new files, edit old files, etc.). I currently plan on storing the sites in /var/www
but wouldn't be opposed to moving it.
I know how to add new users, I know how to add new groups. I'm unsure of the best way to handle users being only able to edit some sites. I read over the answers here in this question, so I was thinking I could setup a group and add users to that group, but then they'd all have essentially the same permissions. Am I just going to have to assign each user specific permissions? Or is there a better way of handling this?
Added: I should also note, that I'll have each user login in via SSH/sFTP. The users would never need to do anything else on the server.
Answer
You should use a group for each website. And make all users that need write access to be members of the respective group.
groupadd site1_com
mkdir /var/www/www.site1.com
chgrp site1_com /var/www/www.site1.com
find /var/www/www.site1.com -type d -print0|xargs -0 chmod g=rwxs
chmod -R g+rw /var/www/www.site1.com
usermod -aG site1_com user1
Now each time the users are creating files under /var/www/www.site1.com folder they should use the umask 0002
(in ~/.bashrc or in the deployment script) or they should set the permission for the group to have read write access chmod -R g+rw /var/www/www.site1.com 2>/dev/null
.
Another solution to set the permissions would be to use dnotify. Create /usr/local/sbin/dnotify_handler-reset_perms.sh
script with the following content:
#! /bin/sh
CHANGED_FOLDER=$1
find $CHANGED_FOLDER -maxdepth 1 -mmin 0 -not -perm -g+w -exec chmod g+w {} \;
And add to /etc/rc.local
:
dnotify --recursive /var/www/www.site1.com --create --execute --background /usr/local/sbin/dnotify_handler-reset_perms.sh
No comments:
Post a Comment