0

I've got a server setup where a couple of users will need access to the webroot and subfolders. How do I ensure that the files they upload have the proper permissions to be seen by Apache and allow them to edit/delete files as necessary?

  • possible duplicate of [FTP and Apache permission issues](http://serverfault.com/questions/184548/ftp-and-apache-permission-issues) – quanta Aug 15 '12 at 02:46

2 Answers

1

Just add both users to a specific group and have that ftp path owned by that specific group.

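groupadd ftpWebGroup                  # create the shared group
usermod -a -G ftpWebGroup ftp         # append the group to the existing ftp user
usermod -a -G ftpWebGroup apache      # append the group to the existing apache user
chown -R :ftpWebGroup WEBROOTPATH     # recursively change group ownership to ftpWebGroup
# give r/w group permission; capital X adds execute/search only to directories
# (and to files that are already executable) so the group can enter subfolders
chmod -R g+rwX WEBROOTPATH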
vagarwal
Jay
  • I'm not sure your solution can work in real life: imagine a website visitor uploads a file via a PHP script. The new file will belong to the apache user and group and won't be writable by ftp users. –  Aug 15 '12 at 11:34
  • I see what you mean. But within the script could you just use copy instead of move_uploaded_file, since the copy command takes the permissions from apache, including the groups that it is a part of, i.e. apache and ftpWebGroup in this case? @toxboi thanks for the fix on the useradd; silly me, existing users. – Jay Aug 15 '12 at 14:52
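An added example, not part of the original answer or its comments: a read-only audit that lists entries under the webroot that have drifted from the shared-group scheme above, such as the script-created files raised in the comment. The function name `audit_webroot` and its output format are assumptions of this example.

```shell
# Added example: audit a webroot against the shared-group scheme.
# Usage: audit_webroot WEBROOTPATH GROUP   (GROUP may be a name or a numeric gid)
# Output, one line per finding (format is this example's own):
#   group <path>   entry is not group-owned by GROUP, e.g. a file written
#                  by a PHP upload script as apache:apache
#   perms <path>   file lacks group r/w, or directory lacks group r/w/x
audit_webroot() {
    # Entries whose group is not the shared group.
    find "$1" ! -group "$2" -exec printf 'group %s\n' {} +
    # Files the group cannot read and write; directories it cannot also enter.
    find "$1" \( \( -type f ! -perm -060 \) -o \( -type d ! -perm -070 \) \) \
        -exec printf 'perms %s\n' {} +
    return 0
}
```

Run it from cron or after a deployment, for instance `audit_webroot WEBROOTPATH ftpWebGroup`; empty output means every entry matches the scheme.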
0

You can achieve more advanced control (and inheritance!) over standard Unix permissions and umasks with ACLs. As always, with more control comes more complexity.

Firstly the filesystem on your device needs to be mounted with the ACL option (assuming Linux extended file system here). This could already be available... if not:

You can add a default mount option to the device:

tune2fs -o acl /dev/device

Then either reboot or manually remount the disk. Note you may need to edit /etc/fstab to include the "acl" option if you're not mounting with the "default" that you modified above.

Now you're ready to get and set ACLs with getfacl and setfacl.

What you need is a default user/group permission on the directories which will then be inherited by any files contained or created within.

setfacl -m d:group:yourNewGroupForYourFtpUsers:rwx /webroot/site/

touch /webroot/site/testfile
mkdir /webroot/site/testdir
touch /webroot/site/testdir/testfile

Then a getfacl on each path should all include a line like group:yourNewGroupForYourFtpUsers:rwx

If you've not used ACLs before, you might need to check that external tools that deal with files also support ACLs: backups, restores, etc.

Matt