Froxlor and websites: confused about permission security


robin24

Question

Hi all,

I just moved my Wordpress site from my old webspace over to my new Debian server running Froxlor. Before migrating the files and database, I had created a new domain under my customer account and assigned a new folder to this domain. After moving the files and database, everything worked fine, except I kept getting warnings about missing file permissions whenever I was trying to change something. I checked the folder permissions on the server and found that they were assigned to the correct user and group (robin:robin), also the file permissions looked alright. However, just to be sure, I did a chmod -R 775 so all the files would be user writable, group writable, world readable and world executable (I know this could be a security risk, but I put it in as it's required to open folders, and there aren't any script files in that directory that could be executed anyway).

However, this didn't help whatsoever, I still kept getting the same issues. Then, I thought, hmmm? Isn't it really the www-data group and user that run all the scripts, as these are the user and group that Apache is assigned to? As I didn't want to give all the files a chmod of 777 (thus making them world writable) I ran usermod -G www-data robin, thus adding the user which Froxlor created to the www-data group.

Well, after having done this, everything seems to work now since Apache now has write access to all files - well, I guess that's good as long as I'm the only person running php / script-based stuff on the web server. But what if, say, I want to be nice to a mate and let them host their blog on my webspace as well? After all, I'd have to add him to the www-data group as well, thus ultimately giving him unrestricted write access to my own website, something I wouldn't really want to do?

So, the question I really have is: is what I've done really the only possible way out, or am I just missing the obvious? Also, if it *really* is the only way, what can I do so no other "customer" will get write permission on my personal stuff?

Thanks for any help and clarification!!! :-)

Robin

6 answers to this question

Would like to see the answer to that, similar "problem" here. I have several users on the server, and Froxlor creates virtual users with their folders under /var/customers/webs that Apache has no access to. I really don't want to chmod/chown everything every time a new user is created; there must be a better way to allow Apache access to those "user" folders, without having the crossover problem described above by Robin.

Hi, I'm new to this forum.

I have a similar question. Web directory permissions for a user, i.e. web1.

The directory could be something like /var/customer/webs/web1 (owner and group web1).

If I install Joomla in the directory /var/customer/webs/web1/domainname/ and set the owner and group to web1, I have to change the permissions for tmp/ and cache/ to 777 to be writable for Joomla.

If I use www-data for user and group instead, I don't have to change any permissions.

Could this be a security issue?

I'm having similar issues where a different solution has been suggested.

So, when a new customer is created and a site created, the home directory of the user is set as owned by the virtual user and virtual group... let's use 10000.10000 for example.

WordPress and other CMS systems want the PHP scripts to be owned by the Apache server group and user... on my Debian-based system this is www-data.www-data

I have a PHP script that uses FTP to upload a photo to a directory within the site and there is no FTP allowance for the www-data.www-data user and group.

Normally, one would add a *real* user to the www-data group with a command like: usermod -aG www-data 10000

In this case, "user 10000 does not exist" is the result. Can you suggest a way to fix this so that the PHP scripts within the WordPress site may still be owned by www-data.www-data and yet those scripts are able to upload a file via FTP that has write permissions to the web site's home directory?
Archived

This topic is now archived and is closed to further replies.
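
The posts above describe two states that let one account write into another's site: directories set to 777, and files writable by a group (www-data) that several accounts share. The following check for both is an added example, not part of the original thread or of Froxlor; the function name audit_docroot and the sample arguments are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit one customer docroot for the two
# permission states the posts describe.
#
# Usage: audit_docroot DIR GROUP
#   DIR   - docroot to check, e.g. a folder under /var/customers/webs
#   GROUP - name or numeric gid of a group shared by several accounts
#           (assumption for this thread: www-data)
#
# Output, one finding per line:
#   WORLD-WRITABLE <path>         any local account can modify it (the 777 case)
#   SHARED-GROUP-WRITABLE <path>  every member of GROUP can modify it
audit_docroot() {
    dir=$1
    group=$2

    # Symlinks are skipped: their own mode bits carry no meaning.
    find "$dir" ! -type l -perm -0002 -print | sed 's/^/WORLD-WRITABLE /'

    # Owned by the shared group and group-writable: adding a second customer
    # to that group gives them write access to these paths as well.
    find "$dir" ! -type l -group "$group" -perm -0020 -print |
        sed 's/^/SHARED-GROUP-WRITABLE /'
}

# Run directly as: sh audit.sh DIR GROUP
if [ "$#" -ge 2 ]; then
    audit_docroot "$1" "$2"
fi
```

An empty result means nothing under DIR is writable by everyone or by members of GROUP; it says nothing about which user the PHP processes run as.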