0

I've been at this all day and think I finally figured it out, but want to make sure before I put it into production.

I'm changing my server to allow the apache:apache user write permission on a few directories. I'm the only user jeff:jeff on the server.

My directory structure looks something like this:

/home/jeff/www/                       0755 jeff:jeff
/home/jeff/www/example1.com/          0755 jeff:jeff
/home/jeff/www/example2.com/          0755 jeff:jeff
/home/jeff/www/example2.com/uploads/  0755 apache:apache

The problem is:

I run chmod apache:apache uploads/ to allow apache write access.

Whenever I want to edit a file in uploads/ via sftp, I have to chown it back to jeff:jeff, then reverse when I'm done.

My preliminary solution is:

  • Add apache user to jeff group
  • Give jeff group write permission on uploads/ dir via manual chmod 775
  • Force apache user to create any new files + folders + subfolders as apache:jeff. Requires setgid 2775 on uploads/ dir
  • Force apache user to create any new files + folders + subfolders with umask 002 = 775 via systemd

I'm only about 50% sure I've got all this right.

Does it sound okay? Is there a better way? Did I miss anything?

With Jim's help, here is the final solution I used:

For my reference.

# usermod --append --groups apache jeff

> Relogin all sessions

# chown -R apache:apache www/example.com/uploads/
# find www/example.com/uploads/ -type d -exec chmod 775 {} \;
# find www/example.com/uploads/ -type f -exec chmod 664 {} \;

# systemctl edit --full php.service

-----------
[Service]
UMask=0002
-----------

# systemctl daemon-reload
# systemctl restart php

WordPress users will want to add this to their wp-config.php:

define('FS_CHMOD_DIR', 0775);
define('FS_CHMOD_FILE', 0664);
Improve this question

1 Answer 1

Reset to default
2

Yes, that's the general idea, and you're fairly close, but I would suggest that rather than adding the apache user to the jeff group, it would be slightly more secure and perhaps a tad more convenient (and extensible, if that's important) to do it the other way 'round:

  1. Take apache out of the jeff group.

  2. Instead, add jeff to the apache group. For starters, this prevents apache from having read access to all the jeff group files.

  3. chown the uploads/ directory to be apache:apache and chmod 775 so that anyone in the apache group can create/delete files there.

  4. Have apache create files using umask 2 so that anything apache creates is group-writeable.

This way:

A) You no longer have to chown files before you can edit them; all the upload files are owned by group apache, are group-writable, and you already belong to the apache group.

B) You have the ability to easily add other users to the apache group and they, too, will be able to edit uploaded files.

Improve this answer
4
  • Thanks, I'll give this a try tomorrow morning. What about the setgid 2775 part? Is that still required? My understanding is this forces any files/folders under the 2775 directory to have the same group as the parent dir. Commented Apr 25, 2023 at 11:45
  • @Jeff If you can remember/script to umask 2 before doing any work in this directory, then that's enough. If you don't want to remember to do that each time, then setgid 2775 is a robust alternative. Commented Apr 25, 2023 at 12:17
  • I see now that using Jim's answer, I no longer need to worry about setgid because the group stays apache. Commented Apr 25, 2023 at 15:08
  • Adding users to apache group would mean that david also can access jeff's apache files Commented Dec 10, 2023 at 5:18

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.