0

My apache server is currently running under user "www-data". However, this user doesn't have the permissions to access /home/username/www. What is the best way to give Apache the right permissions so that it can access all /home/*/www directories? Is there any way to set a different user for Apache depending on which document root it is serving?

1
  • In my times it was user responsibility to put ********x to their home directories. Commented Sep 25, 2010 at 21:51

3 Answers

3

The typical way to do it is to change the group of those directories to www-data and allow executable access to the group:
chgrp www-data /home/*
chmod g+x /home/*
chgrp -R www-data /home/*/www
chmod -R g+x /home/*/www

This assumes that www-data is a pre-existing group (it usually is). If not, replace www-data above with web and do the following first:
groupadd web
usermod -aG web www-data

Personally I'd do it with an ACL, but I don't know if setfacl is an option on Ubuntu:
setfacl -m user:www-data:r-x /home/*
setfacl -R -m user:www-data:rwx /home/*/www
setfacl -d -R -m user:www-data:rwx /home/*/www

0

You have a couple options here...

First, you could use groups for this. Create a group for this purpose (or use a pre-existing group). Add the apache user to that group. Set the group owner of those directories to the group you previously created. Allow group read access and execute on directories.

Second, you can set up suexec with apache. Using this, apache processes for each specific vhost would get started with that "user's" account, thereby allowing that process to access the appropriate directories.

0

Here is how I did it:

chgrp www-data /home/*; chgrp www-data /home/*/www/; chmod g+s /home/*/www/; #So that every newly created file inherits the group www-data 
1
  • 3
    It's ok to add comments on exactly how you accomplished something, but since somebody else provided those exact steps and more details in an answer several days earlier, good etiquette would have you accept their answer as correct. If people are going to go to the work of providing answers they need to be given credit for it, and the way this site works, you rehashing the data in an answer to your own question prevents that. Commented Apr 20, 2011 at 8:49
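
The group-based setup from the answers above, as an added example that is not part of any original post. It grants traversal only (`g+x`) on each home directory, read access on each www tree using `g+rX` so that regular files are not made executable, and setgid on directories so new files inherit the group. The function name `grant_web_access` and its two parameters are assumptions of this sketch; run as root, it would be called with `/home` and `www-data`.

```bash
#!/usr/bin/env bash
# Added example (not from the original posts).
# grant_web_access BASE GROUP
#   BASE  - directory holding the per-user homes (on the page: /home)
#   GROUP - group the web server runs in (on the page: www-data)
grant_web_access() {
    local base=$1 group=$2 home www
    for home in "$base"/*/; do
        home=${home%/}
        www=$home/www
        # Skip users without a web root. Symlinked homes or web roots are
        # skipped too, because chmod follows a symlink given on the command
        # line and would change permissions on whatever it points to.
        if [ ! -d "$www" ] || [ -L "$www" ] || [ -L "$home" ]; then
            continue
        fi
        # Home directory: the group may pass through it, but not list it.
        chgrp "$group" "$home"
        chmod g+x "$home"
        # Web root: group ownership for the whole tree.
        chgrp -R "$group" "$www"
        # r on everything, x only on directories (capital X), so the server
        # can read files and descend into directories without every file
        # becoming executable.
        chmod -R g+rX "$www"
        # setgid on directories: files created later inherit the group.
        find "$www" -type d -exec chmod g+s {} +
    done
}

# Typical invocation as root:
#   grant_web_access /home www-data
```

Nothing here grants write access to the web server group, so a compromised web process can read the published files but cannot modify them.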
