1

Possible Duplicate:
Permissions: What's the right way to give Apache more user permissions?

Before I knew better, I used /home/someuser/public_html/scripts as a place from which shared scripts could be accessed by various users' php scripts.

```php
include('/home/someuser/public_html/scripts/somefile.php');
```

Something changed when we went from one server to another and now the only way that was working was to set public_html to 0755. Since we now have some customers with access to their own accounts, this is not acceptable. I tested a workaround by adding a user to the same group as someuser and putting another folder at /home/someuser/test_folder and setting it to 0750. Now my users who share the group can access test_folder. A user that is not in the group cannot, but if I chmod public_html from 755 to 750, I get permission errors even from the users that are in the same group. I checked lsattr and the only attrib that is set is "I" on public_html.

Any ideas on what to try next?

TecBrat
  • Your description isn't very clear, but if I understand correctly you did the right thing. Copy-paste the output of `ls -ld /home/someuser /home/someuser/public_html /home/someuser/public_html/scripts /home/someuser/public_html/scripts/somefile.php` and of `su -c groups user1` where user1 is not in the group. – Gilles 'SO- stop being evil' Aug 17 '12 at 18:24
  • I found out that I was mistaken. public_html was (is) in the "nobody" group, and so is apache, so my grouping idea won't work. – TecBrat Aug 17 '12 at 18:49
  • Don't let any file belong to `nobody` or run any process as `nobody`: that's what it's for. Create another group. And use access control lists (ACLs) to manage permissions, that's almost always the answer to website permission woes. – Gilles 'SO- stop being evil' Aug 17 '12 at 21:25
  • Or [How to configure permissions to allow apache to securely have access to a file in a shared environment?](http://unix.stackexchange.com/q/44919) – Gilles 'SO- stop being evil' Aug 17 '12 at 21:27

1 Answer

0

The solution was `# setfacl -m g:someuser:rx /home/someuser/public_html`

Read that like this: "Set File Access Control List, Modify, Group:someuser:read,execute, /home/someuser/public_html"

This forum question is what pointed me in the right direction.

TecBrat
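A check to run after swapping `chmod 0755` for the group ACL, as an added example that is not part of the original answer: it lists every component of the include path that still grants permissions to "other", and shows the named-group ACL entry on a directory. The function names `world_open_components` and `named_group_entry` are hypothetical; the code assumes GNU `stat`, and `getfacl` from the acl package for the second function.

```shell
#!/bin/sh
# Added example: audit path permissions after replacing a world-readable
# public_html with a group ACL. Function names are hypothetical.
# Assumes GNU stat (-c '%a'); getfacl is only needed by named_group_entry.

# Print "MODE PATH" for each component of path $1 (walking up to / or .)
# that grants any permission bit to "other". Returns 2 if stat fails.
world_open_components() {
    p=$1
    while :; do
        mode=$(stat -c '%a' "$p") || return 2
        other=${mode#"${mode%?}"}      # last octal digit = "other" bits
        if [ "$other" != 0 ]; then
            printf '%s %s\n' "$mode" "$p"
        fi
        case $p in /|.) break ;; esac
        p=$(dirname "$p")
    done
    return 0
}

# Print the named-group ACL entry for group $2 on path $1, e.g.
# "group:someuser:r-x". Exit status is non-zero when no such entry exists.
named_group_entry() {
    command -v getfacl >/dev/null 2>&1 || {
        echo "getfacl not installed" >&2
        return 2
    }
    getfacl -cp "$1" 2>/dev/null | grep "^group:$2:"
}

# Usage, with the paths from the question:
#   world_open_components /home/someuser/public_html/scripts/somefile.php
#   named_group_entry /home/someuser/public_html someuser
```

System directories such as `/` and `/home` will normally appear in the first listing; what matters is that `public_html` and everything below it do not.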