2

I'm trying to set correct ACL to all folders used on my shared server. That way other users will be unable to read each other files. What I did so far is next:

Owner of each website folder is owned by separate user and group:

ls -l crm

drwxr-x--- 3 crm         crm         4096 Jan  6 04:54 crm
drwxr-x---  3 mdf        mdf         4096 Jan  8 00:26 mdf
drwxr-x--- 3 dba         dba         4096 Jan  6 04:54 dba

Permissions are set to -rwxr-x---, so others have 0 permission.

But because apache (www-data) need execute permission, by default that will not work (error: AH00035).

That way I've decided to use setfacl and to give www-data execute and read permission:

setfacl -R -m u:www-data:rx /var/www/crm/

getfacl will give:

# file: crm
# owner: crm
# group: crm
user::rwx
user:www-data:r-x
group::r-x
mask::r-x
other::---

Now website works fine, but I'm not sure if what I did is correctly done? Will this kind of configuration be enough to isolate users from reading each other files?

user134969
  • 263
  • 2
  • 7
  • Note that if you allow scripting (PHP, CGI, etc.), you need to check under what user those scripts will run, as well. (Unless you use `suexec`, it's probably the same for all your users.) – Ulrich Schwarz Mar 09 '20 at 06:12
  • I'm running php-fpm - all of them (users) are separated same way as above. – user134969 Mar 09 '20 at 06:13

0 Answers0