As part of refining my Apache web server which runs multiple sites I’ve create a user account, database account and home folder per site so for example the site example.com has a user account example, a database account example and a web folder located at:
/home/example/public_html
The corresponding Apache VirtualHost for this site is:
<VirtualHost *:80>
ServerAdmin admin@example.com
ServerName www.example.com
ServerAlias example.com
ErrorLog /var/log/apache2/error.example.com.log
LogLevel warn
CustomLog /var/log/apache2/access.example.com.log combined
DocumentRoot /home/example/public_html
<IfModule mod_suexec.c>
SuexecUserGroup example example
</IfModule>
</VirtualHost>
Previously to ensure PHP scripts worked I had a Bash cron job to loop over all the user’s public_html folders and set the owner on the public_html folder to the apache user www-data.
Not ideal.
So after a few hours of digging I managed to deploy a solution both secure and flexible, allowing users to logon and edit their web pages without permissioning headaches.
Assuming a basic Apache setup first install the Apache suPHP and suEXEC modules:
sudo apt-get install libapache2-mod-suphp apache2-suexec
Enable the modules:
sudo a2enmod suexec
sudo a2enmod suphp
The suPHP module replaces the Apache PHP4 and PHP5 modules. Having both active prevents suPHP from working properly so you’ll need to disable the PHP4 and PHP5 modules:
sudo a2dismod php4
sudo a2dismod php5
Finally you’ll want to set the permissions on the user folder:
find ~/public_html/ -type f -exec chmod 644 {} \;
find ~/public_html/ -type d -exec chmod 755 {} \;
To get this setup even better I’d ideally like to set those permissions to 600 and 700 respectively but that’s a job for tomorrow.