...

We do not want employees from different companies to access, or even be aware of, each other's web directories. At the same time, the Apache server, running as user www-data in group www-data, also needs access to those directories. We also want to grant users in the staff group read access for support purposes. Finally, we want all subsequent directories and files under the respective web root directories to inherit the same permissions.

This is just not possible using standard Unix groups.

...

Directory Structure and

...

Creating the Directory Structure and Permissions

...

...

Permissions

These directories start at /opt/. The Permissions column is the Unix mode (chmod symbolic notation), ACL is the access ACL set with setfacl, and ACL (default) is the default ACL that new files and directories inherit.

| Directory | Permissions | ACL | ACL (default) |
|---|---|---|---|
| ./web/ | rwXr-X--X | www-data:rX | www-data:rX |
| ./web/php/ | rwXr-X--X | www-data:rX | www-data:rX |
| ./web/php/tmp/ | rwXr-X--- | www-data:rwX | www-data:rwX |
| ./web/php/logs/ | rwXr-X--- | www-data:rwX | www-data:rwX |
| ./web/php/dailyplanet.com/ | rwXr-X--- | www-data:rX, wgdailyplanet:rwX | www-data:rX, wgdailyplanet:rwX |
| ./web/php/dailyplanet.com/www/ | rwXr-X--- | www-data:rX, wgdailyplanet:rwX | www-data:rX, wgdailyplanet:rwX |
| ./web/dailyplanet.com/blog/ | rwXr-X--- | www-data:rX, wgdailyplanet:rwX | www-data:rX, wgdailyplanet:rwX |
| ./web/dailyplanet.com/blog/wp-content/ | rwXr-X--- | www-data:rwX, wgdailyplanet:rwX | www-data:rwX, wgdailyplanet:rwX |
| ./web/php/lexcorp.com/ | rwXr-X--- | www-data:rX, wglexcorp:rwX | www-data:rX, wglexcorp:rwX |
| ./web/lexcorp.com/www/ | rwXr-X--- | www-data:rX, wglexcorp:rwX | www-data:rX, wglexcorp:rwX |
| ./web/lexcorp.com/blog/ | rwXr-X--- | www-data:rX, wglexcorp:rwX | www-data:rX, wglexcorp:rwX |
| ./web/lexcorp.com/blog/wp-content/ | rwXr-X--- | www-data:rwX, wglexcorp:rwX | www-data:rwX, wglexcorp:rwX |

All directories must be owned by serveradmin:staff.

Creating Users and Groups

First create the groups, then the users, following the standards of the Bonsai Framework:

```bash
# One group per company, with a fixed GID
sudo groupadd --gid 4000 wgdailyplanet
sudo groupadd --gid 4010 wglexcorp
# One login per company, primary group set to the company group; the GECOS field holds the contact address
sudo useradd -d /opt/web/php/dailyplanet01 -m -g wgdailyplanet -u 4000 -c "clark.kent@dailyplanet.com" -s /bin/bash dailyplanet01
sudo useradd -d /opt/web/php/lexcorp01 -m -g wglexcorp -u 4010 -c "lex.luthor@lexcorp.com" -s /bin/bash lexcorp01
```

Create Directories

web Folder

Start by creating the web folder in your home directory so you do not have to keep using sudo.

...

```bash
# From inside ~/web
cd php
# Apache needs to write to tmp and logs: grant the www-data group rwX recursively
setfacl -Rm g:www-data:rwX tmp
# Copy the access ACL just set into the default ACL so new files and directories inherit it
getfacl --access ./tmp/ | sudo setfacl -d -RM - ./tmp/
setfacl -Rm g:www-data:rwX logs
getfacl --access ./logs/ | sudo setfacl -d -RM - ./logs/
```

Next, move the web folder to /opt and make serveradmin:staff own it:

```bash
cd ~
sudo mv web /opt/
cd /opt/
# Ownership per the permissions table: serveradmin owns, the staff group gets read access
sudo chown -R serveradmin:staff web
```
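The permissions table and the setfacl steps above are applied by hand, one directory at a time. As an added example (not code from the page or the Bonsai Framework), the script below turns one company's rows of that table into the equivalent chown/chmod/setfacl commands, and audits a getfacl dump against the table so the result can be checked after the fact. It assumes the layout on this page (/opt/web/php/<site>/ with www/ and blog/wp-content/ below it, Apache in group www-data, one group such as wgdailyplanet per company, serveradmin:staff ownership); the function and variable names (plan_site_acl, audit_acl_dump, WEB_ROOT, HTTPD_GROUP) are mine, and the getfacl dumps it checks are constructed, not captured from a server.

```shell
#!/bin/sh
# Added example, not code from the page or the Bonsai Framework. It turns the
# permission table above into setfacl commands for one company's web root and
# audits a getfacl dump against that table. Assumed (as on the page): sites
# live in /opt/web/php/<site>/ with www/ and blog/wp-content/ below, Apache
# runs as group www-data, each company has one group (e.g. wgdailyplanet) and
# directories are owned by serveradmin:staff. Function names are mine.

WEB_ROOT="${WEB_ROOT:-/opt/web/php}"     # assumed root, as in the table
HTTPD_GROUP="${HTTPD_GROUP:-www-data}"   # assumed Apache group

# plan_site_acl SITE GROUP: print (not run) the commands for one site's rows:
# serveradmin:staff ownership with mode rwXr-X---, Apache read-only and the
# company group read/write everywhere, Apache read/write only in wp-content,
# and each access ACL repeated as a default ACL so new entries inherit it.
# chmod deliberately precedes setfacl: chmod's group bits become the ACL mask,
# so running it afterwards would silently cap the company group at r-x.
plan_site_acl() {
    site="$WEB_ROOT/$1"; grp="$2"
    printf 'chown -R serveradmin:staff %s\n' "$site"
    printf 'chmod -R u=rwX,g=rX,o= %s\n' "$site"
    printf 'setfacl -Rm g:%s:rX,g:%s:rwX %s\n' "$HTTPD_GROUP" "$grp" "$site"
    printf 'setfacl -d -Rm g:%s:rX,g:%s:rwX %s\n' "$HTTPD_GROUP" "$grp" "$site"
    printf 'setfacl -Rm g:%s:rwX %s/blog/wp-content\n' "$HTTPD_GROUP" "$site"
    printf 'setfacl -d -Rm g:%s:rwX %s/blog/wp-content\n' "$HTTPD_GROUP" "$site"
}

# plan_shared_acl: the php/tmp and php/logs rows, where Apache must write.
plan_shared_acl() {
    for d in tmp logs; do
        printf 'setfacl -Rm g:%s:rwX %s/%s\n' "$HTTPD_GROUP" "$WEB_ROOT" "$d"
        printf 'setfacl -d -Rm g:%s:rwX %s/%s\n' "$HTTPD_GROUP" "$WEB_ROOT" "$d"
    done
}

# effective_entries: getfacl prints "group:x:rwx   #effective:r-x" when the
# mask caps an entry; rewrite such lines to the effective permission and drop
# comment lines, so the audit judges what the kernel enforces, not what was asked.
effective_entries() {
    awk '/^#/ { next } { sub(/:[-rwx]+[ \t]+#effective:/, ":"); print }'
}

# audit_acl_dump GROUP [WWW_WRITES] < getfacl-output: return 0 when the dump
# matches the table (company group rwx, Apache r-x, or rwx if WWW_WRITES=1 for
# a wp-content row, nothing for "other", and the same entries as defaults);
# otherwise print the first violation and return 1.
audit_acl_dump() {
    grp="$1"; www_perm='r-x'
    [ "${2:-0}" = 1 ] && www_perm='rwx'
    entries=$(effective_entries)
    for want in "group:$grp:rwx" "group:$HTTPD_GROUP:$www_perm" "other::---" \
            "default:group:$grp:rwx" "default:group:$HTTPD_GROUP:$www_perm" "default:other::---"; do
        printf '%s\n' "$entries" | grep -qx -- "$want" || {
            echo "ACL violation: expected '$want' (check the mask entry)"; return 1; }
    done
    return 0
}

# Constructed getfacl output for a correctly configured site directory.
sample_good_dump() {
    cat <<'EOF'
# file: opt/web/php/dailyplanet.com
user::rwx
group::r-x
group:www-data:r-x
group:wgdailyplanet:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:www-data:r-x
default:group:wgdailyplanet:rwx
default:mask::rwx
default:other::---
EOF
}

# Constructed dump after "chmod -R g=rX" ran *after* setfacl: the mask fell to
# r-x, so the company group entry still reads rwx but is only effective as r-x.
sample_masked_dump() {
    sample_good_dump | sed -e 's/^group:wgdailyplanet:rwx$/&      #effective:r-x/' \
                           -e 's/^mask::rwx$/mask::r-x/'
}

# Usage: "sh file.sh --demo" prints the plan and audits the constructed dumps;
# otherwise source it, e.g.  getfacl /opt/web/php/dailyplanet.com | audit_acl_dump wgdailyplanet
if [ "${1:-}" = "--demo" ]; then
    plan_shared_acl; plan_site_acl dailyplanet.com wgdailyplanet
    sample_good_dump | audit_acl_dump wgdailyplanet && echo "good dump: OK"
    sample_masked_dump | audit_acl_dump wgdailyplanet || echo "masked dump rejected, as expected"
fi
```

The planner only prints commands, so the output can be reviewed before being piped into `sudo sh`. The ordering it enforces is the point worth remembering from this page: chmod on the group bits rewrites the ACL mask, which is why the masked sample is rejected even though its wgdailyplanet entry still says rwx. Against a live directory the check is simply `getfacl /opt/web/php/dailyplanet.com | audit_acl_dump wgdailyplanet`, with a second argument of 1 for the wp-content rows where www-data is allowed to write.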

...