...
We do not want employees from different companies to access, or even be aware of, each other's web directory. At the same time, the Apache server, running as user www-data in group www-data, also needs access to those directories. We also want to grant members of the staff group read access for support purposes. Finally, we want all subsequent directories and files created under the respective web root directories to inherit the same permissions.
This is not possible using standard Unix groups alone: a directory has a single group owner, so it cannot carry separate permissions for www-data, staff and the tenant's own group at the same time. POSIX ACLs (setfacl/getfacl) allow exactly that, and default ACLs take care of the inheritance.
...
Directory Structure and
...
Creating the Directory Structure and Permissions
...
...
Permissions
All paths below are relative to /opt/
Directory | Permissions | ACL | ACL (default) |
---|---|---|---|
./web/ | rwXr-X--X | www-data:rX | www-data:rX |
./web/php/ | rwXr-X--X | www-data:rX | www-data:rX |
./web/php/tmp/ | rwXr-X--- | www-data:rwX | www-data:rwX |
./web/php/logs/ | rwXr-X--- | www-data:rwX | www-data:rwX |
./web/php/dailyplanet.com/ | rwXr-X--- | www-data:rX wgdailyplanet:rwX | www-data:rX wgdailyplanet:rwX |
./web/php/dailyplanet.com/www/ | rwXr-X--- | www-data:rX wgdailyplanet:rwX | www-data:rX wgdailyplanet:rwX |
./web/php/dailyplanet.com/blog/ | rwXr-X--- | www-data:rX wgdailyplanet:rwX | www-data:rX wgdailyplanet:rwX |
./web/php/dailyplanet.com/blog/wp-content/ | rwXr-X--- | www-data:rwX wgdailyplanet:rwX | www-data:rwX wgdailyplanet:rwX |
./web/php/lexcorp.com/ | rwXr-X--- | www-data:rX wglexcorp:rwX | www-data:rX wglexcorp:rwX |
./web/php/lexcorp.com/www/ | rwXr-X--- | www-data:rX wglexcorp:rwX | www-data:rX wglexcorp:rwX |
./web/php/lexcorp.com/blog/ | rwXr-X--- | www-data:rX wglexcorp:rwX | www-data:rX wglexcorp:rwX |
./web/php/lexcorp.com/blog/wp-content/ | rwXr-X--- | www-data:rwX wglexcorp:rwX | www-data:rwX wglexcorp:rwX |
All directories must be owned by serveradmin:staff. The read access for the staff group comes from the group bits (r-X) in the Permissions column, not from an ACL entry; the ACL columns only add www-data and the tenant group.
Creating Users and Groups
First create the groups, then the users, following the standards of the Bonsai Framework:
Code Block | ||
---|---|---|
| ||
sudo groupadd --gid 4000 wgdailyplanet
sudo groupadd --gid 4010 wglexcorp
sudo useradd -d /opt/web/php/dailyplanet01 -m -g wgdailyplanet -u 4000 -c "clark.kent@dailyplanet.com" -s /bin/bash dailyplanet01
sudo useradd -d /opt/web/php/lexcorp01 -m -g wglexcorp -u 4010 -c "lex.luthor@lexcorp.com" -s /bin/bash lexcorp01 |
Create Directories
web Folder
Start by creating the web folder in your home directory so you do not have to keep using sudo for every command.
...
Code Block | ||
---|---|---|
| ||
cd php
setfacl -Rm g:www-data:rwX tmp
# copy the access ACL just set into the default ACL, so files and directories created under tmp later inherit it
getfacl --access ./tmp/ | setfacl -d -RM - ./tmp/
setfacl -Rm g:www-data:rwX logs
getfacl --access ./logs/ | setfacl -d -RM - ./logs/ |
Next move the web folder to the opt directory and make serveradmin:staff own it
Code Block | ||
---|---|---|
| ||
cd ~
sudo mv web /opt/
cd /opt/
sudo chown -R serveradmin:staff web |
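The permissions table and the snippets above apply the layout by hand, one directory at a time, and only the tmp/ and logs/ ACL commands are shown. The script below is an added example, not Bonsai Framework code: it drives the same layout from a single table, prints the commands it would run, applies them, checks the table itself for cross-tenant grants, and verifies the live ACLs with getfacl. It assumes the tree lives under /opt/web (override with WEBROOT), that it is owned by serveradmin:staff, that the groups www-data, wgdailyplanet and wglexcorp already exist, that the acl package providing setfacl and getfacl is installed, and that the filesystem is mounted with POSIX ACL support. The function and variable names (ACL_TABLE, acl_apply, acl_plan, acl_check_isolation, acl_verify, perm_long) are the example's own. Instead of copying the access ACL into the default ACL with getfacl --access | setfacl -d -M -, it adds each entry as a default ACL directly; setfacl fills in the base default entries from the directory mode, so the inheritance is the same.

```shell
#!/usr/bin/env bash
# Added example, not Bonsai Framework code: apply and verify the permissions
# table from one place. Assumes the tree is /opt/web (override: WEBROOT),
# owner serveradmin:staff, groups www-data/wgdailyplanet/wglexcorp exist,
# the acl package is installed and the filesystem has POSIX ACL support.
set -u
WEBROOT="${WEBROOT:-/opt/web}"
OWNER="serveradmin:staff"
ACL_DRY_RUN="${ACL_DRY_RUN:-0}"
# One row per directory, relative to WEBROOT: path|mode|ACL entries. Each
# entry becomes an access ACL (the directory) and a default ACL (inherited).
ACL_TABLE='.|u=rwX,g=rX,o=X|g:www-data:rX
php|u=rwX,g=rX,o=X|g:www-data:rX
php/tmp|u=rwX,g=rX,o=|g:www-data:rwX
php/logs|u=rwX,g=rX,o=|g:www-data:rwX
php/dailyplanet.com|u=rwX,g=rX,o=|g:www-data:rX,g:wgdailyplanet:rwX
php/dailyplanet.com/www|u=rwX,g=rX,o=|g:www-data:rX,g:wgdailyplanet:rwX
php/dailyplanet.com/blog|u=rwX,g=rX,o=|g:www-data:rX,g:wgdailyplanet:rwX
php/dailyplanet.com/blog/wp-content|u=rwX,g=rX,o=|g:www-data:rwX,g:wgdailyplanet:rwX
php/lexcorp.com|u=rwX,g=rX,o=|g:www-data:rX,g:wglexcorp:rwX
php/lexcorp.com/www|u=rwX,g=rX,o=|g:www-data:rX,g:wglexcorp:rwX
php/lexcorp.com/blog|u=rwX,g=rX,o=|g:www-data:rX,g:wglexcorp:rwX
php/lexcorp.com/blog/wp-content|u=rwX,g=rX,o=|g:www-data:rwX,g:wglexcorp:rwX'
# Tenant tree -> the only tenant group allowed to appear in its ACLs.
TENANTS='php/dailyplanet.com=wgdailyplanet
php/lexcorp.com=wglexcorp'

# Run a command, or only print it when ACL_DRY_RUN=1.
run() { if [ "$ACL_DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }
# Resolve a table path to an absolute directory.
abs() { case "$1" in .) printf '%s' "$WEBROOT" ;; *) printf '%s/%s' "$WEBROOT" "$1" ;; esac; }

# Create every directory with its mode, owner, access ACL and default ACL.
acl_apply() {
  while IFS='|' read -r rel mode entries; do
    [ -n "$rel" ] || continue
    dir=$(abs "$rel")
    run mkdir -p "$dir"
    run chown "$OWNER" "$dir"
    run chmod "$mode" "$dir"
    for e in $(printf '%s' "$entries" | tr ',' ' '); do
      run setfacl -m "$e" "$dir"     # access ACL on the directory itself
      run setfacl -d -m "$e" "$dir"  # default ACL, inherited by children
    done
  done <<EOF
$ACL_TABLE
EOF
}
# Print what acl_apply would do without touching the system.
acl_plan() { ACL_DRY_RUN=1; acl_apply; ACL_DRY_RUN=0; }

# Expand a short spec such as rX into the r-x form getfacl prints
# (on a directory, X always means x).
perm_long() {
  out=""
  case "$1" in *r*) out="r" ;; *) out="-" ;; esac
  case "$1" in *w*) out="${out}w" ;; *) out="${out}-" ;; esac
  case "$1" in *x*|*X*) out="${out}x" ;; *) out="${out}-" ;; esac
  printf '%s' "$out"
}

# Static check on the table: a tenant group must never be granted anything
# outside its own tree (the isolation property this layout exists for).
acl_check_isolation() {
  rc=0
  while IFS='|' read -r rel mode entries; do
    [ -n "$rel" ] || continue
    while IFS='=' read -r tdir tgroup; do
      [ -n "$tdir" ] || continue
      case "$rel" in "$tdir"|"$tdir"/*) continue ;; esac   # own tree: allowed
      case ",$entries," in *",g:$tgroup:"*) echo "LEAK: $tgroup on $rel"; rc=1 ;; esac
    done <<EOF
$TENANTS
EOF
  done <<EOF
$ACL_TABLE
EOF
  return $rc
}

# Live check: every table entry exists as both an access and a default ACL.
# If a mask cuts the effective rights getfacl appends "#effective:", which
# makes the exact match fail, as it should.
acl_verify() {
  rc=0
  while IFS='|' read -r rel mode entries; do
    [ -n "$rel" ] || continue
    dir=$(abs "$rel")
    for e in $(printf '%s' "$entries" | tr ',' ' '); do
      rest="${e#*:}"; name="${rest%%:*}"; perms="${rest#*:}"
      expect="group:$name:$(perm_long "$perms")"
      for flag in --access --default; do
        getfacl "$flag" --omit-header "$dir" 2>/dev/null | sed 's/^default://' | grep -qx "$expect" \
          || { echo "MISSING ($flag) $expect on $dir"; rc=1; }
      done
    done
  done <<EOF
$ACL_TABLE
EOF
  return $rc
}

case "${1:-}" in plan) acl_plan ;; check) acl_check_isolation ;; apply) acl_apply ;; verify) acl_verify ;; esac
```

Run it as `./acl-layout.sh plan` to see the exact commands, `./acl-layout.sh check` to confirm no tenant group appears outside its own tree, `sudo ./acl-layout.sh apply` to create the tree (re-running is safe, since mkdir -p, chown, chmod and setfacl -m are all idempotent), and `./acl-layout.sh verify` afterwards as root or a staff member; verify prints nothing and exits 0 when every access and default entry is in place, and one MISSING line per gap otherwise. The access ACL is what protects the directory itself, while the default ACL only shapes what files and subdirectories created inside it later receive; setting only one of the two is the usual mistake, which is why verify checks both.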
...