a few different approaches:
 * create a group called, say, "webusers" and put all
   user accounts into that group including webmister.
   set the permissions on all content you want webmister
   to access so that the group write bit is on.
   doing this will allow webmister to access all of the
   accounts, with the downside being that, well, anyone
   can access anyone else's account.  probably not a good
   plan, but it's simple.
 * create a group for each user (like, for user "joe",
   make a group called "joegroup").  the only members of
   each group are the user themself and webmister.
   set the permissions such that each item you want webmister
   to access has the group write bit set.  the downside
   to this is that it's a maintenance headache if you've
   got a lot of users to create groups for.
 * if webmister only needs to do a few simple things in each
   user's directories, you could grant sudo access to those
   commands (if you're able to install sudo), say for vi
   to edit files, or cp to copy files.  this is a difficult
   scenario because you're basically running those commands
   as root.  if you were only having to copy files on a regular
   basis (say, as a propagation mechanism) you could write
   a script to do the work and have the script run with
   SGID privileges.  if you go this route, use Perl and
   enable taint perl.  unless you're a pretty rigorous programmer,
   though, i'd advise against going this route altogether.


some general points:
 * unless you have a specific reason to do so, don't make
   things world writable.
 * the webserver user (usually "nobody") should only have
   write access to the filesystem where you want it to (log
   files, data files, etc.).  you should isolate out these
   locations (place all logfiles in a directory called, ummm,
   logs, and set permissions appropriately).
 * if you want to allow the webserver to list the contents
   of a directory then it needs to be readable by the webserver
   user.  (i.e. chmodding directories to 711 will disable the
   server listing directories). unless there's stuff you really
   don't want people to see in various directories, setting
   directories to 711 is pretty impractical and doesn't really
   buy you anything.
 * if you take the read bit off for world on files, you're going
   to get a 403 error when trying to read them (the webserver
   doesn't have "read" access).
 * the problem you're facing is identical to the problem that
   sendmail (or, any MTA) has:  it needs write access to everyone's
   mail spool file (/var/spool/mail/<username> on many systems) to
   append to email, but no one can be allowed to read anyone else's mail.
   sendmail gets around this problem in the manner of #3 above
   (i.e. it switches to the user who owns the mail spool file when it
   writes to that file).


you've basically stumbled onto one of the weak areas of unix
security, and one which people usually throw up their hands
about and chmod everything to 777.  hang in there :)

 HTH
--e--
On Wed, May 10, 2000 at 04:06:33PM -0500, David Knaack wrote:
> Greetings,
> 
> I am trying to get my RH6.1 box set up to make maintaining the
> web sites hosted on it easy to do.  Web files live in a user
> directory in /home/<username>/html.  I also have a user called
> webmister, and in his home directory, I have symlinks to all the
> sites that are hosted off the box.  The virtual website path is
> then /home/webmister/<sitename>.
> 
> I want to set up the file permissions so that <username> has
> full rights to their html directory, so they can maintain their
> files, and I also want user webmister to have full rights to
> change files in /home/webmister/<sitename>, so that he can
> maintain files on behalf of the user.
> 
> Naturally the web server has to be able to get to everything too.
> 
> Preferably /home/<username> should not be world-readable, which
> it is now.  If I 'chmod 700' on that directory, the webserver
> can no longer get to the files, even though I have it looking
> at them as /home/webmister/<sitename>.
> 
> All files in /home/<username> should be owner.group to <username>.
> I was hoping that I could put the webmister user into each of the
> <username> groups, and then it would be able to change files in
> the symlinked directory (since the <username> group will have
> full permissions to them).
> 
> I'm pretty sure I just don't understand how file permissions
> work, but I've been trying to make this work for a while, and
> I'm not having much luck.  Probably the most baffling part is
> Apache not being able to see the files when I change the permissions
> on /home/<username>, when it's not accessing the files through
> that path.
> 
> Thanks,
> DK
> --
> "When you pay off the first baseman every month, who gets the money?"
> "Every dollar of it."                  --Who's on First?
> 
> 
