Home / server / Questions / 1073395
In Process
mahen3d
Asked: 2021-08-04 02:50:49 +0800 CST

Centos - Deploy Web Application - What is the best way using non-apache User Account with SFTP/WinSCP

  • 772

I have a simple question, however, I am struggling to understand how to do this in a secure manner,

I have a PHP-based web application that runs on Linux (Centos7), I have "user" access with Sudo privilege on the Linux server.

The web server (Apache) runs as an "apache" user with an "apache" group,

The problem is when I try to deploy applications using WinSCP, I get permission denied errors, the ONLY way I can solve this problem is to do a

usermod -g apache myusername
chmod 775 /var/www/html

I don't want to give 775 to the entire web folder, I think it's a big security issue, What is the most secure way to archive this type of task?

How can I deploy my app using Winscp with my user account but AS apache user? or any other suggestions on common industry practice that is considered safe?

centos sftp apache2

1 Answers

  1. There are multiple recommended ways to solve this issue.

    1. Add write access on /var/www/html to the user who logins through WinSCP/SFTP. This can be done in multiple ways.
      • Changing the group to the running user (and grant write access) 
        sudo chgrp <user> /var/www/html
sudo chmod g+w -R /var/www/html
        Note: This works because there is always a unix group created for users.
      • Creating a new unix group containing both apache and the user (and grant write access) 
        sudo groupadd <groupname>
sudo chgrp <groupname> /var/www/html
sudo chmod g+w -R /var/www/html
    2. Run the apache service as the user login in through WinSCP/SFTP. (link)
    3. Move apache document root from /var/www/html (Simply by creating a symlink from /var/www/html to a directory owned by deployment user or by updating the apache configuration)
    • 1