I recently bought a VPS and learned a lot from it. I managed to create an ftp user, set it as the owner of my site's document root, add it to the www-user group, set the group as the group of the document root and give files 0775 (0664) permissions.
My question is, if www-data can access and modify the files in the document root, won't the scripts from other sites also be able to modify those files (which are now protected from the public using .htaccess)?
NOTE: I want www-data to have write access since PHP scripts should be able to modify the files.
How to solve this issue?
To solve this issue, you have to run each site instance with its own credential, rather than using www-data.
If using apache, you can use apache-mpm-itk and its AssignUserID parameter to assign a specific user/group to each different site/virtualhost. With this method, apache, php, cgi, etc. will all be run with the assigned credentials.
Another, php-specific approach is suPHP, which basically runs your php scripts using specific user/group credentials.

I think it's best not to let the Apache user or group write in all your document root. Whether you use apache-mpm-itk/suPHP/mpm-peruser or not, maybe you should detect which files and directories Apache really needs to write (per site), and give group write permissions only to those files/directories.
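
The narrowing of group write access suggested in the last answer, as an added example that is not part of the original answers: it removes group and other write from a whole document root, restores group write only on the relative paths you list, and reports what is still group-writable. The function names and the paths in the usage comment are hypothetical.

```shell
# Added example, not from the original answers. All paths are hypothetical.
# Usage: restrict_group_write /var/www/site1 uploads cache
#        list_group_writable /var/www/site1

# Print every non-symlink entry under DOCROOT that is group-writable.
list_group_writable() {
    find "$1" ! -type l -perm -020 -print | LC_ALL=C sort
}

# restrict_group_write DOCROOT REL_PATH...
# Leaves group write only on the listed paths (and everything below them).
restrict_group_write() {
    docroot=$1
    shift
    if [ ! -d "$docroot" ]; then
        echo "not a directory: $docroot" >&2
        return 1
    fi
    # Validate every requested path before changing anything.
    for rel in "$@"; do
        case $rel in
            ''|/*|*..*)
                # Empty, absolute, or containing "..": could leave the docroot.
                echo "refusing path: '$rel'" >&2
                return 1 ;;
        esac
        if [ -L "$docroot/$rel" ] || [ ! -e "$docroot/$rel" ]; then
            echo "missing or symlink: $docroot/$rel" >&2
            return 1
        fi
    done
    # Drop group and other write everywhere (symlinks are skipped).
    find "$docroot" ! -type l -exec chmod g-w,o-w {} +
    # Restore group write only where the site needs it.
    for rel in "$@"; do
        find "$docroot/$rel" ! -type l -exec chmod g+w {} +
    done
    return 0
}
```

Run list_group_writable before and after the change to see exactly which files the web server's group can still modify.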