I wasn't sure if this question belongs here or on SO. I can move it there if needed.
In any decent Apache configuration, Apache will run as its own ID; `www-data` for example. And this ID will not have permissions to list and CRUD files as other OS accounts. This is by security design.
I want to be able to, somehow, have Apache list or CRUD files as another OS account. For example, listing files in the account's home directory or creating a new text file in the account's home directory.
I know one solution is to use file/folder group permissions but I can't do that because I cannot muck with file/folder ownership or permissions.
I looked into suEXEC, suPHP, and php-fpm but none of them will work because they will run scripts as the owner of the script. In my case I am running commands like `cp` or `mv` as an arbitrary number of OS accounts. The only way I could use these tools is to have a script for each OS account. Or have a script owned by `root`, but that doesn't sound secure.
So then I got to thinking about `sudo`. I could give `www-data` `sudo` privileges as the OS accounts.

Example of an entry in the `sudoers` file:

    www-data ALL = (osAccount1) NOPASSWD: /bin/ls, /bin/mv
    www-data ALL = (osAccount2) NOPASSWD: /bin/ls, /bin/mv
But this just stinks of risk. I cannot pinpoint how or why -- it just feels ugly.
Is there any way to do what I want?
The traditional User-Group-Other file permissions (`chmod`, `chown`, `chgrp`) make that difficult, but you can use Access Control Lists to set much more granular permissions in addition to those. The method varies a bit per filesystem and version, but think (re)mounting the filesystem with acl support and using `setfacl` or `setrichacl` to set additional ACLs on top of the existing UGO permissions that will grant your webserver the desired access.

https://en.wikipedia.org/wiki/Access_control_list
https://www.systutorials.com/docs/linux/man/7-richacl/
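The POSIX ACL route the answer describes, as an added example that is not part of the original answer: it grants `www-data` traverse-and-list rights on one account's home directory, read/write rights on a single subdirectory, and a default ACL so files created there inherit the grant, then checks `getfacl` output for entries the mask has silently narrowed. The account name `osAccount1`, the `public_html` subdirectory and the path layout are assumptions; the `getfacl` sample near the end is constructed to show what a narrowed entry looks like.

```shell
#!/bin/sh
# Added example (not from the original answer): give the web server user
# access to one account's files with POSIX ACLs instead of sudo or chown,
# then verify that the ACL mask has not cut the granted rights down.
set -eu

# Build one ACL entry such as "u:www-data:rx" (user:name:perms).
acl_entry() {
    printf 'u:%s:%s' "$1" "$2"
}

# Grant a web user rx on the home directory (needed to traverse and list),
# rwx on one subdirectory, and a default ACL on that subdirectory so newly
# created files inherit the same entry. Run as root or the owner.
grant_web_access() {
    home_dir=$1
    sub_dir=$2
    web_user=$3
    setfacl -m "$(acl_entry "$web_user" rx)" "$home_dir"
    setfacl -m "$(acl_entry "$web_user" rwx)" "$home_dir/$sub_dir"
    setfacl -d -m "$(acl_entry "$web_user" rwx)" "$home_dir/$sub_dir"
}

# Read getfacl output on stdin and print named entries whose effective
# rights differ from what was granted. getfacl marks these with
# "#effective:"; a later chmod on the group bits rewrites the mask and can
# revoke what setfacl granted without any error.
narrowed_entries() {
    grep -E '^(user|group):[^:]+:[rwx-]+[[:space:]]+#effective:' |
        awk '{ print $1 }'
}

# Constructed sample of getfacl output after "chmod g-w" narrowed the mask;
# the www-data entry still says rwx but only r-x is in effect.
SAMPLE_GETFACL='# file: home/osAccount1/public_html
# owner: osAccount1
# group: osAccount1
user::rwx
user:www-data:rwx               #effective:r-x
group::r-x
mask::r-x
other::---'

# Usage: sh acl_grant.sh /home/osAccount1 public_html www-data
# With no arguments the script only demonstrates the mask check on the sample.
if [ "$#" -eq 3 ] && command -v setfacl >/dev/null 2>&1; then
    grant_web_access "$1" "$2" "$3"
    getfacl "$1/$2" | narrowed_entries
else
    printf '%s\n' "$SAMPLE_GETFACL" | narrowed_entries
fi
```

The check matters because `chmod` on a file with an extended ACL changes the mask entry, not the group entry, so an administrator tidying permissions with `chmod 750` quietly strips write access from every named ACL user. Re-running `setfacl -m m::rwx` restores the mask, and `getfacl` without any `#effective:` lines is the state to look for.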