Permissions – How to Assign Correct Permissions to Both Webserver and SVN

One way would be this:

• Have a group for each site, have the persons in that group use umask 0002 so the files they create are read/write for the group and readable for others by default.
• chmod a-rwx the root directory of each site, to prevent access by people outside the allowed group.
• Enable ACLs for your file system, and setfacl -m user:apache:rx that directory to grant read access to the apache user, in addition to the other permissions.

As to the files created by the apache process:

• Reading files created by the apache user should be possible for the relevant group, as long as they are created world-readable.
• Deleting files is possible as long as they reside in a group-writable directory.
• If that is not enough, you could allow your users to sudo to the apache user. Perhaps only to execute specific commands, e.g. add group write permissions using ACLs.

But as you stated, all of the read restrictions can be circumvented if users can run arbitrary scripts as the apache user. To counter that, you could try to have the scripts of one site executed as a specific user in the corresponding group. I believe there is a way to set this up using mod_fcgid. Otherwise apache[suexec] and php[cgi] might work for you.

To get even better isolation, you'd have to have multiple apache processes, running as different users, and perhaps even chrooted to different directories. Or in different OpenVZ units, or different Xen domUs, or on different hardware. As you can see, there are a lot of different isolation levels, each providing better isolation than the one before, at the cost of mre resource demands.

It sounds like you're describing the setgid bit functionality where when a directory that has it set, will force any new files created within it to have their group set to the same group that's set on the parent directory.

Example

$ whoami
saml

$ groups
saml wheel wireshark

setup a directory with perms + ownerships

$ sudo mkdir --mode=u+rwx,g+rs,g-w,o-rwx somedir
$ sudo chown saml.apache somedir
$ ll -d somedir/
drwxr-s---. 2 saml apache 4096 Feb 17 20:10 somedir/

touch a file as saml in this dir

$ whoami
saml

$ touch somedir/afile
$ ll somedir/afile 
-rw-rw-r--. 1 saml apache 0 Feb 17 20:11 somedir/afile

This will give you approximately what it sounds like you want. If you truly want exactly what you've described though, I think you'll need to resort to Access Control Lists functionality to get that (ACLs).

ACLs

If you want to get a bit more control over the permissions on the files that get created under the directory, somedir, you can add the following ACL rule to set the default permissions like so.

before

$ ll -d somedir
drwxr-s---. 2 saml apache 4096 Feb 17 20:46 somedir

set permissions

$ sudo setfacl -Rdm g:apache:rx somedir
$ ll -d somedir/
drwxr-s---+ 2 saml apache 4096 Feb 17 20:46 somedir/

Notice the + at the end, that means this directory has ACLs applied to it.

$ getfacl somedir
# file: somedir
# owner: saml
# group: apache
# flags: -s-
user::rwx
group::r-x
other::---
default:user::rwx
default:group::r-x
default:group:apache:r-x
default:mask::r-x
default:other::---

after

$ touch somedir/afile
$ ll somedir/afile 
-rw-r-----+ 1 saml apache 0 Feb 17 21:27 somedir/afile
$ 

$ getfacl somedir/afile
# file: somedir/afile
# owner: saml
# group: apache
user::rw-
group::r-x              #effective:r--
group:apache:r-x        #effective:r--
mask::r--
other::---

Notice with the default permissions (setfacl -Rdm) set so that the permissions are (r-x) by default (g:apache:rx). This forces any new files to only have their r bit enabled.