One way would be this:
- Have a group for each site, have the persons in that group use
umask 0002
so the files they create are read/write for the group and readable for others by default.
chmod a-rwx
the root directory of each site, to prevent access by people outside the allowed group.
- Enable ACLs for your file system, and
setfacl -m user:apache:rx
that directory to grant read access to the apache
user, in addition to the other permissions.
As to the files created by the apache process:
- Reading files created by the apache user should be possible for the relevant group, as long as they are created world-readable.
- Deleting files is possible as long as they reside in a group-writable directory.
- If that is not enough, you could allow your users to
sudo
to the apache user. Perhaps only to execute specific commands, e.g. add group write permissions using ACLs.
But as you stated, all of the read restrictions can be circumvented if users can run arbitrary scripts as the apache user. To counter that, you could try to have the scripts of one site executed as a specific user in the corresponding group. I believe there is a way to set this up using mod_fcgid
. Otherwise apache[suexec]
and php[cgi]
might work for you.
To get even better isolation, you'd have to have multiple apache processes, running as different users, and perhaps even chrooted to different directories. Or in different OpenVZ units, or different Xen domUs, or on different hardware. As you can see, there are a lot of different isolation levels, each providing better isolation than the one before, at the cost of mre resource demands.
It sounds like you're describing the setgid bit functionality where when a directory that has it set, will force any new files created within it to have their group set to the same group that's set on the parent directory.
Example
$ whoami
saml
$ groups
saml wheel wireshark
setup a directory with perms + ownerships
$ sudo mkdir --mode=u+rwx,g+rs,g-w,o-rwx somedir
$ sudo chown saml.apache somedir
$ ll -d somedir/
drwxr-s---. 2 saml apache 4096 Feb 17 20:10 somedir/
touch a file as saml in this dir
$ whoami
saml
$ touch somedir/afile
$ ll somedir/afile
-rw-rw-r--. 1 saml apache 0 Feb 17 20:11 somedir/afile
This will give you approximately what it sounds like you want. If you truly want exactly what you've described though, I think you'll need to resort to Access Control Lists functionality to get that (ACLs).
If you want to get a bit more control over the permissions on the files that get created under the directory, somedir
, you can add the following ACL rule to set the default permissions like so.
before
$ ll -d somedir
drwxr-s---. 2 saml apache 4096 Feb 17 20:46 somedir
set permissions
$ sudo setfacl -Rdm g:apache:rx somedir
$ ll -d somedir/
drwxr-s---+ 2 saml apache 4096 Feb 17 20:46 somedir/
Notice the +
at the end, that means this directory has ACLs applied to it.
$ getfacl somedir
# file: somedir
# owner: saml
# group: apache
# flags: -s-
user::rwx
group::r-x
other::---
default:user::rwx
default:group::r-x
default:group:apache:r-x
default:mask::r-x
default:other::---
after
$ touch somedir/afile
$ ll somedir/afile
-rw-r-----+ 1 saml apache 0 Feb 17 21:27 somedir/afile
$
$ getfacl somedir/afile
# file: somedir/afile
# owner: saml
# group: apache
user::rw-
group::r-x #effective:r--
group:apache:r-x #effective:r--
mask::r--
other::---
Notice with the default permissions (setfacl -Rdm
) set so that the permissions are (r-x
) by default (g:apache:rx
). This forces any new files to only have their r
bit enabled.
Best Answer
The easiest way to manage this is with access control lists. They allow permissions to be set for as many users and groups as you want, not just one user and one group like the basic unix permissions.
ACLs need to be enabled on the filesystem. With ext[234] or reiserfs, you need to pass the
acl
mount option. Also make sure you have the ACL utilities installed (acl
package on Debian or Ubuntu).Set an ACL that allows both users to access the files, and set a matching default ACL on directories (the default ACL is inherited by files created in the directory).
You can set different permissions if you like. The executable bit will be ignored if the file is not made executable through the non-ACL permissions (the ones you set with
chmod
).The commands given are for Linux. Many other unix variants support ACLs, but the exact set of available permissions and the utility to set them are not standardized.
You can use groups to control access if you want. Even if you do, ACL have the advantage that you won't run into a umask issue: if you just create a group, you have to ensure that all files and directories are group-writable, which means you have to make sure any process creating a file has a umask of 002 or 007, which in turn may cause permissions elsewhere to be more liberal. So even if you create a group, ACLs are useful.
Note that I make no warranty as to the suitability of this security model to your use case. I'm just providing an implementation.