Hi all,

I'm trying to work out the optimal ownership and permissions for web
hosting, where the site owner (or their developers etc) need access to
install code, themes etc, and read logs.

I also generally prefer sites not to be able to write their own code - I
know the likes of WordPress don't normally like running in such an
environment, but I understand that can be worked around.

My thoughts are to have a dedicated user to run the site (what apache or
nginx runs as, for example), and another one that owns the code, and a
group that allows the web server to read the code/data. Which user
should own transient data, logs etc - I guess that has to be the web server.

But then I also prefer not to have shared credentials, so if the site
owner has more than one person working on the site, each should sftp as
themselves. Can I set it such that the users can chown the files to the
'owner' user? When they only have SFTP access?

Or perhaps I should use bindfs or similar trickery to present ownership
as theirs, while it's really owned by the 'owner' user?

Currently, web sites live under /srv/, and the various useful parts are
bind mounted under each relevant login user's home dir.

My most common platform is WordPress, but I expect the concepts to work
for all or at least most.

Any tips? Best practice?

Cheers,
Richard

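Added example (not part of Richard's message): a Python audit for the layout described above, listing every path under a site root that the web server account could modify, judged only by the classic owner/group/other mode bits. The function names, the sample tree and the uid/gid values are constructed for illustration; ACLs and bindfs ownership remapping are not considered.

```python
import os
import stat
import tempfile

def writable_by(st, uid, gids):
    """Classic Unix check: owner bits if owner, else group bits, else other bits."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_site(root, web_uid, web_gids, writable_ok=()):
    """Return relative paths under root that the web server account could modify.
    Subtrees named in writable_ok (transient data, logs) are skipped."""
    root = os.path.normpath(root)
    skip = {os.path.normpath(os.path.join(root, p)) for p in writable_ok}
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in skip]
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not enforced
            if writable_by(st, web_uid, web_gids):
                findings.append(os.path.relpath(path, root))
    return sorted(findings)

def build_demo(root):
    """Constructed sample tree: code is 0640 in 0750 dirs, uploads is
    group-writable, and one plugin file was left group-writable by mistake."""
    layout = {"index.php": 0o640, "wp-content/plugins/x.php": 0o660,
              "wp-content/uploads/a.jpg": 0o660}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.chmod(path, mode)
    for dirpath, _, _ in os.walk(root):
        os.chmod(dirpath, 0o750)
    os.chmod(os.path.join(root, "wp-content/uploads"), 0o770)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:
        build_demo(demo)
        st = os.stat(demo)
        # Assumption: the web server is a different uid that shares the tree's group.
        print(audit_site(demo, st.st_uid + 1, {st.st_gid}, ["wp-content/uploads"]))
```

Run against a real site, pass the web server's numeric uid and all of its group ids; an empty result means the running site cannot rewrite anything outside the subtrees you allowed.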