Problem:
I have created a user and a group named the same (lighttpd:lighttpd)
Now I have to start the lighty server with this user:group… ok
Now, I have added a website (vhost) to run with lighty, it works well, but I have a question about permissions. For the vhost I’ve created another user and then I added it to the lighttpd group.
mywebsite:lighttpd
Now, if I create other vhosts I will create new users, but if they have the same group each domain can view the files inside the other vhosts, so what can I do to block this?
Because if I change the permission on each vhost to allow only the owner (600) to see the files… I think I will have a problem with lighttpd (it can’t read the page).
If I use 640, the other vhost owners can also view all the files because they have the same group.
Could you tell me the best manner to set permissions?
Solution:
This seems to work:
- create separate user/group for each of your sites, e.g. site1:site1
- chown each site to this very user and group
- set directory permissions to rwxr-x---, and rw-r----- for files
- run lighttpd under e.g. www-data:www-data user/group
- add your site groups as www-data user’s supplementary groups
The last step allows the www-data user (and thus the lighttpd process) to access files belonging to your sites. On the other hand, a user such as site1 can’t access other sites – that’s what you want, right?
Keep in mind that users can still access files belonging to other sites using e.g. PHP scripts: as lighttpd can access any of the vhost files, so can a FastCGI PHP script spawned by lighttpd.
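As an added illustration (not code from the original question or answer), the script below models the POSIX read check (owner bits if the uid matches, otherwise group bits if the file's group is in the caller's group set, otherwise other bits) and applies it to two hypothetical vhosts, site1 and site2 under /var/www. It compares the shared-group layout from the question with the per-site-group layout from the answer, and also returns the answer's steps as shell commands for one site. The paths, user names and the choice of www-data as the lighttpd user are assumptions for the example; root's bypass and ACLs are deliberately not modelled.

```python
"""Constructed model of the two permission layouts discussed above.

can_read() is a minimal POSIX discretionary access check (no root bypass,
no ACLs).  The vhost names, paths and users are hypothetical.
"""
from dataclasses import dataclass, field

R, W, X = 4, 2, 1


@dataclass(frozen=True)
class File:
    path: str
    owner: str   # owner user name (names are used instead of numeric ids)
    group: str   # owning group name
    mode: int    # permission bits, e.g. 0o640


@dataclass
class Process:
    user: str
    primary_group: str
    supplementary: frozenset = field(default_factory=frozenset)

    @property
    def groups(self):
        return {self.primary_group, *self.supplementary}


def can_read(proc: Process, f: File) -> bool:
    """Exactly one permission triplet applies: owner, else group, else other."""
    if proc.user == f.owner:
        bits = (f.mode >> 6) & 7
    elif f.group in proc.groups:
        bits = (f.mode >> 3) & 7
    else:
        bits = f.mode & 7
    return bool(bits & R)


def shared_group_layout():
    """Layout from the question: each site user is in group lighttpd, files 640."""
    files = {
        "site1": File("/var/www/site1/index.php", "site1", "lighttpd", 0o640),
        "site2": File("/var/www/site2/index.php", "site2", "lighttpd", 0o640),
    }
    procs = {
        "lighttpd": Process("lighttpd", "lighttpd"),
        "site1": Process("site1", "site1", frozenset({"lighttpd"})),
        "site2": Process("site2", "site2", frozenset({"lighttpd"})),
    }
    return files, procs


def per_site_group_layout():
    """Layout from the answer: one group per site, files 640, and the web
    server user (assumed www-data) holds every site group as a supplementary group."""
    files = {
        "site1": File("/var/www/site1/index.php", "site1", "site1", 0o640),
        "site2": File("/var/www/site2/index.php", "site2", "site2", 0o640),
    }
    procs = {
        "www-data": Process("www-data", "www-data", frozenset({"site1", "site2"})),
        "site1": Process("site1", "site1"),
        "site2": Process("site2", "site2"),
    }
    return files, procs


def readable_matrix(files, procs):
    """Who can read which site's files: {process: {site: bool}}."""
    return {p: {s: can_read(proc, f) for s, f in files.items()}
            for p, proc in procs.items()}


def setup_commands(site: str, webuser: str = "www-data", root: str = "/var/www"):
    """The answer's steps as shell commands for one site (hypothetical paths).
    'u=rwX,g=rX,o=' gives rwxr-x--- on directories and rw-r----- on files."""
    return [
        f"groupadd {site}",
        f"useradd -g {site} -d {root}/{site} -s /usr/sbin/nologin {site}",
        f"chown -R {site}:{site} {root}/{site}",
        f"chmod -R u=rwX,g=rX,o= {root}/{site}",
        f"usermod -aG {site} {webuser}",
    ]


if __name__ == "__main__":
    for name, layout in (("shared group", shared_group_layout),
                         ("per-site group", per_site_group_layout)):
        print(name, readable_matrix(*layout()))
    print("\n".join(setup_commands("site1")))
```

In the shared-group layout the site1 row shows site2's files as readable, which is the leak the question describes; in the per-site layout only the www-data row can read both sites. That www-data row is also the caveat from the answer: anything lighttpd spawns as www-data, such as a FastCGI PHP process, has the same reach, so code in site1 can still read site2 unless PHP is run as a different user per site.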