Information about linux permissions

Problem :

I have created a user and a group named the same (lighttpd:lighttpd)

Now I have to start the lighty server with this user:group… ok

Now, I have added a website (vhost) to run with lighty. It works well, but I have a question about permissions. For the vhost I’ve created another user and then added it to the lighttpd group.

mywebsite:lighttpd

Now, if I create other vhosts I will create new users, but if they have the same group each domain can view the files inside the other vhosts, so what can I do to block this?

Because if I change the permission on each vhost to allow only the owner (600) to see the files… I think I will have a problem with lighttpd (it can’t read the page).

If I use 640, the other vhost owners can also view all the files because they have the same group.

Could you tell me the best manner to set permissions?

Solution :

This seems to work:

  • create separate user/group for each of your sites, e.g. site1:site1
  • chown each site to this very user and group
  • set directory permissions to rwxr-x--- (750), and rw-r----- (640) for files
  • run lighttpd under e.g. www-data:www-data user/group
  • add your site groups as www-data user’s supplementary groups

The last step allows the www-data user (and thus the lighttpd process) to access files belonging to your sites. On the other hand, user site1, for example, can’t access other sites – that’s what you want, right?

Keep in mind that users can still access files belonging to other sites using e.g. PHP scripts – as lighttpd can access any of the vhost files, so can a FastCGI PHP script spawned by lighttpd.
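As an added example (not part of the original answer), a POSIX shell script that carries out the five steps above for one site and audits a site tree for modes that break the scheme. It assumes Debian-style useradd/usermod, a web-server user called www-data and /usr/sbin/nologin as the no-login shell; provision_site needs root, audit_site does not.

```shell
#!/bin/sh
# Added example: provisioning and audit helpers for the per-site
# user/group scheme. Assumptions: Debian-style useradd/usermod, web
# server runs as www-data, /usr/sbin/nologin exists.
set -eu

WEB_USER="${WEB_USER:-www-data}"

# provision_site NAME DIR: create NAME:NAME, hand DIR to it, set 750 on
# directories and 640 on files, then add NAME as a supplementary group
# of the web server user. Must run as root.
provision_site() {
    name="$1"; dir="$2"
    groupadd "$name"
    # system account without a login shell: it only owns files
    useradd --system --no-create-home --shell /usr/sbin/nologin \
        -g "$name" "$name"
    mkdir -p "$dir"
    chown -R "$name:$name" "$dir"
    find "$dir" -type d -exec chmod 750 {} +
    find "$dir" -type f -exec chmod 640 {} +
    # -a appends, so groups of previously provisioned sites are kept
    usermod -a -G "$name" "$WEB_USER"
}

# audit_site DIR: list every entry under DIR whose mode is not exactly
# 750 (directories) or 640 (files), i.e. anything world-accessible,
# group-writable, or unreadable by the server's group.
# Returns 0 when the tree is clean, 1 when offenders were printed.
audit_site() {
    dir="$1"
    bad=$(find "$dir" \( -type d ! -perm 750 \) -o \( -type f ! -perm 640 \))
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}
```

Run audit_site over each vhost root after deployments; a 644 file is the usual way the isolation silently erodes.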
