Newbie Virtual host questions

#1 (**permalink**) 01-20-2008

I have a server with shell and WebMin access.

I understand the directives in the virtual host section. What I don't
understand is how to set up ownership of the directories, I'll be
running perl scripts from a cgi-bin

/var/www/vhosts/some_domain/cgi-bin/ cgi-bin
/var/www/vhosts/some_domain/httpdocs/ web root

If someone could either give me step by step instructions (or point me
at a resource) of how to create the user and set up ownerships and
permissions I'd be very grateful. I'd like scripts to run from the
cgi-bin to have read/write access to the cgi-bin and webroot, but not
below (toward the root).

I've done a great deal of reading but I just get a snippet here and
there of how to do this, and when I put all that discombobulated
knowledge into action it's a mess!

I didn't see a more suited group, point me at one if you can't help here.

Jeff

#2 (**permalink**) 01-21-2008

"Jeff" <jeff@spam_me_not.com> wrote in message
news:13p6u38b2g5ip6f@corp.supernews.com...
> I have a server with shell and WebMin access.
>
> I understand the directives in the virtual host section. What I don't
> understand is how to set up ownership of the directories, I'll be
> running perl scripts from a cgi-bin
>
> /var/www/vhosts/some_domain/cgi-bin/ cgi-bin
> /var/www/vhosts/some_domain/httpdocs/ web root
>
> If someone could either give me step by step instructions (or point me
> at a resource) of how to create the user and set up ownerships and
> permissions I'd be very grateful. I'd like scripts to run from the
> cgi-bin to have read/write access to the cgi-bin and webroot, but not
> below (toward the root).
>
> I've done a great deal of reading but I just get a snippet here and
> there of how to do this, and when I put all that discombobulated
> knowledge into action it's a mess!
>
> I didn't see a more suited group, point me at one if you can't help
here.

Assuming unix-type OS:
Ownership: The person controlling the resources should be the owner.
Typically, they get RW or RWX access.
Group: I usually set web page directories to the group that apache runs as.
Access is typically R or RX.
Others: If apache is using group access, I set access by others to none.
Otherwise, set this as R or RX.

#3 (**permalink**) 01-21-2008

D. Stussy wrote:
> "Jeff" <jeff@spam_me_not.com> wrote in message
> news:13p6u38b2g5ip6f@corp.supernews.com...
>> I have a server with shell and WebMin access.
>>
>> I understand the directives in the virtual host section. What I don't
>> understand is how to set up ownership of the directories, I'll be
>> running perl scripts from a cgi-bin
>>
>> /var/www/vhosts/some_domain/cgi-bin/ cgi-bin
>> /var/www/vhosts/some_domain/httpdocs/ web root
>>
>> If someone could either give me step by step instructions (or point me
>> at a resource) of how to create the user and set up ownerships and
>> permissions I'd be very grateful. I'd like scripts to run from the
>> cgi-bin to have read/write access to the cgi-bin and webroot, but not
>> below (toward the root).
>>
>> I've done a great deal of reading but I just get a snippet here and
>> there of how to do this, and when I put all that discombobulated
>> knowledge into action it's a mess!
>>
>> I didn't see a more suited group, point me at one if you can't help
> here.
>
> Assuming unix-type OS:

Yes.

> Ownership: The person controlling the resources should be the owner.
> Typically, they get RW or RWX access.
> Group: I usually set web page directories to the group that apache runs as.
> Access is typically R or RX.
> Others: If apache is using group access, I set access by others to none.
> Otherwise, set this as R or RX.

Here is what I've done. I've created a user and a group:
my_domain_owner and I've done this:

chown my_domain_owner.my_domain_owner /var/www/hosts/my_domain

Then I've made apache a member of the my_domain_owner group, that seemed
to fix the script write permissions.

Is there a downside to doing it this way if I keep the cgi-bin at 755
and the document root at 644?
>
>

#4 (**permalink**) 01-21-2008

"Jeff" <jeff@spam_me_not.com> wrote in message
news:13p8l7s99rfcgf7@corp.supernews.com...
> D. Stussy wrote:
> > "Jeff" <jeff@spam_me_not.com> wrote in message
> > news:13p6u38b2g5ip6f@corp.supernews.com...
> >> I have a server with shell and WebMin access.
> >>
> >> I understand the directives in the virtual host section. What I
don't
> >> understand is how to set up ownership of the directories, I'll be
> >> running perl scripts from a cgi-bin
> >>
> >> /var/www/vhosts/some_domain/cgi-bin/ cgi-bin
> >> /var/www/vhosts/some_domain/httpdocs/ web root
> >>
> >> If someone could either give me step by step instructions (or point me
> >> at a resource) of how to create the user and set up ownerships and
> >> permissions I'd be very grateful. I'd like scripts to run from the
> >> cgi-bin to have read/write access to the cgi-bin and webroot, but not
> >> below (toward the root).
> >>
> >> I've done a great deal of reading but I just get a snippet here and
> >> there of how to do this, and when I put all that discombobulated
> >> knowledge into action it's a mess!
> >>
> >> I didn't see a more suited group, point me at one if you can't help
> > here.
> >
> > Assuming unix-type OS:
>
> Yes.
>
> > Ownership: The person controlling the resources should be the owner.
> > Typically, they get RW or RWX access.
> > Group: I usually set web page directories to the group that apache runs
as.
> > Access is typically R or RX.
> > Others: If apache is using group access, I set access by others to
none.
> > Otherwise, set this as R or RX.
>
> Here is what I've done. I've created a user and a group:
> my_domain_owner and I've done this:
>
> chown my_domain_owner.my_domain_owner /var/www/hosts/my_domain
>
> Then I've made apache a member of the my_domain_owner group, that seemed
> to fix the script write permissions.
>
> Is there a downside to doing it this way if I keep the cgi-bin at 755
> and the document root at 644?

Note that what you did is different than what I suggested:

CHOWN -R domain_owner.apache_group /var/www/....

With apache's group in use, "750" and "640" will protect the files from
OTHER USERS on your system.

#5 (**permalink**) 01-21-2008

D. Stussy wrote:
> "Jeff" <jeff@spam_me_not.com> wrote in message
> news:13p8l7s99rfcgf7@corp.supernews.com...
>> D. Stussy wrote:
>>> "Jeff" <jeff@spam_me_not.com> wrote in message
>>> news:13p6u38b2g5ip6f@corp.supernews.com...
>>>> I have a server with shell and WebMin access.
>>>>
>>>> I understand the directives in the virtual host section. What I
> don't
>>>> understand is how to set up ownership of the directories, I'll be
>>>> running perl scripts from a cgi-bin
>>>>
>>>> /var/www/vhosts/some_domain/cgi-bin/ cgi-bin
>>>> /var/www/vhosts/some_domain/httpdocs/ web root
>>>>
>>>> If someone could either give me step by step instructions (or point me
>>>> at a resource) of how to create the user and set up ownerships and
>>>> permissions I'd be very grateful. I'd like scripts to run from the
>>>> cgi-bin to have read/write access to the cgi-bin and webroot, but not
>>>> below (toward the root).
>>>>
>>>> I've done a great deal of reading but I just get a snippet here and
>>>> there of how to do this, and when I put all that discombobulated
>>>> knowledge into action it's a mess!
>>>>
>>>> I didn't see a more suited group, point me at one if you can't help
>>> here.
>>>
>>> Assuming unix-type OS:
>> Yes.
>>
>>> Ownership: The person controlling the resources should be the owner.
>>> Typically, they get RW or RWX access.
>>> Group: I usually set web page directories to the group that apache runs
> as.
>>> Access is typically R or RX.
>>> Others: If apache is using group access, I set access by others to
> none.
>>> Otherwise, set this as R or RX.
>> Here is what I've done. I've created a user and a group:
>> my_domain_owner and I've done this:
>>
>> chown my_domain_owner.my_domain_owner /var/www/hosts/my_domain
>>
>> Then I've made apache a member of the my_domain_owner group, that seemed
>> to fix the script write permissions.
>>
>> Is there a downside to doing it this way if I keep the cgi-bin at 755
>> and the document root at 644?
>
> Note that what you did is different than what I suggested:
>
> CHOWN -R domain_owner.apache_group /var/www/....

This is the first thing that's made sense to me!

If I FTP a file, I take it that file will be owned by the user. What
group will it belong to? Will it be Apache?

If I use a script to write a file, will that file then be in the
Apache group but owned by the domain owner?

I'm thinking that the way you suggest will get rid of all this making
users part of group nonsense to get the scripts to write.

I think I'll set up a new virtual domain and give it a whirl.

Jeff

>
> With apache's group in use, "750" and "640" will protect the files from
> OTHER USERS on your system.
>
>

#6 (**permalink**) 01-22-2008

"Jeff" <jeff@spam_me_not.com> wrote in message
news:13pab8u2r6mjhb5@corp.supernews.com...
> D. Stussy wrote:
> > "Jeff" <jeff@spam_me_not.com> wrote in message
> >> ....
> > Note that what you did is different than what I suggested:
> >
> > CHOWN -R domain_owner.apache_group /var/www/....
>
> This is the first thing that's made sense to me!
>
> If I FTP a file, I take it that file will be owned by the user. What
> group will it belong to? Will it be Apache?

Most likely, the user's group - unless the directory is set g+s (on systems
that support forcing the group ownership).

> If I use a script to write a file, will that file then be in the
> Apache group but owned by the domain owner?

That's how you will need to set it so that apache can run it (with g+x).

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode