Saturday, 15 August 2015

linux - On the web server who should 'own' the site files?




I've been working with sites and servers (LAMP) for years, set up for me either through shared hosting environments or by admins of varying degrees of competence.

The question I have is about best practice for setting up a production server.

For example, 99% of the time I've worked on a server with a generic username like 'siteproduction', logged in as that user, and made changes (push, pull, etc.) as that user.

But more and more I've worked with clients who insist on providing individual usernames, so I end up with a 'myname' login. Of course, this creates problems when trying to modify the actual site files. I end up getting the password of the owner of the site files and doing 'su' to that user.

TL;DR: What's the best practice for providing access to servers while facilitating changes to site files?

Best practices for file ownership beneath the server and document root have less to do with actual file ownership and more to do with file permissions. There you have 2 categories of file permissions: (1) pages served for display, which are world readable, and (2) the inter-workings of the site (css, js, mysql connect, etc.), which are not world readable but are readable by the web server group (whether www, http, or whatever it is on your distribution). As a general rule, you can think of world readable files as having octal permissions of 0644 (or 0664 if they need to be writable by the server itself), directories holding documents to serve for display being 0755, while files the server uses have permissions of 0640 or 0660.

As far as actual file ownership is concerned, there is no one magic user that should own the files. For best practices, ownership of the files should be 'consistent' and they should be owned by a regular user instead of root. Files that need to be written by the server need to have group ownership by the webserver GID. (Yes, you can create a new separate user to own the files, with no shell access, but on balance you gain little by doing it that way.)

Why is ownership of the web files not pivotal? The real file/directory access mechanism is the webserver config. For LAMP, that means the Apache httpd.conf (and includes) along with .htaccess files. Best practices require that directory access control be provided on a per-directory basis within the httpd.conf structure. (.htaccess files are fine, but their broad use is discouraged due to the inefficiencies involved in handling numerous nested .htaccess files.) In reality, not every directory needs a per-directory config, but if there are new or differing requirements for a web-server directory, a per-directory config is warranted.

Bottom line: if you set and stick to consistent file ownership and permissions for your site from the outset, admin distractions are reduced. Pick one user to own the site files and be consistent, provide write access to server files where required, and set sane per-directory access configurations, and you will be fine.

This isn't copied out of a book or howto; it comes from 15 years of self-adminning production servers in both business and personal environments. Get to know your httpd.conf setup (more than just "I can make it work") and you will find there are few setup issues you can't solve, or know how to solve, yourself.
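An added example, not part of the original answer: a POSIX shell audit that checks a document root against the scheme described above (0644/0664 or 0640/0660 files, 0755 directories, one consistent owner, web server group on group-writable files). The function names, the finding tags and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# audit_docroot ROOT OWNER_UID WEB_GID
# Prints one "TAG path" line for each entry that departs from the scheme.
audit_docroot() {
    root=$1 owner=$2 webgid=$3
    # Nothing under the document root should be writable by "other".
    find "$root" ! -type l -perm -0002 | sed 's/^/WORLD-WRITABLE /'
    # Files: 0644/0664 for served pages, 0640/0660 for server-only files.
    find "$root" -type f ! -perm 0644 ! -perm 0664 ! -perm 0640 ! -perm 0660 |
        sed 's/^/FILE-MODE /'
    # Directories holding served documents: 0755.
    find "$root" -type d ! -perm 0755 | sed 's/^/DIR-MODE /'
    # Consistent ownership: everything belongs to one regular user.
    find "$root" ! -user "$owner" | sed 's/^/OWNER /'
    # A group-writable file is only useful if its group is the web server's.
    find "$root" -type f -perm -0020 ! -group "$webgid" | sed 's/^/GROUP /'
}

# Constructed sample tree (names are hypothetical) for a trial run.
make_sample_tree() {
    d=$(mktemp -d) && mkdir "$d/inc" "$d/uploads" || return 1
    : > "$d/index.html"; : > "$d/inc/db.php"
    : > "$d/uploads/cache.dat"; : > "$d/debug.php"
    chmod 0755 "$d" "$d/inc"; chmod 0777 "$d/uploads"
    chmod 0644 "$d/index.html"; chmod 0640 "$d/inc/db.php"
    chmod 0664 "$d/uploads/cache.dat"; chmod 0666 "$d/debug.php"
    echo "$d"
}

# With three arguments, audit a real tree; otherwise only define the functions.
if [ $# -eq 3 ]; then
    audit_docroot "$@"
fi
```

An empty result means the tree matches the scheme; per-directory access rules in httpd.conf still need their own review.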
