On Wed, Oct 18, 2006 at 01:54:58PM +0200, Sébastien Prud'homme wrote:
> - The $HOME of each user is in 770 mode so that only the user has
> access or other users in the right initial group have access.
>
> Now my problem: Apache needs to have access to $HOME/public_html, so I
> need to put the "apache" user in each initial group of my users.

Let's break your problem into two parts:

a) Apache needs access to $HOME/public_html
b) I need to put the apache user in each initial group of my users

If you want a working webserver for your users, then (a) is definitely true.
However, (b) does not follow from (a) -- in fact, the setup you've got is
quite insecure -- what you're effectively doing is allowing anything that
runs as your webserver (such as PHP scripts, CGI scripts, and the server
itself) write access to all of your users' home directories. Not real
wonderful in the event of any sort of compromise (can we say "site
defacement", or "malware insertion"?).

The *real* solution to your problem is to make your users' home directories
0771, make their public_html directories (and everything below that) at
least 0755/0644, and keep apache right the way out of your users' groups.

The solution to the general problem is probably to have a separate exec
statement with your user creation that runs a command to add the common user
to the new user's group, predicated on the group not already being listed in
the output of "/usr/bin/id $common_user". I use a define to do something
fairly similar to this (it's actually to add the new user to a bunch of
auxiliary groups and other related things, but the principle's the same).
- Matt
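The permission layout Matt recommends (home 0771, public_html directories 0755, files 0644, web server user kept out of the user's group), written up as an added POSIX shell example; this is not code from Matt's message or from any Puppet manifest, and the `alice` home directory it operates on is constructed under a temporary directory so it touches no real account. The `user_in_group` helper is the shell form of the "is the group already listed in `id` output" condition he describes for an exec; here it is used only to verify that the web server user is not in the group.

```shell
#!/bin/sh
# Added example: applies and checks the layout recommended in the reply
# (HOME 0771, public_html dirs 0755, files 0644). Constructed paths only.
set -eu

# is_mode PATH OCTAL: succeed only if PATH has exactly that mode.
# "find -prune" tests the path itself without descending into it.
is_mode() {
    find "$1" -prune -perm "$2" | grep -q .
}

# harden_home HOMEDIR: the 0771 home lets the web server traverse into
# public_html (execute bit for "other") without reading the home listing
# or being added to the user's group; below public_html it needs only
# world-readable directories and files.
harden_home() {
    home="$1"
    chmod 0771 "$home"
    if [ -d "$home/public_html" ]; then
        find "$home/public_html" -type d -exec chmod 0755 {} +
        find "$home/public_html" -type f -exec chmod 0644 {} +
    fi
}

# check_home HOMEDIR: succeed if the home matches the recommended layout.
check_home() {
    home="$1"
    is_mode "$home" 0771 || return 1
    [ -d "$home/public_html" ] || return 0
    # any directory or file under public_html with a different mode fails
    if find "$home/public_html" -type d ! -perm 0755 | grep -q .; then
        return 1
    fi
    if find "$home/public_html" -type f ! -perm 0644 | grep -q .; then
        return 1
    fi
    return 0
}

# user_in_group USER GROUP: succeed if USER's group list (from id) names GROUP.
# This is the condition the reply suggests an exec be predicated on; for a
# web server account the desired answer is "no".
user_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# Stand-alone demonstration on a constructed home directory.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/alice/public_html/img"
    touch "$tmp/alice/public_html/index.html" "$tmp/alice/public_html/img/logo.png"
    # the insecure starting point: group-writable home, wide-open public_html
    chmod 0770 "$tmp/alice"
    chmod -R 0777 "$tmp/alice/public_html"
    if check_home "$tmp/alice"; then echo "unexpected: already compliant"; fi
    harden_home "$tmp/alice"
    check_home "$tmp/alice" && echo "alice: home 0771, public_html 0755/0644"
    webuser=${WEB_USER:-apache}   # assumed account name; override via WEB_USER
    if user_in_group "$webuser" "$(id -gn)"; then
        echo "$webuser is in group $(id -gn): remove it"
    else
        echo "$webuser is not in group $(id -gn): good"
    fi
    rm -rf "$tmp"
}

demo
```

Run it as an unprivileged user; it never calls `chown`, `usermod` or touches `/home`. On a real system the same two functions can be pointed at each user's home, and `user_in_group apache "$group"` doubles as a quick audit that the web server account has not crept into anyone's initial group.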