I remember struggling to get my head around Apache web server file permissions. It's a common issue, and I've seen forum posts this weekend with users struggling to get it right. That's what prompted this post.
To allow the Apache web server process (httpd) to access and serve files from virtual host directories, httpd requires at least read access. However, with content management systems, httpd might also require write access to virtual host directories.
On Linux, the Apache web server process is normally started as the root user. This allows the process to bind to ports 80 and 443. However, once the server has started up, it switches to the user and group specified in httpd.conf. In CentOS, these are set to:
User apache
Group apache
This all works well if the server is hosting only one website, or even multiple websites for the same user or client. However, in a shared hosting environment, where multiple customers need read and write access to their web directories in order to upload their websites, we need a configuration that gives the httpd process read/write access to all virtual host directories and also gives each individual client/user read/write access to their own web directory.
We can be daring and just give full write access to everyone with a chmod 777 command, but that would be foolish: every other account on the server could then read and modify each customer's files.
The smarter way is actually very simple and is achieved using Unix groups. For each customer who will be uploading files to their virtual host web directory, we create a Linux user. When the user account is created, a group with the same name as the user is also created. With the user account in place, we give full read, write and execute rights on the web directory to both the user and the group, and no rights to everyone else (chmod 770). We then add the apache user to the new user's group, which gives httpd full rights to the web directory.
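
The steps above as a shell sketch, added here as an example and not taken from the original post. The apache user is the CentOS default named earlier; the customer name and web directory passed in, the DRY_RUN switch and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: per-customer virtual host setup using a private group.

# run CMD...: execute the command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# provision_vhost USER DOCROOT  (needs root unless DRY_RUN=1)
provision_vhost() {
    user=$1
    docroot=$2
    # Refuse names that are empty or contain unexpected characters.
    case $user in
        ''|*[!a-z0-9_-]*) echo "bad user name" >&2; return 2 ;;
    esac
    run useradd -m -U "$user" &&          # user plus a group of the same name
    run mkdir -p "$docroot" &&
    run chown "$user:$user" "$docroot" &&
    run chmod 770 "$docroot" &&           # rwx for user and group, nothing for others
    run usermod -a -G "$user" apache      # httpd reaches the directory via the group
    # Restart httpd afterwards: a running process keeps its old group list.
}

# check_docroot DIR: succeed only if the mode is exactly 770.
# Uses GNU stat (-c), as shipped with CentOS.
check_docroot() {
    mode=$(stat -c '%a' "$1") || return 2
    [ "$mode" = "770" ]
}

# Example (hypothetical customer and path):
#   DRY_RUN=1 provision_vhost alice /var/www/vhosts/alice
```

Running with DRY_RUN=1 first prints the commands without changing the system; check_docroot can then be used to audit existing web directories for anything looser than 770.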