I’m using a shared private server, meaning we all have access to the root account for admin tasks. We host our websites in our respective home directories.
www-data can read/write in my ~user/www directory and I used a SGID bit on it to ensure files created by www-data belong to a group my user also belongs to.
It all works fine except some websites such as Nextcloud may write files (updates, user uploads,…) that are not group-readable/writable and then I end up with files in my home dir that I can’t act upon (backup to a local computer, copy/transfer to another server as user, overwrite as user during a manual .tar.gz update, whatever).
I can become root, but this breaks the initial point of splitting website hosting in our user directories.
I know that the recommended ownership is www-data (see quote below) but is there a recommended approach to what we’re trying to achieve?
Upon further reading, I have the feeling that this should be achieved at the webserver level, that is, rather than messing with file ownerships, ensure that each website (virtual host) is run under a different user, using the webserver configuration.
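
An added example, not part of the original post: a shell check that lists the entries under a setgid web root which the shared group still cannot use, because the SGID bit passes on the group but not the mode bits chosen by the writing process. The function names, the scratch tree and the group argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).

# audit_group_access DIR GROUP   (hypothetical helper)
# Prints every path under DIR that GROUP cannot fully work with:
#   files:       wrong group, or missing group read/write (mode bits 060)
#   directories: wrong group, or missing group rwx, or missing the setgid bit
audit_group_access() {
    dir=$1; grp=$2
    find "$dir" -type f \( ! -group "$grp" -o ! -perm -060 \) -print
    find "$dir" -type d \( ! -group "$grp" -o ! -perm -2070 \) -print
}

# make_sample_tree   (hypothetical helper)
# Builds a constructed scratch tree that mimics the situation in the post
# and prints its path. Nothing here touches a real web root.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    chmod 2770 "$root"                      # setgid web root, group rwx
    ( umask 007; : > "$root/index.php" )    # written group-friendly: mode 660
    ( umask 077                             # writer with a restrictive umask
      : > "$root/upload.bin"                # mode 600, group still inherited
      mkdir "$root/data" )                  # mode 2700, group still inherited
    printf '%s\n' "$root"
}

# Example run against the scratch tree (the group is read from the tree itself):
#   t=$(make_sample_tree)
#   audit_group_access "$t" "$(ls -ldn "$t" | awk '{print $4}')"
# Against a real tree, pass the web root and the shared group name instead.
```

The paths it prints are the ones a backup, copy or manual update run as the regular user would fail on.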