I’m using a shared private server, meaning we all have access to the root account for admin tasks. We hosts our websites in our respective home directories.
www-data can read/write in my ~user/www directory and I used a SGID bit on it to ensure files created by www-data belong to a group my user also belongs to.
It all works fine except some websites such as Nextcloud may write files (updates, user uploads,…) that are not group-readable/writable and then I end up with files in my home dir on which I can’t act upon (backup to a local computer, copy/transfer to another server as user, overwrite as user during a manual .tar.gz update, whatever).
I can become root, but this breaks the initial point of splitting web sites hosting in our user directories.
I know that the recommended ownership is www-data (see quote below) but is there a recommended approach to what we’re trying to achieve?
Upon further reading, I have the feeling that this should be achieved at webserver level, that is, rather than messing with file ownerships, ensure that each website (virtual host) is run under a different user, using the webserver configuration.
// Prevent others not to read the config
chmod($this->configFilePath, 0640);
I chmodded to 0660 and could login again.
Changing the line to
// Prevent others not to read the config
chmod($this->configFilePath, 0660);
would still prevent the file from being read by others while allowing www-data to write it even when the CLI update is performed by another user of the group.
Would that make sense?
Should I open an issue, or even a PR?
Note: I’m new to ACL and still figuring things out. I thought it would be a silver bullet but then realized that chmod overrides the ACL (rationale here). Maybe this is not the way to go, after all Thoughts welcome.