mysecureshell
Documentation Enhancement Request: ACL setup for multi-user Apache sites
Over the years, I've come up with a way to accomplish this + there are problems.
Likely there's a better way. Love to hear how other people do this.
My steps using Ubuntu with the following directory structure for my LXD hosting clients...
/sites/$client/$site/{wordpress,logs,htdocs}
- First set a www-data ACL, so any newly created files/dirs inherit www-data in addition to creator ownership, else Apache can end up throwing 403 Forbidden errors.
setfacl -Rm d:u:www-data:rwX,u:www-data:rwX /sites/*/*/{wordpress,htdocs}
This ACL sets a default user (d:u:) + also user (u:), in case someone has already created a dir/file by the time setfacl runs.
- Next, set up a user. In this case, set up a user joe with access to the foo.com site + no others.
useradd --user-group -G www-data --shell=/usr/bin/mysecureshell --home=/sites/john-smith/foo.com/wordpress joe
echo joe:2maylnzBz0cm4f3t | chpasswd
setfacl -Rm d:u:joe:rwX,u:joe:rwX /sites/john-smith/foo.com/wordpress
a) The -G www-data group allows user joe to "see" all www-data owned files.
b) The d:u:joe ACL ensures any new files/dirs inherit joe ownership.
c) The u:joe ACL ensures any existing files/dirs inherit joe ownership.
- All this works well, except sometimes all setfacl ACLs seem to drop, so an additional step is required to fix this via a CRON job running every 10 minutes...
#!/bin/bash
setfacl -Rm d:u:www-data:rwX,u:www-data:rwX /sites/*/*/{wordpress,htdocs}
setfacl -Rm d:u:joe:rwX,u:joe:rwX /sites/john-smith/foo.com/wordpress
- What I mean by ACLs dropping is they change from rwX to r-x + show up as...
ACL: #effective:r-x
So the write access seems to just disappear randomly. I suspect this has something to do with how an SFTP client is interacting with MySecureShell + I've never figured it out.
Questions.
- Love to hear a better way to do this.
- Love to hear a way to do this so ACLs persist, rather than changing from rwX to r-x.
- Have the intelligence of this ticket rolled into the MySecureShell use cases to help other people running hosting companies.
Thanks for considering this documentation enhancement request.
About the disappearing bits, I think it is because you haven't correctly set the mask in the ACL. See http://www-uxsup.csx.cam.ac.uk/pub/doc/suse/sles9/adminguide-sles9/ch27s03.html
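To make the mask explanation concrete, here is an added audit script (not part of this issue or of MySecureShell) that parses getfacl output, recomputes each entry's effective rights as entry permissions AND mask, reports which entries the mask clips, and derives the mask value that would restore them. The getfacl text below is constructed to match the rwX-granted / r-x-effective state the issue describes.

```python
import re
from functools import reduce
from typing import Dict, List, Tuple

# Constructed getfacl output (not real): the issue's wordpress dir after the mask got narrowed to r-x.
SAMPLE_GETFACL = """\
# file: /sites/john-smith/foo.com/wordpress
user::rwx
user:joe:rwx\t\t\t#effective:r-x
user:www-data:rwx\t\t#effective:r-x
group::r-x
mask::r-x
other::r-x
default:user:joe:rwx
"""
ENTRY_RE = re.compile(r"^(user|group|mask|other):([^:]*):([rwx-]{3})")

def perm_bits(perm: str) -> int:
    """'r-x' -> 5 (r=4, w=2, x=1)."""
    return sum(v for c, v in zip(perm, (4, 2, 1)) if c != "-")

def bits_perm(bits: int) -> str:
    """5 -> 'r-x'."""
    return "".join(c if bits & v else "-" for c, v in zip("rwx", (4, 2, 1)))

def parse_access_acl(text: str) -> Dict[str, str]:
    """Access entries as {'user:joe': 'rwx', ...}; default: lines and #effective: notes are skipped."""
    acl: Dict[str, str] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            tag, qualifier, perm = m.groups()
            acl[f"{tag}:{qualifier}"] = perm
    return acl

def is_masked(entry: str) -> bool:
    """The mask caps named users, named groups and group::, never user:: or other::."""
    tag, qualifier = entry.split(":", 1)
    return tag == "group" or (tag == "user" and qualifier != "")

def clipped_entries(acl: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(entry, granted, effective) for every entry the mask narrows, recomputed as perms AND mask."""
    mask = perm_bits(acl.get("mask:", "rwx"))
    return [(e, p, bits_perm(perm_bits(p) & mask)) for e, p in acl.items()
            if is_masked(e) and (perm_bits(p) & mask) != perm_bits(p)]

def repair_mask(acl: Dict[str, str]) -> str:
    """Smallest mask restoring every masked entry's rights; apply with setfacl -m m::<value> <path>."""
    return bits_perm(reduce(int.__or__, (perm_bits(p) for e, p in acl.items() if is_masked(e)), 0))
```

Running `clipped_entries(parse_access_acl(SAMPLE_GETFACL))` on the sample reports joe and www-data as granted rwx but effective r-x, and `repair_mask` returns rwx, i.e. the entries never went away; only the mask was rewritten.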