How can I allow my apache user to upload to user directory when using Apache on EC2?

I have set up an Amazon EC2 instance. By default my apache is running as user apache of the group apache.

I created new ftp user test and uploaded my f开发者_Python百科iles to /home/test/public_html. I then configured the virtual host DocumentRoot to point to my project, residing in /home/test/public_html.

When the directory is owned by user test, uploading in the project is denied: it gives a permission error. If I change the owner of the directory to apache, it works.

How can give the apache user superuser rights, to permit it to upload without changing the directory's owner?

It's always same problem. Upload with user ftp and no access for user apache.

I solved that problem using filesystems extended acls.

It's possible to put a 'default' user and/or group to new generated files.

What you have to do:

• add 'acl' to your mount options for your desired filesystem. (Please check if your kernel is configured for posix acl before doing so!)
• use command 'setfacl' to set permissions (you may need to install a package containing 'setfacl' before depending on your distribution.)

Example:

First own for user ftp so uploads can be made

# chown ftp:ftp /var/www/server/htdocs
# ls -la /var/www/server/htdocs/
insgesamt 0
drwxr-xr-x  2 ftp      ftp  40 26. Nov 12:40 .
drwxrwxrwt 15 root     root  360 26. Nov 12:40 ..

Next set default for user apache

# setfacl -d -m u:apache:rwx /var/www/server/htdocs
# setfacl -d -m g:apache:rwx /var/www/server/htdocs
# getfacl /var/www/server/htdocs
# file: /var/www/server/htdocs
# owner: ftp
# group: ftp
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:apache:rwx
default:group::r-x
default:group:apache:rwx
default:mask::rwx
default:other::r-x

After putting files or directorys to this directory you will see that you have multiple accessrights to them. But keep in mind that those rights are only given to new files not to existing once.

# getfacl /var/www/server/htdocs/test.txt

# file: /var/www/server/htdocs/test.txt
# owner: ftp
# group: ftp
user::rw-
user:apache:rwx                 #effective:rw-
group::r-x                      #effective:r--
group:apache:rwx                #effective:rw-
mask::rw-
other::r--

When using 'ls -l' you see a '+' after the permissions to inform about acl rights:

# ls -la /var/www/server/htdocs
insgesamt 0
drwxr-xr-x+  3 ftp      ftp   80 26. Nov 12:43 .
drwxrwxrwt  15 root     root 360 26. Nov 12:40 ..
drwxrwxr-x+  2 ftp      ftp   40 26. Nov 12:43 test
-rw-rw-r--+  1 ftp      ftp    0 26. Nov 12:43 test.txt

I would at all cost avoid letting apache user have root privileges.

This would be quite a serious security issue: exactly because the server is potentially (more) vulnerable you normally make a specifc user for it (here the 'apache' user) where you can specify the privileges to only those that are really needed for the server run.

If there are problems with the Apache user not having all the right permissions you should solve them by changing the ownership of corresponding files to apache user,

chown apache:apache <filename>

or, by making them readable/writable/executable for more users, e.g. using

chmod 777 <filename>