
Setting up developer permissions on apache February 26, 2010

Posted by maxmil in: Apache, Debian

I’m administrating a small server that hosts various web sites on Apache. Each web site has a group of developers who update their site via ssh or sftp.

I needed to set up the permissions so that only the developers of each site and the Apache user (www-data) could modify that site’s files.

Each site is in a different sub directory of /var/www.

Initially, for each site, I created a group, put the developers of the site and the Apache user in this group and gave the owner and group read and write permission on all the files.

This worked fine until a developer added files to the site: the new files were created with the developer’s primary group, which meant the other developers could not edit them.

Since each developer can be working on more than one site, I could not just change the developer’s primary group.

However, chmod g+s came to my rescue. Setting the setgid bit on the top level directory of each site forces all files created inside it to inherit that directory’s group rather than the creating user’s group.

Great.

However I still had a problem. The default umask for the developers connecting to the server was 022, which meant that even though the new files they created had the correct group, the group only had read access to them :(

With ssh connections changing the default umask was easy. I could do it in /etc/profile for the whole system or in ~/.profile for each user.

However, when they connected via sftp this had no effect, because the sftp subsystem does not run a login shell and so never reads those files.

I think that the correct way to set the default umask is using PAM, but after trying all sorts of configurations I couldn’t get it to work.

In the end the solution was to modify the line in /etc/ssh/sshd_config that starts the sftp server:

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp /opt/sftp-server-wrapper.sh

and create a wrapper script, /opt/sftp-server-wrapper.sh:

#!/bin/sh
# umask 0002 removes only the world write bit, so files created over sftp are group-writable
umask 0002
exec /usr/lib/openssh/sftp-server

Don’t forget to make the wrapper script executable, otherwise sftp just fails silently!

This works, but if anyone out there has a cleaner solution I would be very happy to hear it!
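The whole setup described above (site group, setgid directory, and the two umasks) rebuilt in a scratch directory so the effect on new files can be checked without root. This is an added example, not part of the original post; it assumes POSIX sh with ls, awk, id and mktemp, and uses one of the caller’s own groups as a stand-in for the real per-site developer group.

```sh
#!/bin/sh
# Added example (not from the original post): simulate the setgid site
# directory plus developer umask in a scratch dir and verify group and modes.

# Symbolic mode of a path, e.g. "-rw-rw-r--" (first 10 chars of ls -l).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Group name that owns a path (4th column of ls -l).
group_of() {
    ls -ld "$1" | awk '{ print $4 }'
}

# Stand-in for the site's developer group: a supplementary group of the caller
# if there is one (so it differs from the primary group), else the primary one.
pick_group() {
    id -Gn | awk '{ g = $1; if (NF > 1) g = $2; print g }'
}

# Create the site root like /var/www/<site>: owned by the site group,
# group-writable, and with the setgid bit (chmod g+s) so that every file
# created inside inherits the directory's group instead of the creator's.
setup_site_dir() {
    mkdir -p "$1"
    chgrp "$2" "$1"
    chmod 2775 "$1"          # drwxrwsr-x
}

# Create a file under $1 with umask $2 (in a subshell so the caller's umask
# is untouched) and print the resulting mode string.
create_with_umask() {
    ( umask "$2" && : > "$1/file-$2" )
    mode_of "$1/file-$2"
}

# Walk through both umasks the post describes: 022 (the default) leaves the
# group read-only, 002 (set by the sftp wrapper) gives it read-write.
demo() {
    work=$(mktemp -d)
    grp=$(pick_group)
    setup_site_dir "$work/site" "$grp"
    printf 'dir:        %s %s\n' "$(mode_of "$work/site")" "$grp"
    printf 'umask 022:  %s\n' "$(create_with_umask "$work/site" 022)"
    printf 'umask 002:  %s %s\n' "$(create_with_umask "$work/site" 002)" \
        "$(group_of "$work/site/file-002")"
    rm -rf "$work"
}
demo
```

The last line of the output shows both things the post needed: the file created with umask 002 is group-writable and belongs to the directory’s group, not to the creating user’s primary group.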
