Score:2

CentOS - Deploy Web Application - What is the best way using non-apache User Account with SFTP/WinSCP

I have a simple question; however, I am struggling to understand how to do this in a secure manner.

I have a PHP-based web application that runs on Linux (CentOS 7). I have a "user" account with sudo privileges on the Linux server.

The web server (Apache) runs as the "apache" user with the "apache" group.

The problem is that when I try to deploy applications using WinSCP, I get permission denied errors. The ONLY way I can solve this problem is to do:

usermod -g apache myusername
chmod 775 /var/www/html

I don't want to give 775 to the entire web folder; I think it's a big security issue. What is the most secure way to achieve this type of task?

How can I deploy my app using WinSCP with my user account but AS the apache user? Or are there any other suggestions on common industry practice that is considered safe?

Score:1

There are multiple recommended ways to solve this issue.

  1. Add write access on /var/www/html for the user who logs in through WinSCP/SFTP. This can be done in multiple ways.
    • Changing the group to the running user (and granting write access)
      sudo chgrp -R <user> /var/www/html
      sudo chmod -R g+w /var/www/html

      Note: This works because a unix group is always created for each user.
    • Creating a new unix group containing both apache and the user (and granting write access)
      sudo groupadd <groupname>
      sudo usermod -aG <groupname> apache
      sudo usermod -aG <groupname> <user>
      sudo chgrp -R <groupname> /var/www/html
      sudo chmod -R g+w /var/www/html

  2. Run the apache service as the user logging in through WinSCP/SFTP. (link)
  3. Move the apache document root away from /var/www/html (either by creating a symlink from /var/www/html to a directory owned by the deployment user, or by updating the apache configuration).
Falstone
I use method 1 in this scenario, which works well.
mahen3d
@sreeraj can you explain option no. 1 a bit more, with screenshots, on how to change to the running group?
Sreeraj
@mahen3d Added more details as you mentioned.
Falstone
I will add this as a comment rather than a separate answer, because I think Sreeraj deserves the bounty for his quite full answer. You have raised concerns about security, so building on bullet 1 of the answer you could reverse the ownership to give you a little more security. Assuming your WinSCP user is called 'fred':

First:
  chown -R fred:apache /var/www/html
Then:
  chmod 750 /var/www/html

That limits the apache user's permissions. There might be the odd file in the directory that apache needs to write to, but that could have its permissions set on an individual file basis.
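The following script is an added example and is not code posted by anyone in this thread. It combines bullet 1 of the answer (a shared group on the document root) with Falstone's reversed-ownership layout (fred:apache, 750): the SFTP user owns the tree, apache can only read it, and the odd file apache must write gets group write individually. The user name "fred", the group "apache" and /var/www/html come from the thread; the function names, the setgid bit on directories, the 640 file mode and the check function are assumptions made here. The check runs without root against a scratch directory using your own user and group, so it can be tried offline before touching the server.

```shell
#!/bin/sh
# Added example, not code from the thread. Lays out a deployment tree that the
# SFTP user owns and the web server group can only read (Falstone's fred:apache
# + 750 layout), adds the setgid bit so uploaded files inherit the "apache"
# group, and verifies the result. User "fred", group "apache" and
# /var/www/html come from the thread; the function names, the setgid bit and
# the 640 file mode are assumptions made here.
set -eu

# setup_deploy_dir DIR OWNER GROUP
#   directories -> 2750: owner rwx, group r-x, others nothing, setgid set
#   files       ->  640: owner rw,  group r,   others nothing
# With setgid on every directory, a file WinSCP creates later gets group GROUP
# regardless of the uploader's primary group, so the "usermod -g apache"
# workaround from the question is not needed.
setup_deploy_dir() {
    dir=$1; owner=$2; group=$3
    mkdir -p "$dir"
    chown -R "$owner:$group" "$dir"
    find "$dir" -type d -exec chmod 2750 {} +
    find "$dir" -type f -exec chmod 640 {} +
}

# allow_web_write PATH
# For the odd file or directory apache really must write (cache, uploads):
# grant group write on that path only, never on the whole tree.
allow_web_write() {
    chmod g+w "$1"
}

# check_deploy_dir DIR GROUP
# Succeeds when DIR is 2750 and a file created inside it inherits GROUP.
# Uses GNU stat syntax (CentOS coreutils); %a is the octal mode incl. setgid.
check_deploy_dir() {
    dir=$1; group=$2
    [ "$(stat -c '%a' "$dir")" = "2750" ] || return 1
    probe=$(mktemp "$dir/.probe.XXXXXX")   # stands in for an SFTP upload
    probe_group=$(stat -c '%G' "$probe")
    rm -f "$probe"
    [ "$probe_group" = "$group" ]
}

# Real deployment on the server (needs root), with the thread's names
# (deploy_perms.sh is an assumed file name for this script):
#   sudo sh -c '. ./deploy_perms.sh; setup_deploy_dir /var/www/html fred apache'
#   sudo sh -c '. ./deploy_perms.sh; allow_web_write /var/www/html/cache'
# Offline self-check against a scratch directory with your own user and group:
#   tmp=$(mktemp -d); setup_deploy_dir "$tmp" "$(id -un)" "$(id -gn)"
#   check_deploy_dir "$tmp" "$(id -gn)" && echo "layout OK"
```

The setgid bit is what makes the layout stick: without it, every new file uploaded by fred would belong to fred's primary group, and apache would lose read access to it until someone ran chgrp again. Keeping the tree at 750/640 also means a bug in the PHP application cannot modify its own code, which is the security property the question is really after.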