dumb question about users and permissions.
My question is how should I set up the permission on the files?
for instance my "/var/www/localhost/whatever" folder should have what permissions? Apache will need to be able to read the files to serve on web and each user should be able to acce4ss his files. Should the owner be apache and the group be "group1"
useradd -d /var/www/localhost/whatever -g group1 user1
inside the directory lets say my index.html file what owners should that have?
Is this correct?
index.html apache:group1 with 775 ?
I am really confused on what this should be and would appriciate help. I have read lots on forums and manuals but none clear it up for me.
With this setup your PHP scripts (assuming you're using the standard mod_php; please ignore if all your sites are static) will only be able to read from the disk, but not write or create new files. If your users have PHP scripts that need to write to the disk, you should either tell your users to chmod the appropriate files to 660/770 or use a special Apache module such as suexec or suphp.
Don't use 775 or 777 or anything of the sort unless you trust all of your users not to hack each other's sites. The last digit MUST be zero or your users will be able to view each other's files. All the popular CMS's store their DB credentials in plain text! Sure, FTP gives you a chroot, but what about PHP scripts? Sure, safemode and openbasedir can help, but those are stopgap measures and some of them will disappear in the next version. Nothing beats native UNIX permissions.
Clever users can bypass open_basedir restrictions:
This is banned
$data = file_get_contents('/path/to/another/users/file');
But this isn't
$data = shell_exec('cat /path/to/another/users/file');
This, of course, can be banned using safe_mode configuration, but who knows if there's another hole, PHP being what it is.