System administration of web applications (Apache with PHP)
Option 1) I could just chown all the PHP files over to the apache user/group, place the files in htdocs, and run the app like that.
Option 2) I was thinking of creating a separate user with no login shell, though, that would own all the PHP files. Then I would add group ownership of the files to apache and store the PHP files in the users home directory. PHP would still be running as the apache user.
This would allow me to su over to that account to edit the files as the application user, and connect to the MySQL DB without specifying the user/password on the command line as well.
I was thinking this might keep it more organized if I were to add more applications in the future.
Is there a best practice for this? Are there any disadvantages to using the separate user technique (second option)?
One problem with the separate user approach is that when you add new files as that user, the group ownership and permissions are likely to make them inaccessible to Apache. You can overcome the ownership problem with the
setgid bit umask
I created a new user and changed the password hash to start with a ! to disable login. This way I can still su to the account (which I could not if I used sbin/nologin) as root, although I can not su over as a normal user because the password will never be accepted.
I set the umask to the appropriate setting in the new account's profile. Then I changed the primary group on that account to be apache.
Finally, I changed the webserver folder so that it is owned by the application account, and apache only has group read but not write access. I was reading on the Drupal website that this is the appropriate way to setup the www tree anyway.