System administration of web applications (Apache with PHP)

I have a custom written web application running on the traditional LAMP stack (P being PHP in this example).

Option 1) I could just chown all the PHP files over to the apache user/group, place the files in htdocs, and run the app like that.

Option 2) I was thinking of creating a separate user with no login shell, though, that would own all the PHP files. Then I would add group ownership of the files to apache and store the PHP files in the users home directory. PHP would still be running as the apache user.

This would allow me to su over to that account to edit the files as the application user, and connect to the MySQL DB without specifying the user/password on the command line as well.

I was thinking this might keep it more organized if I were to add more applications in the future.

Is there a best practice for this? Are there any disadvantages to using the separate user technique (second option)?

2 Replies

There are certainly any number of ways to organize things, but I don't know if there is truly a best practice (my own practices have tended toward expedience rather than maintainability).

One problem with the separate user approach is that when you add new files as that user, the group ownership and permissions are likely to make them inaccessible to Apache. You can overcome the ownership problem with the setgid bit and the permissions problem by changing the umask for the user.

I did actually decide to do this by creating a new user.

I created a new user and changed the password hash to start with a ! to disable login. This way I can still su to the account (which I could not if I used sbin/nologin) as root, although I can not su over as a normal user because the password will never be accepted.

I set the umask to the appropriate setting in the new account's profile. Then I changed the primary group on that account to be apache.

Finally, I changed the webserver folder so that it is owned by the application account, and apache only has group read but not write access. I was reading on the Drupal website that this is the appropriate way to setup the www tree anyway.


Please enter an answer

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct