MJ Ray wrote:
Why does Apache need to be able to write to the files? I thought the problem was "images will be uploaded by the website admin backend as well" so I dismissed your "write to the files" statement as misleading. I thought that you wanted Apache to be able to write new files to that directory (so the directory is +t and g+w), but avoid allowing it to write to the actual files uploaded by PureFTP (so the files don't need to be g+w).
Not quite!
I want Apache to be able to upload images, and I want the user to be able to "change" (by which I mean overwrite, delete, etc.) those images via FTP, and I need Apache to also be able to overwrite the files with new uploads.
What I do *not* want to do is give the Apache process write access to the files of all other FTP users at the same time.
but the way PureFTP works (with virtual FTP users) is that all files from all users have ftpuser.ftpgroup ownership, so adding Apache to ftpgroup would give Apache write access to all FTP users' files.
Surely not, as long as PureFTP isn't creating the files g+w?
If it isn't, then it needs to be in order for me to be able to allow Apache to overwrite the files!
This is back where I started: this cannot be the right way to achieve what I need but I don't know what the right way is. To repeat: I need a directory of files of one FTP user to be read/write for the FTP user *and* read/write for Apache, without making files for other FTP users accessible to Apache.
The "correct" solution would seem to be that each virtual host should run as a different user, and the FTP users should be distinct also, so that each site has an FTP user with read/write access, and an Apache user with read only access (except where write access needs to be specifically granted). I guess with suexec I could do this (but I have no experience of this and I got the impression previously that I'd have to move away from PHP Apache modules to CGI?), or suphp (which I got into a hell of a muddle with last time I tried it, but that's probably just me!).
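An added example, not part of the original thread: a small audit that lists what a member of a given group could change under an FTP root, which is the exposure being debated if Apache joined ftpgroup. It reports both group-writable files and group-writable directories without the sticky bit (where entries can be deleted or replaced even if the files themselves are not g+w). The tree, the names in it, and the use of the temp directory's group as a stand-in for ftpgroup are constructed for the demo; it assumes the group member is not the file owner.

```python
import os
import stat
import tempfile

def group_write_exposure(root, gid):
    """What could a member of group `gid` change under `root`?

    Returns (files, dirs): regular files with group `gid` and g+w, and
    directories with group `gid`, g+w and g+x but no sticky bit, where a
    member can delete or replace entries even if the files are not g+w.
    """
    files, dirs = [], []
    wx = stat.S_IWGRP | stat.S_IXGRP
    for dirpath, _subdirs, names in os.walk(root):
        st = os.lstat(dirpath)
        if st.st_gid == gid and st.st_mode & wx == wx and not st.st_mode & stat.S_ISVTX:
            dirs.append(os.path.relpath(dirpath, root))
        for name in names:
            path = os.path.join(dirpath, name)
            fst = os.lstat(path)
            if stat.S_ISREG(fst.st_mode) and fst.st_gid == gid and fst.st_mode & stat.S_IWGRP:
                files.append(os.path.relpath(path, root))
    return sorted(files), sorted(dirs)

def demo():
    """Constructed tree standing in for an FTP root with two virtual users."""
    layout = {  # path -> mode; trailing "/" marks a directory (all made up)
        "alice/": 0o755,
        "alice/images/": 0o1775,          # g+w with sticky bit (+t)
        "alice/images/logo.png": 0o664,   # g+w: a group member can overwrite it
        "alice/private.txt": 0o644,
        "bob/": 0o775,                    # g+w, no sticky: entries replaceable
        "bob/index.html": 0o644,
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, mode in layout.items():
            path = os.path.join(root, rel)
            if rel.endswith("/"):
                os.mkdir(path)
            else:
                open(path, "w").close()
            os.chmod(path, mode)  # set explicitly so the umask does not interfere
        # The temp dir's own group stands in for ftpgroup in this demo.
        return group_write_exposure(root, os.lstat(root).st_gid)

if __name__ == "__main__":
    print(demo())
```
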