Centos - Deploy Web Application - What is the best way using non-apache User Account with SFTP/WinSCP
I have a simple question; however, I am struggling to understand how to do this in a secure manner.
I have a PHP-based web application that runs on Linux (CentOS 7). I have "user" access with sudo privileges on the Linux server.
The web server (Apache) runs as an "apache" user with an "apache" group.
The problem is that when I try to deploy applications using WinSCP, I get permission denied errors. The ONLY way I can solve this problem is to do a:
usermod -g apache myusername
chmod 775 /var/www/html
I don't want to give 775 to the entire web folder; I think it's a big security issue. What is the most secure way to achieve this type of task?
How can I deploy my app using WinSCP with my user account but AS the apache user? Or any other suggestions on common industry practice that is considered safe?
Solution 1:
There are multiple recommended ways to solve this issue.
- Add write access on /var/www/html to the user who logs in through WinSCP/SFTP. This can be done in multiple ways.
  - Changing the group to the running user (and grant write access)
    Note: This works because there is always a unix group created for users.
      sudo chgrp <user> /var/www/html
      sudo chmod g+w -R /var/www/html
  - Creating a new unix group containing both apache and the user (and grant write access)
      sudo groupadd <groupname>
      sudo chgrp <groupname> /var/www/html
      sudo chmod g+w -R /var/www/html
- Run the apache service as the user logging in through WinSCP/SFTP. (link)
- Move apache document root from /var/www/html (simply by creating a symlink from /var/www/html to a directory owned by deployment user or by updating the apache configuration)
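The group-based option above, written as an added example that is not part of the original answer: it grants group write without world write, sets setgid on directories so files uploaded later over SFTP keep the group, and audits the tree for drift. The function names `grant_group_write` and `audit_docroot` are hypothetical, and GNU/POSIX `find` and `chmod` are assumed.

```shell
#!/bin/sh
# Added example (not from the original answer). Nothing is changed until you
# call the functions yourself; both take the document root and the group as
# arguments, so they can be tried on a scratch directory first.

# grant_group_write DOCROOT GROUP
# Hand the tree to GROUP, give the group write access, and remove write
# access for everyone else. Directories also get the setgid bit so files
# created later inherit GROUP instead of the uploader's primary group.
grant_group_write() {
    docroot=$1 group=$2
    [ -d "$docroot" ] || { echo "not a directory: $docroot" >&2; return 1; }
    chgrp -R "$group" "$docroot" || return 1
    chmod -R g+w,o-w "$docroot" || return 1
    find "$docroot" -type d -exec chmod g+s {} +
}

# audit_docroot DOCROOT GROUP
# Print every path that is world-writable, belongs to another group, or is a
# directory without setgid. Symlinks are skipped because their own mode bits
# are not meaningful. Empty output means the tree matches the policy.
audit_docroot() {
    docroot=$1 group=$2
    find "$docroot" ! -type l \( -perm -0002 -o ! -group "$group" \
        -o \( -type d ! -perm -2000 \) \) -print
}
```

Which group you pass matters: if apache is a member of it, the web server process can also modify the deployed code, whereas with the deploy user's own group apache only reads the files through the "other" permission bits.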