Proper permissions for a two-developer team on a PHP5 Apache Linux server

I was hoping someone could point me in the right direction regarding Linux permissions. I understand how to calculate what permissions are, understand the methodology behind changing them, and can handle the dirty work; I'm just unsure what permissions I should give for proper security.

I've been developing from root on a Linux server, with permissions set to 644 on all files (located in /var/www). As I'm taking on a new developer, I'd like to set up proper users and still be able to edit. I would not like to use version control at this time. It seems to me that by creating two new users (one for me and one for the new developer), adding us to a common dev group and changing the group owner of all files to that dev group, I could just chmod all files to 664 and maintain freedom to edit.

By setting the permissions as described above, are my files still (relatively) secure permissions-wise?

Edit: Found a great resource here for anyone looking in the future.


You should create a group "developers" and add yourself and the second guy to that group. Each user can be in many groups and each group can have many users.

And then you do a chgrp -R developers /var/www (-R means "recursive") and chmod -R 664 /var/www.

Or some other configuration: you, for example, might want the "apache" user to be in the same group as the users. Your choice.


If you put the group sticky bit (02775 for example) and set the group of the dir to the group that both users are in, then all new files will be created with the group of the dir, not the primary group of the user. This will make sure that all new files created will be accessible by all appropriate users, not counting umask (which you may want to change to 002 to make new files created with 664).
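
The shared-group setup discussed in these answers, as an added example that is not part of the original posts: it sets directories to 2775 and files to 664 separately (a directory needs its execute bit to be traversed), then audits the tree and checks what a new file looks like under umask 002. The temporary tree and the use of the current user's GID in place of a "developers" group are assumptions so that it runs without root.

```shell
# Added example (not from the thread). Directories: 2775, files: 664.
apply_shared_perms() {            # usage: apply_shared_perms DIR GROUP
    dir=$1 group=$2
    chgrp -R "$group" "$dir" || return 1
    find "$dir" -type d -exec chmod 2775 {} + || return 1
    find "$dir" -type f -exec chmod 664 {} +
}

# Print each entry that breaks the scheme; return 1 if any were found.
audit_shared_perms() {
    dir=$1 group=$2
    bad=$(
        find "$dir" ! -type l ! -group "$group" -exec printf 'wrong-group %s\n' {} \;
        find "$dir" -type d ! -perm -2000 -exec printf 'dir-no-setgid %s\n' {} \;
        find "$dir" -type f ! -perm -0020 -exec printf 'not-group-writable %s\n' {} \;
        find "$dir" ! -type l -perm -0002 -exec printf 'world-writable %s\n' {} \;
    )
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Create a file as a developer with umask 002 would; succeed only if it
# comes out 664 and carries the directory's group (the setgid effect).
new_file_inherits() {
    dir=$1 group=$2 probe="$1/.perm-probe.$$"
    ( umask 002; : > "$probe" ) || return 1
    hit=$(find "$probe" -perm 664 -group "$group")
    rm -f "$probe"
    [ -n "$hit" ]
}

# Constructed sample tree standing in for /var/www (files 644, as in the question).
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/app/includes"
    : > "$root/index.php"; : > "$root/app/includes/db.php"
    chmod 755 "$root" "$root/app" "$root/app/includes"
    chmod 644 "$root/index.php" "$root/app/includes/db.php"
    echo "$root"
}

tree=$(make_sample_tree)
grp=$(id -g)    # assumption: current user's GID stands in for "developers"
audit_shared_perms "$tree" "$grp" || echo "before: violations listed above"
apply_shared_perms "$tree" "$grp"
audit_shared_perms "$tree" "$grp" && new_file_inherits "$tree/app" "$grp" && echo "after: clean"
rm -rf "$tree"
```

On a real server the same functions would be called as root with /var/www and the shared group's name; the audit can be re-run later to catch files that drifted back to world-writable or lost the group.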


I like setting the sticky bit on directories where multiple people will handle the files. I generally use version control, but on /usr/local/src I will chmod 1775 /usr/local/src. This way people will not be able to delete files they did not create.