Should shared account user and apache php process user be the same in a shared server?

Question

I have a shared server for PHP and the user account under which the Apache webserver is running is nobody and the user for my ftp and cpanel is different lets say jokertec.

Now when my webserver creates any folder I have problems renaming/deleting/modifying that folder using cpanel and when my cpanel creates any folder the webserver has problems doing the same. This is due to the owners of both the folders being different I think.

What I want to ask is that Is this some kind of server misconfiguration and both the user under which apache runs and the cpanel username should be same? Or I am missing something here? As I think we cannot change the user under which php runs for creating folders dynamically.

Answer 1

This is a common problem and there's a few solutions. The one we've employed is making the primary group of the non-apache users, who need to access the files, (actually just 1 user, in our case) the same group as Apache - www-data in our case.

This means that files created by Apache and the user are both created with the www-data group and both has access to them.

The permissions that a file is created with is controlled by the umask on Linux. If your current umask does not allow group write to newly created files you can change it ala http://www.cyberciti.biz/tips/understanding-linux-unix-umask-value-usage.html

Security is always a concern here, though if your users only have access to their own chrooted FTP account (I believe this is the default with a cpanel setup) you needn't worry. If they have SSH access, you may be concerned that all users can access the web files of other users. This is a fairly null concern given that the same behavior can usually be achieved with some code run through Apache on shared hosting environments.

Answer 2

This is a common problem on shared servers where no suExec or the like is used. What I did is I used ftp to connect to localhost and create at least the directories, if not the files. I might be able to create a separate ftp user that will have access only to the directory you need. Password must be stored, sure.