Optimal Permission and Ownership Setup for Apache Document Root with Multi-User SSH Access on CentOS

When configuring web server permissions, we need to balance security with functionality. The key requirements are:

  • Web content lives in /var/www/html/<site> directories
  • Two SSH users need write access to that content
  • Apache runs as its own unprivileged user (apache on CentOS, www-data on Debian-derived systems) and should only ever read the content
  • World-writable (777/666) permissions must be eliminated

Here's a secure setup that meets all requirements:

# Create a new group for web administrators
sudo groupadd webadmins

# Add both users to this group (-a keeps their existing groups)
sudo usermod -a -G webadmins user1
sudo usermod -a -G webadmins user2

# Set directory structure (example for one site)
sudo mkdir -p /var/www/html/example.com
sudo chown -R user1:webadmins /var/www/html/example.com

# Directories get 2775, files 664. A blanket chmod -R 2775 would mark every
# file executable and setgid, which nothing needs.
sudo find /var/www/html/example.com -type d -exec chmod 2775 {} +
sudo find /var/www/html/example.com -type f -exec chmod 664 {} +

Do not add the apache user to webadmins. The group has write permission, so membership would let the web server, and any PHP or CGI code it runs, rewrite the site, which is exactly what this layout is meant to prevent. Apache reads the content through the "others" bits (r-x on directories, r on files), and that is all it needs.

The 2775 mode on the directories is crucial:

  • 2: the setgid bit, so files and subdirectories created inside inherit the directory's group (webadmins) instead of the creator's primary group
  • 775: owner and group get read/write/execute; others (which is how apache gets in) get read+execute only

Setgid fixes the group of new files, not their mode. A maintainer working with umask 022 still creates 644 files that the other maintainer cannot edit. CentOS's /etc/bashrc picks umask 002 only when the user's primary group has the same name as the user and 022 otherwise, so check with umask and set 002 explicitly (in ~/.bashrc or a file under /etc/profile.d/) so that new files come out 664 and new directories 775. Files uploaded over SFTP never pass through the shell profile; on OpenSSH 5.4 or later set the umask there as well with "Subsystem sftp internal-sftp -u 002".
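The difference between what setgid does and what umask does is easiest to see on disk. The following is an added example, not code from the original page: it creates a throwaway 2775 directory using the calling user's own primary group as a stand-in for webadmins (so it runs without root) and assumes GNU coreutils for stat -c.

```shell
#!/bin/bash
# Added example (not from the original page): setgid sets the GROUP of new
# files, umask sets their MODE. Assumes GNU coreutils for stat -c.

# Create a site directory owned by GROUP with mode 2775 (rwxrwsr-x).
prepare_site_dir() {
    local dir="$1" group="$2"
    mkdir -p "$dir"
    chgrp "$group" "$dir"
    chmod 2775 "$dir"
}

# Create an empty file under a given umask and report "<mode> <group>".
# The subshell keeps the umask change from leaking into the caller.
create_with_umask() {
    local file="$1" mask="$2"
    ( umask "$mask" && : > "$file" )
    stat -c '%a %G' "$file"
}

# Same for a subdirectory: shows that the setgid bit propagates downward.
mkdir_with_umask() {
    local dir="$1" mask="$2"
    ( umask "$mask" && mkdir "$dir" )
    stat -c '%a %G' "$dir"
}

# Side-by-side demonstration on a throwaway directory. GROUP is the caller's
# primary group here, standing in for webadmins.
demo_setgid_umask() {
    local tmp site group
    tmp=$(mktemp -d)
    site="$tmp/example.com"
    group=$(id -gn)
    prepare_site_dir "$site" "$group"
    echo "directory : $(stat -c '%a %G' "$site")"                 # 2775 <group>
    echo "umask 002 : $(create_with_umask "$site/a.html" 002)"    # 664 <group>: both maintainers can edit
    echo "umask 022 : $(create_with_umask "$site/b.html" 022)"    # 644 <group>: right group, read-only for the colleague
    echo "subdir    : $(mkdir_with_umask "$site/img" 002)"        # 2775 <group>: setgid inherited
    rm -rf "$tmp"
}

demo_setgid_umask
```

The third line of output is the case that bites in practice: the group is right because of setgid, but the mode came from the umask, and the second maintainer gets "Permission denied" on the file until someone runs chmod g+w or the reset script.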

For directories that the application itself writes to (like WordPress uploads), the rule is that nothing stored there may ever be executed. Add this to your Apache config (Apache 2.4 syntax; on the Apache 2.2 shipped with CentOS 5 and 6, replace "Require all granted" with "Order allow,deny" / "Allow from all" and "Require all denied" with "Order deny,allow" / "Deny from all"):

<Directory /var/www/html/example.com/wp-content/uploads>
    AllowOverride None
    Require all granted
    # Switch the PHP engine off for this tree. The module name depends on the
    # PHP version (mod_php5.c for PHP 5, mod_php7.c for PHP 7). With PHP-FPM
    # there is no mod_php, and the FilesMatch block below is the only guard.
    <IfModule mod_php7.c>
        php_admin_value engine Off
    </IfModule>
    # Refuse to serve script-like files at all
    <FilesMatch "\.(php|phtml|phar|php3|php4|php5|pl|py|jsp|asp|sh|cgi)$">
        Require all denied
    </FilesMatch>
</Directory>

Two caveats. AllowOverride None is what stops an uploaded .htaccess from re-enabling PHP, so keep it. And the pattern is anchored at the end of the name, so a file called shell.php.jpg slips past it; if PHP is wired up with AddHandler, which matches any extension anywhere in a multi-extension name, such a file would still be executed outside this directory. Map PHP with SetHandler inside a <FilesMatch "\.php$"> block globally rather than relying on this list.

Create a maintenance script to reset permissions after deployments or when the audit below finds drift:

#!/bin/bash
# Reset ownership and permissions for a web directory tree
# Usage: sudo ./reset-webperms.sh [/var/www/html/site]
set -euo pipefail
ROOT="${1:-/var/www/html}"
# chown first, so the chmod lines below are the last word on the setgid bit
chown -R user1:webadmins "$ROOT"
find "$ROOT" -type d -exec chmod 2775 {} +
find "$ROOT" -type f -exec chmod 664 {} +

Note that it sets every file to 664 and every directory to 2775: any path that was deliberately tightened (a configuration directory at 750, for example) needs its own line at the end of the script, or it will be reopened on the next run.

Test your configuration with:

# Check directory permissions (expect drwxrwsr-x user1 webadmins)
ls -ld /var/www/html/example.com

# Verify user group membership (apache must NOT appear in webadmins)
groups user1
groups apache

# Test file creation as both users
sudo -u user1 touch /var/www/html/example.com/test1
sudo -u user2 touch /var/www/html/example.com/test2

Then check with ls -l that both test files carry the webadmins group and mode 664. Group changes only apply to new login sessions, so the users' existing SSH sessions must reconnect before they see the new group; sudo -u starts a fresh session with the target user's current groups, which is why the test above works immediately.

When managing multiple websites under /var/www/html/ with multiple maintainers, we need to balance:

  • Web server security (Apache should neither own nor be able to write the files it serves)
  • Developer collaboration (multiple SSH users need write access)
  • Proper file permissions (avoiding world-writable dangers)

On CentOS 5.5 systems, Apache runs as user apache in group apache; the User and Group directives in /etc/httpd/conf/httpd.conf are the authoritative setting. Here's how to verify what is actually running:

# Which user and group the httpd processes run as (the first line is the
# root-owned parent; the workers are the ones that touch your files)
ps -o user,group,pid,comm -C httpd

# The apache user's own groups (should not include the maintainers' group)
groups apache

Here's the optimal setup for /var/www/html/site1:

# Create developer group
sudo groupadd webdevs

# Add users to group
sudo usermod -a -G webdevs user1
sudo usermod -a -G webdevs user2

# Set directory structure
sudo mkdir -p /var/www/html/site1/{public,logs,config}
sudo chown -R user1:webdevs /var/www/html/site1

# Directories 2775 (the setgid bit keeps new files in webdevs), files 664.
# chmod -R 2775 would also mark every file executable and setgid, so use find.
sudo find /var/www/html/site1 -type d -exec chmod 2775 {} +
sudo find /var/www/html/site1 -type f -exec chmod 664 {} +

# Sensitive configs: maintainers only, nothing for "others" (and so nothing for apache)
sudo chmod 2750 /var/www/html/site1/config

The resulting layout:

  Path                  Ownership       Mode   Purpose
  /var/www/html/site1   user1:webdevs   2775   Parent directory
  public/               user1:webdevs   2775   Web root; Apache reads it through the "others" r-x bits
  logs/                 user1:webdevs   2775   Application logs
  config/               user1:webdevs   2750   Sensitive configs, unreadable to Apache and to anyone outside webdevs

Two things to watch. Do not drop public/ to 755 "for Apache": Apache already reads through the others bits, while 755 takes write access away from user2 and clears the setgid bit that was just set. And if the application itself, running as apache, must read a file in config/ or write into logs/, grant that one path to the apache user with an ACL (next section) rather than loosening the directory for everyone.

For more granular control, for example to let Apache read a single config file or write to logs/ without touching group membership, use ACLs. The tools come from the acl package; on CentOS 5 the ext3 filesystem also has to be mounted with the acl option (add it to the entry in /etc/fstab and remount), whereas ext4 and XFS enable it by default:

# Install ACL support
sudo yum install acl

# Default ACLs (inherited by new files and directories) and current ACLs for
# the developer group. Capital X grants execute on directories only, not on files.
sudo setfacl -Rdm g:webdevs:rwX /var/www/html/site1
sudo setfacl -Rm g:webdevs:rwX /var/www/html/site1
sudo setfacl -Rm u:apache:rX /var/www/html/site1/public

Keep in mind that chmod on the group bits rewrites the ACL mask, so a later permission reset (such as the maintenance script above) can silently cap what these entries grant; confirm with getfacl afterwards.

Regularly audit permissions with:

# Check ownership
ls -la /var/www/html/

# Walk every path component: a directory higher up without o+x blocks Apache
# no matter what the file itself allows
namei -l /var/www/html/site1/public/index.php

# Check ACLs (the mask entry caps what the named user and group entries grant)
getfacl /var/www/html/site1

General rules:

  • Never use 777 permissions
  • Restrict write access to web directories to the maintainers' group; the web server user gets write access only where the application genuinely needs to store data (uploads, logs), and those paths must not be executable as scripts
  • Regularly audit group membership (getent group webdevs); a departed maintainer who is still in the group still has write access
  • Consider a separate group, or a separate owning user, per site so that a maintainer of one site cannot modify another
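The maintenance script in the first section puts permissions back; the checks above tell you when that is needed. The following is an added audit script, not code from the original page, that finds the conditions this page warns about under a document root. It assumes GNU or BusyBox find and the CentOS account name apache as the default web server user (the optional third argument); the web-server-owner and wrong-group checks are skipped when those accounts do not exist on the machine running it.

```shell
#!/bin/bash
# Added example (not from the original page): audit a document root for the
# conditions this page warns about. Prints one line per finding and returns
# the number of findings (capped at 255). Assumes GNU/BusyBox find.

# Run a find expression and print every hit prefixed with LABEL,
# adding the hit count to the global counter n.
check() {
    local label="$1" hits
    shift
    hits=$(find "$@" 2>/dev/null | sed "s|^|$label  |")
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        n=$((n + $(printf '%s\n' "$hits" | wc -l)))
    fi
}

# audit_webroot ROOT GROUP [WEBUSER]
#   ROOT     document root to inspect, e.g. /var/www/html/site1
#   GROUP    the maintainers' group every path should belong to (webdevs)
#   WEBUSER  account the web server runs as; apache on CentOS (assumed default)
audit_webroot() {
    local root="$1" group="$2" webuser="${3:-apache}"
    n=0

    # 1. World-writable files and directories; symlinks are always 777, so skip them
    check 'WORLD-WRITABLE ' "$root" ! -type l -perm -0002

    # 2. Directories without setgid: files created there fall into the creator's primary group
    check 'NO-SETGID-DIR  ' "$root" -type d ! -perm -2000

    # 3. Paths outside the maintainers' group (skipped if the group is unknown here)
    if getent group "$group" >/dev/null 2>&1; then
        check 'WRONG-GROUP    ' "$root" ! -type l ! -group "$group"
    fi

    # 4. Content owned by the web server user, which should only read it
    if id "$webuser" >/dev/null 2>&1; then
        check 'OWNED-BY-WEBSRV' "$root" -user "$webuser"
    fi

    # 5. setuid/setgid regular files have no business in a document root
    check 'SETUID-SETGID  ' "$root" -type f \( -perm -4000 -o -perm -2000 \)

    printf '%d problem(s) under %s\n' "$n" "$root"
    [ "$n" -le 255 ] && return "$n"
    return 255
}

# Usage (run as root so every directory is readable):
#   audit_webroot /var/www/html/site1 webdevs apache
```

Run it from cron and alert on a non-zero exit status; a non-empty report is the signal to run the reset script, or, for the OWNED-BY-WEBSRV case, to find out which part of the application wrote into the tree.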