Making Magento Files Secure Yet Easy To Access With Normal FTP

Last modified by Discovery on Thu, June 24, 2010 15:27

One slight problem with Linux is getting at its files from a Windows PC over FTP. A user's own home directory is easy to reach, but /var/www/html may not be. One trick, made possible by the bind-mount support in the Linux kernel, is to mount a directory at a second location in the tree (a "bind" mount), e.g., as root:

mkdir /home/magento_user/html

mount --bind /var/www/html /home/magento_user/html

Now it is possible to login as magento_user and access the files in /var/www/html from the local ‘link’ in the home directory.

To make this mount available on boot, edit /etc/fstab and add:

/var/www/html   /home/magento_user/html   none    bind    0 0

The mount can then be tested using:

umount /home/magento_user/html

(Now the /home/magento_user/html directory is ‘empty’.)

mount -a

(Now it is ‘full’ again.)

This FTP access arrangement works best if the webserver account - ‘apache’ - and the other logins, e.g. ‘magento_user’, are all in the same group, e.g. ‘apache’. To keep things working swimmingly, new files will also need to be created group-readable and group-writable by default.

To make a user, e.g. ‘magento_user’ be primarily in the ‘apache’ group, as root:

usermod -g apache magento_user

To make the existing web root files owned by this group and group-writable:

chgrp -R apache /var/www/html
chmod -R g+w /var/www/html

Bear in mind what this trades away: the web server process can now write to every file under the web root, PHP code included, so anyone who gains code execution through the shop can also rewrite the application. If that is a concern, leave the code read-only for the group and grant g+w only to the directories Magento actually writes to, such as var and media.

To make newly created files group-writable, edit the system-wide /etc/profile file and change the umask value to 002 (it is probably 022 by default, which leaves the group write bit clear). That only covers login shells; files uploaded by FTP need the same treatment. If using proftpd, edit /etc/proftpd.conf and change the Umask line from 022 to 002.

Since you may also be connecting with sftp, edit /etc/ssh/sshd_config and change the line that starts the sftp server. Comment out the old one rather than deleting it, in case you need to revert:

#Subsystem      sftp /usr/lib/openssh/'

Add in a new file /usr/lib/openssh/ and make it executable (chmod 755), then point the Subsystem line at it. The wrapper sets the umask and then hands over to the real sftp server:

#!/bin/sh
umask 0002
exec /usr/lib/openssh/sftp-server "$@"

(/usr/lib/openssh/sftp-server is where Debian and Ubuntu install OpenSSH's sftp-server binary; adjust the path for other distributions.) On OpenSSH 5.4 or newer the wrapper is unnecessary, because sftp-server accepts a -u umask option, so a line such as

Subsystem      sftp /usr/lib/openssh/sftp-server -u 0002

does the same job without an extra file. Now restart ssh with service sshd restart (service ssh restart on Debian/Ubuntu).
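The whole procedure above (bind mount, fstab entry, group membership, group write bits) collected into one script, together with an audit function and a umask demonstration, as an added example that is not part of the original wiki page. It assumes the paths and names used on this page (/var/www/html, magento_user, apache); the setgid bit on directories is an addition of this example so that files created by any account inherit the web server's group. The setup function needs root; the check and demo functions run unprivileged and can be pointed at an existing server to confirm it is set up as described.

```shell
#!/bin/sh
# Shared Magento web root: setup and audit (added example, not from the
# original page). Assumes web root /var/www/html, FTP/SFTP user
# magento_user and web server group apache, as on the page.
# setup_shared_webroot must run as root; the other functions need no
# privileges.

# Build the /etc/fstab line that re-creates a bind mount at boot.
fstab_bind_line() {
    src=$1 dst=$2
    printf '%s %s none bind 0 0\n' "$src" "$dst"
}

# Root only: bind-mount the web root into the user's home, persist the
# mount in fstab, put the user in the web server's group and open the
# tree to that group.
setup_shared_webroot() {
    webroot=$1 user=$2 group=$3
    mkdir -p "/home/$user/html"
    mount --bind "$webroot" "/home/$user/html"
    line=$(fstab_bind_line "$webroot" "/home/$user/html")
    grep -qxF "$line" /etc/fstab || printf '%s\n' "$line" >> /etc/fstab
    usermod -g "$group" "$user"
    chgrp -R "$group" "$webroot"
    chmod -R g+w "$webroot"
    # setgid on directories (addition to the page): files created by any
    # account, whatever its primary group, inherit the web server's group.
    find "$webroot" -type d -exec chmod g+s '{}' +
}

# Audit: return 0 only if every entry under $1 belongs to group $2 and
# carries the group write bit; report the first offender otherwise.
check_group_writable() {
    dir=$1 group=$2
    bad=$(find "$dir" \( ! -group "$group" -o ! -perm -020 \) 2>/dev/null | head -n 1)
    if [ -n "$bad" ]; then
        echo "not group-writable or wrong group: $bad" >&2
        return 1
    fi
    return 0
}

# Show what a umask of 002 buys: create a file in $1 under that umask in
# a subshell (so the caller's umask is untouched) and print its mode.
umask_demo() {
    dir=$1
    ( umask 002 && : > "$dir/umask_demo_file" )
    ls -l "$dir/umask_demo_file" | cut -c1-10
}

# Usage, as root:  setup_shared_webroot /var/www/html magento_user apache
# Then, as any member of the group:
#   check_group_writable /home/magento_user/html apache && echo OK
```

Run check_group_writable after a deployment or a bulk FTP upload: a client that ignores the umask will leave 644 files behind, and the function names the first one so you can chmod it instead of hunting by hand.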

With that in place for every user who works on the project files, it should now be possible to edit, modify and delete files without y’all having to get into excessive chmoding of stuff or having to put up with people and their petty grumbles about file permissions. So there.