Making Magento Files Secure Yet Easy To Access With Normal FTP
One slight problem with Linux is accessing files from a Windows PC with FTP. It is easy to access a user account, but the /var/www/html directory may not be so easy. One trick made possible by recent versions of Linux is to mount a directory onto a second location as if it were a filesystem (a bind mount), e.g., as root:
mkdir /home/magento_user/html
mount --bind /var/www/html /home/magento_user/html
Now it is possible to log in as magento_user and access the files in /var/www/html from the local ‘link’ in the home directory.
To make this mount available on boot, edit /etc/fstab and add:
/var/www/html /home/magento_user/html auto bind
The mount can then be tested using:
(Now the /home/magento_user/html directory is ‘empty’.)
(Now it is ‘full’ again.)
This FTP access arrangement works best if the webserver account - ‘apache’ - and the other logins, e.g. ‘magento_user’, are all in the same group, e.g. ‘apache’. To keep things working swimmingly, new files will also need to be created by default to be group read/writeable.
To make a user, e.g. ‘magento_user’, be primarily in the ‘apache’ group, as root:
usermod -g apache magento_user
To make existing web root files read/writeable for this group:
chmod -R g+w /var/www/html
chgrp -R apache /var/www/html
To make newly created files group writeable, edit the system-wide /etc/profile file and change the umask value to 002 (it is probably 022 by default, without the group write bit set). The same will have to be done for files made with FTP. If using ProFTPD, edit /etc/proftpd.conf and change the umask line from 022 to 002.
Since you may also be connecting with sftp, edit /etc/ssh/sshd_config and change the line that starts up the sftp server, commenting out the old one, just in case:
Subsystem sftp /usr/lib/openssh/sftp-server.sh
Add in a new file /usr/lib/openssh/sftp-server.sh and make it executable:
#!/bin/bash
umask 0002
/usr/libexec/openssh/sftp-server
Now restart ssh with service sshd restart.
With that in place for every user that works on the project files it should now be possible to edit, modify and delete files without y’all having to get into excessive chmoding of stuff or having to put up with people and their petty grumbles about file permissions. So there.
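To check that the arrangement has taken hold, the following added example (not from the original article) lists files that are outside the shared group, lack the group write bit, or have ended up world-writable. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original article.
# audit_webroot ROOT GROUP prints one line per entry under ROOT that breaks
# the shared-group arrangement, prefixed with the reason.
audit_webroot() {
    root=$1
    group=$2
    # Not in the shared group: the other logins cannot rely on the group bits.
    find "$root" ! -type l ! -group "$group" -print | sed 's/^/WRONG_GROUP /'
    # Group write bit (020) missing: typical of files created under umask 022.
    find "$root" ! -type l ! -perm -020 -print | sed 's/^/NO_GROUP_WRITE /'
    # World-writable (002): umask 002 never produces this, so it points to a
    # stray chmod 666/777 that should be reverted.
    find "$root" ! -type l -perm -002 -print | sed 's/^/WORLD_WRITABLE /'
}

# Constructed sample tree: one file per umask, plus one chmod 666 file.
make_sample_tree() {
    dir=$(mktemp -d) || return 1
    chmod 775 "$dir"
    ( umask 022; : > "$dir/made_with_022.php" )
    ( umask 002; : > "$dir/made_with_002.php" )
    ( umask 002; : > "$dir/stray.php"; chmod 666 "$dir/stray.php" )
    printf '%s\n' "$dir"
}

# Run directly as: sh audit.sh /var/www/html apache
if [ "$#" -eq 2 ]; then
    audit_webroot "$1" "$2"
fi
```

An empty result means every file is in the group, group-writable, and not writable by other accounts on the server.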