Apple Support Communities > Servers and Enterprise Software > Mac OS X Server v10.4 and earlier > Discussions
4948 Views 3 Replies Latest reply: Feb 8, 2008 9:14 PM by MrHoffman
Feb 8, 2008 4:49 PM (in response to coreyammons)
Basically, you want the files in the web directory owned and protected such that the web server cannot write to the directories, nor create or modify the files. This can be via file ownership, and with an appropriate protection mask or ACL.
The client access into the directories is certainly important, and so is keeping the web server from writing where it should not. And the web server should not be able to write anywhere outside of a few specific subdirectories, if anywhere.
You might pick -rw-r--r-- with root:www ownership for the files and directories, for instance. This would be akin to chmod u=rw,go=r (or mayhap chmod u=rwx,go=r) and chown root:www, or some such. It's also easily feasible to add www to an ACL, and allow it only specific read access. (I'm using the shell here, and not WGM.)
I prefer to use sftp to upload the files into the web server directory, or (more commonly) to use a web content management system (CMS). If you're on an entirely protected and trusted and carefully secured LAN and completely behind a well-managed firewall with no possibility of any network sniffing nor of any remote in-bound access of any sort through the firewall (including ftp blocks), you might grudgingly consider ftp. Typical web design tools such as DreamWeaver are already set up to perform sftp (and ftp) file uploads.
I'd think that you could set up the web directories as a sharepoint and export them, but it would not be my first choice.
Mac OS X (10.4.10)
Thanks, that helps me understand it much better. The problem however is that my client is not going to want to use the terminal and would much prefer to use the WGM, so if Owner:AdminUser, Group:www, and Everyone:no access the server should be OK.
Then could the designer use an sftp program with a nice GUI such as Cyberduck to upload the new files? (I am unsure what app they use to edit the site.) If they use the sftp protocol, the folder would not need FTP services set on it as long as Remote Login is set up correctly?
MacBook Pro 2.4GHZ, Mac OS X (10.5), 4GB RAM
Feb 8, 2008 9:14 PM (in response to coreyammons)
The login that is used on the web server host for the file transfer is key here, and less so the login tool itself. (ftp has its own raft of issues, but they're separate.)
The web server should have no write access to the files, while the user uploading the files needs to use a login on the web server host that has write access to these directories, or otherwise has to have a way to perform the transfer securely. (Droplet, etc.)
Some folks will use sudo and root-level (um, Administrator access) to gain "big hammer" write access to copy the files into the web server directories, while others will set up ACLs that allow the upload login (write) access to the files and directories. Or some can use submission tools (droplets, or whatever) that override and transfer the files.
You could have an area that used cron or launchd, and the periodic job transferred the files over and set the protections. There are any number of ways to do this.
I'd probably work to avoid having a client rummaging around in WGM, and would look to automate some or all of the upload sequence. This because manual steps (eg: chmod, chown, etc) can get forgotten, and Internet-connected web servers can be an unforgiving place. You can get hacked, or you can end up with overly-restrictive protections that deny access.
Most web editors include the ability to upload files. iWeb doesn't appear to be able to do this, however. Just writing its output to a folder, which can then be transferred. DreamWeaver has network file upload (and download, and synchronization) capabilities.
This effort was reduced locally, through the installation of a web content management system (cms). Once you get the CMS loaded and running, the clients can concentrate on providing the content, and far less with having to deal with these file uploads and such. Some yes, but less.
Mac OS X (10.4.10)
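The periodic-job approach described in the last reply (copy the uploaded files over, then set the protections), as an added example that is not part of the original thread. The function names and all paths are hypothetical; the modes and the root:www ownership are the ones suggested in the first reply.

```shell
#!/bin/sh
# Added example: publish a staging directory into a web docroot with
# modes the web server cannot write through. All paths are hypothetical.

# publish_site SRC DEST [OWNER:GROUP]
# Copies SRC into DEST, then resets modes on everything under DEST.
# Ownership is changed only when OWNER:GROUP is given (needs root).
publish_site() {
    src=$1 dest=$2 owner=${3:-}
    [ -d "$src" ] || { echo "no staging dir: $src" >&2; return 1; }
    mkdir -p "$dest" || return 1
    cp -R "$src"/. "$dest"/ || return 1
    # Directories: owner rwx, group/other r-x (traverse, no create/delete).
    find "$dest" -type d -exec chmod u=rwx,go=rx {} + || return 1
    # Files: owner rw-, group/other r-- (the -rw-r--r-- from the thread).
    find "$dest" -type f -exec chmod u=rw,go=r {} + || return 1
    if [ -n "$owner" ]; then
        chown -R "$owner" "$dest" || return 1
    fi
}

# web_writable DEST
# Prints every path under DEST that group or other can write to.
# With root:www ownership, any output means the web server could modify it.
web_writable() {
    find "$1" \( -perm -020 -o -perm -002 \) ! -type l -print
}

# Example cron/launchd job body (run as root; paths are placeholders):
#   publish_site /Users/designer/staging /path/to/docroot root:www
#   [ -z "$(web_writable /path/to/docroot)" ] || echo "docroot writable" >&2
```

Running `web_writable` after every publish catches the forgotten-chmod case the reply warns about, since a stray group-write bit on a www-group file shows up as output.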