# Best practices to deal with multiple users on Apache and Pure-FTP



## wisdown (Sep 13, 2015)

Hey guys, whats the best way to setup apache24 for multiple users?

My goal:

Enable WebDav with 3 groups:

Private (Only domain owner access)
Group (Domain owner set a group for share documents between other people)
Public (Global access by WebDav - like public ftp)
Enable Pure-FTP (using virtual users)
Enable SSH access for site owners (using chroot for webmasters install private dependencies)

Since I have this automatic on my control panel on linux, now I am trying learn how do it manually on FreeBSD, so I am lost on begin with novice questions, how setup the correct permissions on directory structure?

Using `adduser -D` and set the home directory for /usr/local/www/clients/client1 what I should use for shell:

`/bin/sh`
or
`/usr/sbin/nologin`


The goal is let webmasters able to login and install desired stuff on his chroot enviroment by ssh, for example, instead I enable all perl and php modules, I will enable the basic with harded values  for get WordPress working, then if the client need some custom module for enable like mail/horde-webmail for example, he would log on using ssh and install it for his environment only.
Or this is not possible and I need install everything?

Client Structure:

`mkdir -p /usr/local/www/clients`

Domain sites structure:

`mkdir -p /usr/local/www/clients/client1/web1/log
mkdir -p /usr/local/www/clients/client1/web1/private
mkdir -p /usr/local/www/clients/client1/web1/ssl
mkdir -p /usr/local/www/clients/client1/web1/tmp
mkdir -p /usr/local/www/clients/client1/web1/web
mkdir -p /usr/local/www/clients/client1/web1/webdav/private
mkdir -p /usr/local/www/clients/client1/web1/webdav/group
mkdir -p /usr/local/www/clients/client1/web1/webdav/public
mkdir -p /usr/local/www/clients/client1/web2/log
mkdir -p /usr/local/www/clients/client1/web2/private
mkdir -p /usr/local/www/clients/client1/web2/ssl
mkdir -p /usr/local/www/clients/client1/web2/tmp
mkdir -p /usr/local/www/clients/client1/web2/web
mkdir -p /usr/local/www/clients/client1/web2/webdav/private
mkdir -p /usr/local/www/clients/client1/web2/webdav/group
mkdir -p /usr/local/www/clients/client1/web2/webdav/public`


Notes:
client1 = For the first client on database
web1 = First domain of the client
web2 = Second domain of the client
log = For setup local logs of the client
private = For store no shareable stuff like private keys, etc..
ssl = Public keys
tmp = For setup local tmp files
web = store website files
webdav = For WebDAV acess


Setting permissions:

`chown web1:client1 /usr/local/www/clients/client1/web1/log
chown web1:client1 /usr/local/www/clients/client1/web1/private
chown web1:client1 /usr/local/www/clients/client1/web1/ssl
chown web1:client1 /usr/local/www/clients/client1/web1/tmp
chown web1:client1 /usr/local/www/clients/client1/web1/web
chown web1:client1 /usr/local/www/clients/client1/web1/webdav/private
chown web1:client1 /usr/local/www/clients/client1/web1/webdav/group
chown web1:client1 /usr/local/www/clients/client1/web1/webdav/public
chown web2:client1 /usr/local/www/clients/client1/web2/log
chown web2:client1 /usr/local/www/clients/client1/web2/private
chown web2:client1 /usr/local/www/clients/client1/web2/ssl
chown web2:client1 /usr/local/www/clients/client1/web2/tmp
chown web2:client1 /usr/local/www/clients/client1/web2/web
chown web2:client1 /usr/local/www/clients/client1/web2/webdav/private
chown web2:client1 /usr/local/www/clients/client1/web2/webdav/group
chown web2:client1 /usr/local/www/clients/client1/web2/webdav/public
chmod 0660 /usr/local/www/clients/client1/web1/log
chmod 0600 /usr/local/www/clients/client1/web1/private
chmod 0664 /usr/local/www/clients/client1/web1/ssl
chmod 0770 /usr/local/www/clients/client1/web1/tmp
chmod 0750 /usr/local/www/clients/client1/web1/web
chmod 0700 /usr/local/www/clients/client1/web1/webdav/private
chmod 0660 /usr/local/www/clients/client1/web1/webdav/group
chmod 0664 /usr/local/www/clients/client1/web1/webdav/public
chmod 0660 /usr/local/www/clients/client1/web2/log
chmod 0600 /usr/local/www/clients/client1/web2/private
chmod 0664 /usr/local/www/clients/client1/web2/ssl
chmod 0770 /usr/local/www/clients/client1/web2/tmp
chmod 0750 /usr/local/www/clients/client1/web2/web
chmod 0700 /usr/local/www/clients/client1/web2/webdav/private
chmod 0660 /usr/local/www/clients/client1/web2/webdav/group
chmod 0664 /usr/local/www/clients/client1/web2/webdav/public`


On linux the apache files are on /var/www on FreeBSD if I understood right, are on /usr/local/www there any difference from security view?

Should I make an dedicated dataset for /usr/local/www?

My current control pannel use suExec, after read about it I have choose no use it, then from options I have read about I will need use suPHP, this is the mostly secure option avaliable?


Sorry for the noob questions, after get the directory structure adapted for FreeBSD, I will start test how to setup the things and later try convert the pannel for FreeBSD if possible.


----------

