Attempting to expand on @Zoredache's answer, as I give this a go myself:
Create a new group (www-pub) and add the users to that group
groupadd www-pub
usermod -a -G www-pub usera ## must use -a to append to existing groups
usermod -a -G www-pub userb
groups usera ## display groups for user
Change the ownership of everything under /var/www to root:www-pub
chown -R root:www-pub /var/www ## -R for recursive
Change the permissions of all the folders to 2775
chmod 2775 /var/www ## 2=set group id, 7=rwx for owner (root), 7=rwx for group (www-pub), 5=rx for world (including apache www-data user)
Set group ID (SETGID) bit (2) causes the group (www-pub) to be copied to all new files/folders created in that folder. Other options are SETUID (4) to copy the user id, and STICKY (1) which I think lets only the owner delete files.
There's a -R recursive option, but that won't discriminate between files and folders, so you have to use find, like so:
find /var/www -type d -exec chmod 2775 {} +
Change all the files to 0664
find /var/www -type f -exec chmod 0664 {} +
Change the umask for your users to 0002
The umask controls the default file creation permissions, 0002 means files will have 664 and directories 775. Setting this (by editing the umask line at the bottom of /etc/profile in my case) means files created by one user will be writable by other users in the www-group without needing to chmod them.
Test all this by creating a file and directory and verifying the owner, group and permissions with ls -l.
Note: You'll need to logout/in for changes to your groups to take effect!
Short answer: you can't. Ports below 1024 can be opened only by root. As per comment - well, you can, using CAP_NET_BIND_SERVICE, but that approach, applied to java bin will make any java program to be run with this setting, which is undesirable, if not a security risk.
The long answer: you can redirect connections on port 80 to some other port you can open as normal user.
Run as root:
# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
As loopback devices (like localhost) do not use the prerouting rules, if you need to use localhost, etc., add this rule as well (thanks @Francesco):
# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080
NOTE: The above solution is not well suited for multi-user systems, as any user can open port 8080 (or any other high port you decide to use), thus intercepting the traffic. (Credits to CesarB).
EDIT: as per comment question - to delete the above rule:
# iptables -t nat --line-numbers -n -L
This will output something like:
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 redir ports 8088
2 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
The rule you are interested in is nr. 2, so to delete it:
# iptables -t nat -D PREROUTING 2
Best Answer
Put a restricted and immutable directory between the outside world and the protected files, e.g.
or
/home/joe/restricted/public_html.Restricted means that only the user and perhaps the web server can read it (e.g. modes
0700/0750or some ACLs).Immutability can be done with
chattr +ior by changing the ownership to something likeroot:joe.An easy way to create that hierarchy on Ubuntu would be to edit
/etc/adduser.confand setGROUPHOMEStoyes.