Security – Apache service server demon priviiges (with respect to web directory structure, permissions and security)

I have installed Apache on Ubuntu 9.10.

I have installed a web framework (Symfony), which requires the server to be able to:

1. Create a directory structure under a folder named 'cache'.
   If the cache directory does not exist, the software (presumably under the apache user
   will attempt to create the cache folder and the required sub directory structure.

   External users should not be able to access this folder – it is only required by the
   framework library itself

2. Ability to create files in a sub directory named log

   External users should not be able to access this folder – it is only required by the
   framework library itself

My /etc/apache2/sites-enabled/000-default file content is:

<VirtualHost *:80>
  ServerName testproject.localhost
  DocumentRoot "/home/morpheous/work/websites/testproject/web"
  DirectoryIndex index.php
  <Directory "/home/morpheous/work/websites/testproject/web">
    AllowOverride All
    Allow from All
  </Directory>

  Alias /sf /lib/vendor/symfony/symfony-1.3.2/data/web/sf
  <Directory "/lib/vendor/symfony/symfony-1.3.2/data/web/sf">
    AllowOverride All
    Allow from All
  </Directory>
</VirtualHost>

At the moment, when I try access this page via a browser, I get a blank page.
When I check in the error log (/var/log/apache2/error.log) I see the following error:

[Fri Feb 19 14:05:01 2010] [error] [client 127.0.0.1] PHP Fatal error:  Uncaught exception 'sfCacheException' with message 'Failed to make cache directory "/home/morpheous/work/websites/testproject/cache/frontend/dev/config" while generating cache for configuration file "config/config_handlers.yml".' ....

I am relatively new to Ubuntu (Linux in general). I have looked at the folder properties (using the sys admin GUI tool), however when I try to change the group ownership of the folder to 'www-data' (the group that the apache2 daemon user belongs to), I find that that group is not available in the list of groups that can take owner ship of the 'cache' folder.

More generally, I may have folders under my testproject directory, which I want the apache2 daemon to have access to, but not be able to be accessed directly by external users – (for example files containing the database password, or specific downloads etc), how do I explicitly manage access on folders in this way?

To my mind, it is a (rather confusing) combination of linux users/groups as well as apache configuration. I would be very grateful if someone can shed some light on

• the general problem of granting r|rw|rwx permission to the apache daemon for a specific folder, whilst prohibiting external users from accessing that folder

• the specific problem of how to fix the current problem of allowing the apache daemon to create the cache folder (if required) and any sub directories/files required and similarly, create log files in the testproject/log folder.

[Edit]

Carl: I have entered my comments to you here, since there is better formatting …

I am now getting a 493 forbidden page when I attempt to access the page in a browser. I checked the apache log files and saw this error:

[Fri Feb 19 17:23:33 2010] [crit] [client 127.0.0.1]
(13)Permission denied: /home/morpheous/work/websites/testproject/.htaccess pcfg_openfile:
unable to check htaccess file, ensure it is readable

This is the attributes for the web folder
drwxr-xr-x 16 morpheous morpheous 4096 2010-02-19 00:51 web

I suspect that the apache daemon user does not have access to the web folder, and this is what is causing the problem. In that is the case then, it means that I would have to manually change group ownership (for read|write access) to www-data for all folders that I want the apache daemon to have access to (this makes sense intuitively, but I'd just like to have it confirmed)