Configuring the Apache Web Server

Secure Virtual Site Configuration

This section will help you add virtual web sites on Apache under Linux, in a secure manner.

Creating the Web Root

Create a new user

Create a new user for the web root; this example will use the user 'fred'. Lock his password using:

passwd -l fred

su to the new user fred, and in his home dir, create a directory for the web files to go in. For example: /home/fred/www.testsite.com

Permissions

Fred needs full access to his files, apache needs read access to the web root (and execute for directories, of course), and everybody else needs diddly squat. NOTE: Apache will also need execute access on Fred's home dir, because it stat()s each component of the path when resolving the document root.

If you su'ed to Fred before creating the webroot, it should already belong to him and have the correct default permissions for himself. Set up the other permissions using the chmod and chgrp commands:

chgrp apache /home/fred/
chmod 0710 /home/fred
chgrp apache /home/fred/www.testsite.com
chmod 0750 /home/fred/www.testsite.com

You should also set the web root directory to be setgid, so that every file created in there inherits the group apache. Apache can then read the files through the group permission bits, which removes the user's temptation to give the world read (and usually write) access to their valuable secret proprietary perl scripts.

chmod 2750 /home/fred/www.testsite.com

Creating the Web Logs Directory

Each web hosting user needs access to their own web access and error logs. This is a delicate process where permissions are concerned.

Creating the Directory

We now place logfiles in a separate location, and symlink them into the user's home dir. We'll need to make a directory to put the logs in. For this example, we'll use /var/log/httpd/wwwlogs/fred.

Permissions

Incorrect log dir permissions can open Apache up to a denial of service attack and, as the logs are created and written to by an Apache process running as root, to lots of other nasty attacks. The user should have only READ access to the directory:

chown root:fred /var/log/httpd/wwwlogs/fred
chmod 0750 /var/log/httpd/wwwlogs/fred
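The ownership and mode bits above are easy to get subtly wrong (a forgotten setgid bit, a world-readable log dir), so here is a small audit script that checks a hosting user's home, web root and log directory against exactly the layout this page prescribes. It is an added example, not part of the original howto; it assumes GNU stat (for -c) and takes the user, httpd group and paths as arguments, with the page's 'fred', 'apache' and directory names as the documented usage.

```shell
#!/bin/sh
# Permission audit for the hosting layout described above (added example, not
# part of the original howto). Assumes GNU stat. Names and paths come from the
# caller; the usage line at the bottom uses the values from this page.

# check_mode PATH EXPECTED_OCTAL: compare the full mode, including the setgid
# bit, against what the howto prescribes (710, 2750, 750).
check_mode() {
    actual=$(stat -c '%a' "$1") || return 1
    if [ "$actual" = "$2" ]; then
        echo "ok    $1 mode $actual"
    else
        echo "FAIL  $1 mode $actual (want $2)"
        return 1
    fi
}

# check_owner PATH USER GROUP: the group is what lets httpd in and the owner
# is who may write, so both must be exactly right.
check_owner() {
    actual=$(stat -c '%U:%G' "$1") || return 1
    if [ "$actual" = "$2:$3" ]; then
        echo "ok    $1 owner $actual"
    else
        echo "FAIL  $1 owner $actual (want $2:$3)"
        return 1
    fi
}

# audit_site USER HTTPD_GROUP HOME WEBROOT LOGDIR: run every check and return
# non-zero if any failed, so the function can gate a deployment script.
audit_site() {
    user=$1; grp=$2; home=$3; site=$4; logs=$5
    rc=0
    check_owner "$home" "$user" "$grp" || rc=1   # user owns it, httpd group may traverse
    check_mode  "$home" 710            || rc=1   # rwx for the user, x only for httpd
    check_owner "$site" "$user" "$grp" || rc=1
    check_mode  "$site" 2750           || rc=1   # setgid: new files get the httpd group
    check_owner "$logs" root "$user"   || rc=1   # root writes the logs, the user reads
    check_mode  "$logs" 750            || rc=1   # nothing for anybody else
    return $rc
}

# Usage (values from this page):
# audit_site fred apache /home/fred /home/fred/www.testsite.com /var/log/httpd/wwwlogs/fred
```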

httpd.conf

Globally, things such as handlers, php, Aliases and UserDir should not be enabled. You should do this at the virtual host level. If Fred doesn't use php scripts then he doesn't need the line

AddType application/x-httpd-php .php4 .php3 .phtml .php

covering him globally.

Configuring the VirtualHost

Set up the apache VirtualHost directive in the httpd.conf, for example:

# On Apache 2.2 and earlier, name-based hosts also need one global NameVirtualHost *:80
<VirtualHost *:80>
ServerAdmin fred@testsite.com
DocumentRoot /home/fred/www.testsite.com
ServerName www.testsite.com
ErrorLog /var/log/httpd/wwwlogs/fred/wwwerror.log
CustomLog /var/log/httpd/wwwlogs/fred/www.testsite.com.log combined
</VirtualHost>