====== MapScript Filesystem Hierarchy and Permissions ======
Deploying a [[http://www.maptools.org/php_mapscript/|MapScript]] application (e.g. [[http://www.pmapper.net/index.shtml|pMapper]]) with correct ownerships and permissions is not as straightforward as one might expect.
Here are some of the concerns we faced:
* MapScript needs to write temporary map images as the Apache user
* The web application (pMapper) may need to write temporary files too
* .map files can contain credentials to access PostGIS databases, so they should not be world-readable
* The webmaster should not have root privileges
Our solution requires:
- Create a **mapfiles group**; the Apache user and people writing .map files should belong to this group. Every .map file is readable by this group, but not world readable.
- Create a **webmasters group**; all the people writing web and php pages should belong to this group only.
- Files created by the Apache user are stored in **directory www-data**, which is a subfolder of the DocumentRoot. Webmasters do not require write access to this directory, so it is kept outside the web application directory.
- A **symbolic link** is required to move the //legend// directory (Apache writable) outside the webmaster writable tree.
- The **.map files** are kept outside the DocumentRoot for increased privacy, and they are not world-readable.
Assuming that Apache runs as the ''www-data'' user, that our webmaster's name is Walter, and that Walter should manage both web pages and map files, we execute:
<code bash>
addgroup webmasters
adduser walter webmasters
addgroup mapfiles
adduser walter mapfiles
adduser www-data mapfiles
</code>
The following is the schema of the filesystem hierarchy with ownership and permissions. Where not declared, ownership and permissions are inherited from the parent folder.
<code>
DocumentRoot
|
|---- pmapper/
|        Owner: user.webmasters
|        Directory: drwxrwsr-x (2775)
|        File: -rw-rw-r-- (0664)
|        |
|        \---- images/legend -> ../../www-data/legend
|
\---- www-data/
         Owner: root.www-data
         Directory: drwxrwsr-x (2775)
         File: -rw-rw-r-- (0664)
         |
         |---- tmp
         |        Temporary map images created by
         |        MapScript and removed by a cronjob
         |
         \---- legend
                  Temporary files from pMapper
</code>

<code>
/var/lib/mapscript/
   Owner: root.mapfiles
   Directory: drwxrws--- (2770)
   |
   \---- www.dominio.it/
            Owner: root.mapfiles
            Directory: drwxrws--- (2770)
            Contains .map files
            |
            \---- file.map
                     Owner: utente.mapfiles
                     File: -rw-r----- (0640)
</code>
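As an added example (not from the original page or the pMapper project), the following POSIX shell script builds the tree above under arbitrary roots and then checks it against the schema. The DocumentRoot, the mapfile root and the site directory name are assumed parameters; group ownership is applied only where the group exists on the host, so the script can be tried unprivileged in a scratch directory before being run as root after the addgroup steps.

```shell
#!/bin/sh
# Added example (not from the page): build the layout above under
# arbitrary roots and check it. Assumed: DOCROOT, MAPROOT and the site
# directory name are parameters. chgrp runs only when the group exists, so
# the script also works unprivileged in a scratch directory.
set -eu

_has_mode() { find "$1" -maxdepth 0 -perm "$2" | grep -q . ; }

setup_mapscript_tree() {
    docroot=$1; maproot=$2; site=$3
    webgrp=${4:-webmasters}; mapgrp=${5:-mapfiles}; apachegrp=${6:-www-data}

    # Webmaster tree: setgid (2775) so new files keep the webmasters group
    mkdir -p "$docroot/pmapper/images"
    chmod 2775 "$docroot/pmapper" "$docroot/pmapper/images"

    # Apache-writable tree, a sibling of pmapper/, never inside it
    mkdir -p "$docroot/www-data/tmp" "$docroot/www-data/legend"
    chmod 2775 "$docroot/www-data" "$docroot/www-data/tmp" "$docroot/www-data/legend"

    # The application reaches legend/ only through this relative symlink
    ln -sfn ../../www-data/legend "$docroot/pmapper/images/legend"

    # .map files live outside DocumentRoot; 2770 grants others nothing at all
    mkdir -p "$maproot/$site"
    chmod 2770 "$maproot" "$maproot/$site"
    find "$maproot" -type f -name '*.map' -exec chmod 0640 {} +   # owner rw, group r

    for pair in "$docroot/pmapper:$webgrp" "$docroot/www-data:$apachegrp" "$maproot:$mapgrp"; do
        dir=${pair%%:*}; grp=${pair#*:}
        if getent group "$grp" >/dev/null 2>&1; then
            chgrp -R "$grp" "$dir" || echo "chgrp $grp $dir failed (run as root?)" >&2
        fi
    done
}

# Returns 0 when the tree matches the schema, 1 at the first deviation
check_mapscript_tree() {
    docroot=$1; maproot=$2; site=$3
    _has_mode "$docroot/pmapper" 2775 || return 1
    _has_mode "$docroot/www-data" 2775 || return 1
    _has_mode "$docroot/www-data/tmp" 2775 || return 1
    _has_mode "$docroot/www-data/legend" 2775 || return 1
    _has_mode "$maproot/$site" 2770 || return 1
    [ -L "$docroot/pmapper/images/legend" ] || return 1   # link present...
    [ -d "$docroot/pmapper/images/legend/" ] || return 1  # ...and resolves
    # no .map file may be readable by others
    [ -z "$(find "$maproot" -type f -name '*.map' -perm -o+r)" ] || return 1
    return 0
}
```

Run the check again after deployment or after any webmaster upload; a single world-readable .map file is enough to make it fail.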