MapScript Filesystem Hierarchy and Permissions

Deploying an MapScript application (e.g. pMapper) paying attention to correct ownerships and permissions is not so straightforward as we can expect.

Here are some of the concerns we faced:

MapScript needs to write temporary map images as the Apache user
The web application (pMapper) may need to write temporary files too
.map files can contains credentials to access PostGIS databases, so they should not be world-readable
Webmaster should not have root privileges

Our solution requires:

Create a mapfiles group; the Apache user and people writing .map files should belong to this group. Every .map file is readable by this group, but not world readable.
Create a webmasters group; all the people writing web and php pages should belong to this group only.
Files created by the Apache user are stored in directory www-data, which is a subfolder of the DocumentRoot. Webmasters do not require write access to this directory, so it is keept outside the web application directory.
A symbolic link is required to move the legend directory (Apache writable) outside the webmaster writable tree.
The .map files are keept outside the DocumentRoot for increased privacy, they are not world readable.

Supposed that Apache runs as the www-data user, our webmaster's name is Walter and that Walter should manage both web pages and map files, we execute:

addgroup webmasters
adduser walter webmasters

addgroup mapfiles
adduser walter mapfiles
adduser www-data mapfiles

The following is the schema of the filesystem hierachy with ownership and permissions. Where not declared, ownership and permissions are inherited from the parent folder.

DocumentRoot
   |
   |---- pmapper/
   |      Owner:     user.webmasters
   |      Directory: drwxrwsr-x (2775)
   |      File:      -rw-rw-r-- (0664)
   |        |
   |        \ images/legend -> ../../www-data/legend
   |
   \---- www-data/
          Owner:     root.www-data
          Directory: drwxrwsr-x (2775)
          File:      -rw-rw-r-- (0664)
            |
            |---- tmp
            |      Temporary map images created by
            |      MapScript and removed by a cronjob
            |
            \---- legend
                   Temporary files from pMapper


/var/lib/mapscript/
 Owner:     root.mapfiles
 Directory: drwxrws--- (2770)
   |
   \---- www.dominio.it/
          Owner:     root.mapfiles
          Directory: drwxrws--- (2770)
          Contains .map files
            |
            \---- file.map
                   Owner: utente.mapfiles
                   File:  -rw-r----- (0640)