Originally Posted by till
Your setup is nice for websites that are not maintained by the customer, but it's not an option for the majority of web hosters. So it's unlikely that we will implement such a permission scheme as default, as most customers that bought a webspace will report their web as broken if they run a PHP script and this script can't write to the web folder, and also your setup disables the update functions in most CMS systems. And running a Joomla/WordPress/TYPO3/Drupal without updates is not a good idea.
You do have a good point, that the current setup is easier for customers.
I also do not have a problem telling them to chmod the folders that need to be written by apache.
Are there any changes you would accept that would allow ISPConfig admins to choose a more restricted setup vs the current setup?
Another method would be to create a 2nd user account for each site that is in the same group, then use that user account in the vhost.conf.master.
# add support for apache mpm_itk
AssignUserId <tmpl_var name='system_user'>_web <tmpl_var name='system_group'>
If the 2nd user with "_web" appended was always created, it would cause no harm to those who choose not to use it. For those of us who choose to use it, we would only need to edit vhost.conf.master.
No need to chmod g+s with this approach, but how to handle quotas for this additional user is a bit of an issue.
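An added example, not part of the original post or of ISPConfig: a small audit that lists which paths under a docroot a separate "_web" user in the site's group could write, compared with Apache running as the site owner. It assumes classic Unix mode bits only (no ACLs, no root, no supplementary groups); the function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

def web_can_write(st, web_uid, web_gid):
    """Classic Unix check: owner bits if uid matches, else group bits
    if gid matches, else other bits. ACLs and root are ignored (assumption)."""
    if st.st_uid == web_uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid == web_gid:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def writable_paths(docroot, web_uid, web_gid):
    """Return sorted paths (relative to docroot) the web user can write."""
    found = []
    for base, dirs, files in os.walk(docroot):
        for name in dirs + files:
            path = os.path.join(base, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes are not meaningful
            if web_can_write(st, web_uid, web_gid):
                found.append(os.path.relpath(path, docroot))
    return sorted(found)

def demo():
    """Constructed sample tree: only uploads/ has been given group write."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "uploads"))
        os.mkdir(os.path.join(root, "includes"))
        cfg = os.path.join(root, "includes", "config.php")
        open(cfg, "w").close()
        os.chmod(os.path.join(root, "uploads"), 0o770)   # customer opted in
        os.chmod(os.path.join(root, "includes"), 0o750)
        os.chmod(cfg, 0o640)
        st = os.lstat(root)
        site_uid, site_gid = st.st_uid, st.st_gid
        # Apache running as the site owner (the default setup discussed above)
        same_user = writable_paths(root, site_uid, site_gid)
        # Apache running as a different uid in the same group (the "_web" idea);
        # site_uid + 1 is a stand-in for that second account
        split_user = writable_paths(root, site_uid + 1, site_gid)
        return same_user, split_user

if __name__ == "__main__":
    print(demo())
```

Run against a real docroot with the uid of the "_web" account and the gid of the site group to confirm that only the folders deliberately chmod'ed are writable by Apache.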