What are the right permissions to set for the /var/www/mywebsite folder, the apache user and a group of developers - linux

I have a question about the right approach for /var/www/somesite folder permissions.
The story is like this.
I have 5 developers; I put them all in the devteam group.
I have the website folder /var/www/mywebsite and I know that the /var/www/mywebsite/info folder requires apache to write into it. I'm using ACLs because I believe that's the best approach to control what I'm looking for.
So... I configured the whole thing like this:
The structure:
joel@server:~$ ls -la /var | grep www
drwxrwxr--+ 3 www-data www-data 4096 Jul 11 01:12 www
joel@server:~$
joel@server:~$ ls -la /var/www
drwxrwxr--+ 3 www-data www-data 4096 Jul 11 01:12 .
drwxr-xr-x 15 root root 4096 Jul 11 14:37 ..
dr-xrwsr--+ 16 www-data www-data 4096 Jul 12 06:49 mywebsite
joel@server:~$
You can see that setgid is set on mywebsite so that it'll make all executables run with the privileges of the group.
For /var/www:
joel@server:~$ sudo getfacl -p /var/www
# file: /var/www
# owner: www-data
# group: www-data
user::rwx
user:www-data:r-x
group::r-x
group:www-data:rwx
group:devteam:rwx
mask::rwx
other::r--
For /var/www/mywebsite:
joel@server:~$ sudo getfacl -p /var/www/mywebsite
# file: /var/www/mywebsite
# owner: www-data
# group: www-data
# flags: -s-
user::r-x
user:www-data:r-x
group::r-x
group:www-data:rwx
group:devteam:rwx
mask::rwx
other::r--
For /var/www/mywebsite/info:
joel@server:~$ sudo getfacl -p /var/www/mywebsite/info
# file: /var/www/mywebsite/info
# owner: joel
# group: www-data
# flags: -s-
user::rwx
user:www-data:rwx
group::r-x
group:www-data:rwx
mask::rwx
other::r--
Now... everything seems to work, except that when one of the developers tries to use git in that folder, they get this error:
fatal: not a git repository (or any of the parent directories): .git
Since I did run git init --shared=group and I know for sure that the directory structure does have .git in it (see structure below), I was sure it was permissions.
Once I added the users to the www-data group, they were able to run all the git commands they wanted (it makes sense, since the files in the directory are owner: joel, group: www-data).
The structure looks like this:
joel@server:~$ ls -la /var/www/mywebsite/
total 107928
dr-xrwsr--+ 16 www-data www-data 4096 Jul 12 06:49 .
drwxrwxr--+ 3 www-data www-data 4096 Jul 11 01:12 ..
-rwxrwxr--+ 1 joel www-data 213 Jul 11 01:25 .editorconfig
-rw-rw-r--+ 1 joel www-data 2013 Jul 11 20:48 .env
drwxrwxr-x+ 8 joel www-data 4096 Jul 12 10:55 .git
-rwxrwxr--+ 1 joel www-data 111 Jul 11 01:25 .gitattributes
-rwxrwxr--+ 1 joel www-data 309 Jul 11 01:25 .gitignore
-rwxrwxr--+ 1 joel www-data 412 Jul 11 21:00 .htaccess
-rwxrwxr--+ 1 joel www-data 174 Jul 11 01:25 .styleci.yml
drwxrwsr--+ 12 joel www-data 4096 Jul 11 01:25 helper
-rwxrwxr--+ 1 joel www-data 1686 Jul 11 01:25 mainly
-rw-rw-r--+ 1 joel www-data 1304 Jul 11 01:25 pipelines.yml
drwxrwsr--+ 3 joel www-data 4096 Jul 11 01:25 info
-rwxrwxr--+ 1 joel www-data 707 Jul 11 01:25 story.php
-rwxrwxr--+ 1 joel www-data 2069 Jul 11 09:50 offset.json
The reason I'm the owner of everything is that I was the one who pulled it from the repository to begin with, but that'll probably change, since these developers will pull the stuff they need while logged in with their own credentials.
On to my questions:
Is this the right approach to the order and structure of the website?
I don't want my developers to be part of the www-data group because, well, because that group is not for them! It's for apache to run the server. What can I do? How can I set it up correctly so that they'll be able to work with git without being part of the www-data group? (I thought about changing the ownership of the whole website to the devteam group, but what will happen to the apache2 service then?)
How come my /var/www/mywebsite/info doesn't have devteam permissions in its ACL? (Do I really need to set it up for all subfolders if it's already set up for the parent?)
Why do I have mask::rwx as part of my ACL configuration? I don't remember setting it up.
Am I doing the right thing by setting setgid in such a way that all my folders will have the group privileges for executables?
I really appreciate your help on this subject.
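An added example, not from the question or any answer, that works through the mask question above using the question's own getfacl output. Two facts it relies on: the mask:: entry is created automatically as soon as a named user or group entry is added and caps the effective rights of every named entry and of group::, and on a file that carries an ACL the group bits of chmod set the mask rather than the owning group's entry. (On a directory, the setgid bit shown as flags: -s- does something different from what the question describes: it makes new files and subdirectories inherit the directory's group, which is what keeps the tree in www-data.) The script is plain POSIX sh and touches no real files:

```shell
#!/bin/sh
# Added example (not from the question's author): work out the *effective*
# rights of each POSIX ACL entry. The mask:: entry is created automatically the
# moment a named user or group entry is added; it caps every entry except
# user:: (the owner), mask:: itself and other::, and it is what chmod's group
# bits and the group column of ls actually show on a file that has an ACL.
# SAMPLE_ACL is copied from the question's getfacl output for /var/www/mywebsite.

SAMPLE_ACL='# file: /var/www/mywebsite
# owner: www-data
# group: www-data
# flags: -s-
user::r-x
user:www-data:r-x
group::r-x
group:www-data:rwx
group:devteam:rwx
mask::rwx
other::r--'

# acl_effective PERMS MASK -> PERMS with every bit absent from MASK cleared
#   acl_effective rwx r-x  prints  r-x
acl_effective() {
    out=""
    for bit in r w x; do
        case "$1" in *"$bit"*) have=1 ;; *) have=0 ;; esac
        case "$2" in *"$bit"*) allowed=1 ;; *) allowed=0 ;; esac
        if [ "$have" = 1 ] && [ "$allowed" = 1 ]; then out="$out$bit"; else out="$out-"; fi
    done
    printf '%s\n' "$out"
}

# acl_report: read getfacl text on stdin and print "entry -> effective rights"
acl_report() {
    acl=$(cat)
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\([rwx-]*\).*/\1/p' | head -n 1)
    printf '%s\n' "$acl" | while IFS=: read -r tag name perms; do
        perms=${perms%% *}                      # drop a trailing "#effective:" note
        case "$tag:$name" in
            '#'*|:*) continue ;;                # header comment or blank line
            user:|mask:|other:)                 # owner, mask and other are never masked
                printf '%s::%s -> %s\n' "$tag" "$perms" "$perms"; continue ;;
        esac
        if [ -n "$mask" ]; then eff=$(acl_effective "$perms" "$mask"); else eff=$perms; fi
        printf '%s:%s:%s -> %s\n' "$tag" "$name" "$perms" "$eff"
    done
}

# acl_with_mask NEWMASK: rewrite the mask entry in getfacl text read from stdin.
# This is exactly what "chmod g-w" does to a file that carries an ACL: it rewrites
# mask::, not group::, so every named entry is silently narrowed.
acl_with_mask() {
    sed "s/^mask::.*/mask::$1/"
}

# Stand-alone run: the question's ACL as-is, then after a "chmod g-w".
printf '%s\n' "$SAMPLE_ACL" | acl_report
echo "--- after chmod g-w (mask becomes r-x) ---"
printf '%s\n' "$SAMPLE_ACL" | acl_with_mask r-x | acl_report
```

getfacl prints the same narrowing itself as a trailing #effective: column whenever the mask is tighter than an entry, which is the first thing to look for when a group "has rwx" but cannot write. Default entries are what make new subdirectories inherit the devteam entry: `setfacl -m d:g:devteam:rwx /var/www/mywebsite` adds one, but defaults apply only to entries created afterwards, so an existing subdirectory such as info needs `setfacl -R -m g:devteam:rwx /var/www/mywebsite` followed by `find /var/www/mywebsite -type d -exec setfacl -m d:g:devteam:rwx {} +` to catch up.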

The right approach (TM) is to not give anybody access to your server, but have them go through version control and a controlled deployment process - this way you'll have a chance to restore the server after some failure situation, an audit trail of what software was installed when etc.
As a minimum, either you or a script might pull a tagged version from a central git repo every now and then. This way it's only you or the script to ever write to Apache's directory. All developers collaborate through git, in a central repository. They send pull requests, and you'll have a trail of who did what when and why.
On the central repository, somebody merges pull requests, tags - and you're set.
Of course - you can go more fancy, but the situation that you describe sounds like a bad workaround for a problem that nobody should have (live write access to a server, for a dev team of >1 size)
Edit: this even holds on a development machine. I hate to make a change and debug why it doesn't work, only to find out that it's due to somebody else's change, after an hour of useless debugging.
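The script that "pulls a tagged version" can be small. The following is an added example written for this page, not the answer author's or any project's code. It assumes the layout from the question (a single web-writable info directory, Apache running in group www-data) and a DEPLOY_ROOT whose current symlink is what the Apache DocumentRoot points at; that symlink layout is an assumption, not something the question states.

```shell
#!/bin/sh
# Added example (not the answer author's code): the "script pulls a tagged
# version" deployment the answer recommends. Only this script ever writes under
# the document root; developers never need a login or the www-data group.
# Assumptions (not from the page): the web server runs as group www-data, the only
# directory it must write to is "info" (as in the question), and the script runs
# as root or as a deploy user that may chgrp files to the web group.
set -eu

# deploy_tag REPO TAG DEPLOY_ROOT [WEB_GROUP]
#   REPO         git URL or path of the central repository
#   TAG          the reviewed release tag to deploy
#   DEPLOY_ROOT  holds releases/<tag> and the "current" symlink Apache serves
#   WEB_GROUP    group the web server runs as (default www-data)
# Prints the release directory on success.
deploy_tag() {
    repo=$1 tag=$2 root=$3 web_group=${4:-www-data}
    release="$root/releases/$tag"
    mkdir -p "$root/releases"

    # A tag deployed once is never overwritten: the audit trail stays meaningful.
    if [ -e "$release" ]; then
        echo "release $tag already deployed at $release" >&2
        return 1
    fi
    git clone -q --depth 1 --branch "$tag" "$repo" "$release"

    # Never serve .git: a readable .git under the document root hands the whole
    # source history (and files like .env) to anyone who can fetch it over HTTP.
    rm -rf "$release/.git"

    # Least privilege for the web server: read everywhere, write only in info/.
    chgrp -R "$web_group" "$release"
    find "$release" -type d -exec chmod 750 {} +
    find "$release" -type f -exec chmod 640 {} +
    if [ -d "$release/info" ]; then
        chmod 2770 "$release/info"   # setgid keeps files apache creates in the web group
    fi

    # Atomic switch: create the link beside the target, then rename over "current".
    ln -sfn "$release" "$root/current.tmp"
    mv -T "$root/current.tmp" "$root/current"
    printf '%s\n' "$release"
}

# Stand-alone usage:  sh deploy.sh REPO TAG DEPLOY_ROOT [WEB_GROUP]
if [ "$#" -ge 3 ]; then
    deploy_tag "$@"
fi
```

Point DocumentRoot at DEPLOY_ROOT/current (Apache needs FollowSymLinks or SymLinksIfOwnerMatch on that path), and give the deploy user, not the developers, the only account that writes there. Rolling back is the same `ln -sfn` plus `mv -T` pointed at the previous release directory, which is why old releases are kept rather than overwritten.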

Related

Cron files /etc/at.allow and /etc/cron.allow, root permission abnormal behaviour?

On my OpenVPN server, I am making sure the cron files are only accessible to the root user.
I have removed the at.deny and cron.deny files, created at.allow and cron.allow and applied 0600 permissions to them. Both files are empty and their permissions are as below, which clearly say that root has read and write access:
-rw------- 1 root root 0 Jul 21 08:40 cron.allow
-rw------- 1 root root 0 Jul 21 08:40 at.allow
However, this change still allows my openvpnas user to list the crontab and even to edit cron.
openvpnas@openvpnas2:~$ crontab -l
no crontab for openvpnas
Whereas when the file permissions are as below,
-rw-r--r-- 1 root root 0 Jul 21 08:41 cron.allow
-rw-r--r-- 1 root root 0 Jul 21 08:41 at.allow
it restricts my non-root users from accessing or editing cron files! This issue is only on one of my servers, whereas on the other servers the permissions and behaviour are as expected.
openvpnas@openvpnas2:~$ crontab -l
You (openvpnas) are not allowed to use this program (crontab)
See crontab(1) for more information
Please provide your input on this; it has kept me blocked from continuing my work.
The issue I faced was on an Ubuntu 18.04 instance.
The current /usr/bin/crontab permissions were as below:
-rwxr-sr-x 1 root crontab 39352 Nov 16 2017 /usr/bin/crontab
I had to change the group from crontab to root and the file permissions as below:
sudo chmod 4755 /usr/bin/crontab
sudo chown root:root /usr/bin/crontab
-rwsr-xr-x 1 root root 39352 Nov 16 2017 /usr/bin/crontab
This permission restricts non-root users from scheduling cron jobs. Access can be granted to non-root users by adding their user names to the cron.allow file.
openvpnas@openvpnas2:~$ crontab -l
You (openvpnas) are not allowed to use this program (crontab)
See crontab(1) for more information
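An added example, not from the post, that reproduces the behaviour the post observed with a small model of the two checks involved: the kernel's discretionary access check that decides whether the crontab process can open cron.allow at all, and the allow/deny rule from crontab(1). The file modes and identities are constructed from the post's ls output; the rule that an unreadable allow file is treated as absent is exactly what the post saw, not something verified against the cron source:

```shell
#!/bin/sh
# Added example (not part of the question): model the check the question ran
# into. crontab(1) must itself open /etc/cron.allow; on Ubuntu the binary is
# setgid "crontab", not setuid root, so it reads the file as the calling user
# with effective group crontab, and a 0600 root:root file is unreadable to it.
# Modes and names are constructed from the question's ls output. The rule
# "unreadable allow file is treated as absent" is the behaviour the question
# observed; the allow-then-deny order follows crontab(1) on Debian and Ubuntu.

# dac_can_read MODE OWNER GROUP EUID EGID SUPP_GROUPS
#   MODE is an ls-style string such as -rw-r-----; SUPP_GROUPS is space-separated.
#   Standard DAC rule: owner bits if EUID owns the file, else group bits if any of
#   the process's groups match, else the "other" bits. (The kernel lets root bypass
#   this; that shortcut is deliberately not modelled.)
dac_can_read() {
    mode=$1 owner=$2 group=$3 euid=$4 egid=$5 supp=$6
    if [ "$euid" = "$owner" ]; then
        bits=$(printf '%s' "$mode" | cut -c2-4)
    else
        bits=$(printf '%s' "$mode" | cut -c8-10)
        for g in $egid $supp; do
            [ "$g" = "$group" ] && bits=$(printf '%s' "$mode" | cut -c5-7)
        done
    fi
    case "$bits" in r*) return 0 ;; *) return 1 ;; esac
}

# readable_by SPEC EUID EGID SUPP: SPEC is "MODE OWNER GROUP", or "" for a missing file
readable_by() {
    [ -n "$1" ] || return 1
    set -- $1 "$2" "$3" "$4"
    dac_can_read "$1" "$2" "$3" "$4" "$5" "$6"
}

list_has() {   # list_has "a b c" b
    for item in $1; do [ "$item" = "$2" ] && return 0; done
    return 1
}

# crontab_may_run USER BIN_SPEC ALLOW_SPEC ALLOW_USERS DENY_SPEC DENY_USERS
#   BIN_SPEC                  "MODE OWNER GROUP" of /usr/bin/crontab
#   ALLOW_SPEC / DENY_SPEC    "MODE OWNER GROUP" of cron.allow / cron.deny, "" if absent
#   ALLOW_USERS / DENY_USERS  space-separated contents of those files
crontab_may_run() {
    user=$1 bin=$2 allow=$3 allow_users=$4 deny=$5 deny_users=$6
    set -- $bin
    # Identity crontab runs with: a setuid bit swaps the effective user for the
    # binary's owner, a setgid bit swaps the effective group for its group.
    euid=$user; egid=$user   # users in the question have a private primary group
    case "$(printf '%s' "$1" | cut -c4)" in s) euid=$2 ;; esac
    case "$(printf '%s' "$1" | cut -c7)" in s) egid=$3 ;; esac

    if readable_by "$allow" "$euid" "$egid" "$user"; then
        if list_has "$allow_users" "$user"; then echo allowed; else echo "denied (not in cron.allow)"; fi
    elif readable_by "$deny" "$euid" "$egid" "$user"; then
        if list_has "$deny_users" "$user"; then echo "denied (listed in cron.deny)"; else echo allowed; fi
    else
        echo "allowed (no readable allow/deny file)"
    fi
}

# Stand-alone run: the three cron.allow modes against the two crontab binaries.
SGID_BIN='-rwxr-sr-x root crontab'   # Ubuntu 18.04 default, from the question
SUID_BIN='-rwsr-xr-x root root'      # what the question changed it to
for allow in '-rw------- root root' '-rw-r--r-- root root' '-rw-r----- root crontab'; do
    printf '%-26s setgid crontab: %s\n' "$allow" "$(crontab_may_run openvpnas "$SGID_BIN" "$allow" '' '' '')"
done
printf '%-26s setuid root:    %s\n' '-rw------- root root' "$(crontab_may_run openvpnas "$SUID_BIN" '-rw------- root root' '' '' '')"
```

What the model shows is that the post's fix, making crontab setuid root, is a bigger change than the problem needs: the binary already runs with group crontab, so a cron.allow of mode 0640 owned by root:crontab is readable to it while still unreadable to ordinary users (the last setgid case in the stand-alone run). That follow-up is an inference from the model, not something the post tested.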

Permission denied when using ls

I am currently trying to get WordPress running on Ubuntu Server 18.04 with Apache. I managed to get everything to work, but for some reason I am no longer able to use ls -l properly on the WordPress directories, in which I played around with permissions. The out-of-the-box permissions didn't allow me to update my themes from the WordPress web interface.
I can't find a solution to this problem, because the permissions clearly state that I have at least read permission.
Problem: ls -l shows question marks and says permission denied.
Info: permissions are rwx for owner www-data, rw for group www-data and r for other. The output of groups includes www-data, so the user should be in the www-data group.
Outputs:
$ ls -l /usr/share/wordpress/
ls: cannot access '/usr/share/wordpress/readme.html': Permission denied
...
ls: cannot access '/usr/share/wordpress/wp-comments-post.php': Permission denied
total 0
-????????? ? ? ? ? ? index.php
...
-????????? ? ? ? ? ? xmlrpc.php
$ groups
*censored user* adm cdrom sudo dip www-data plugdev lxd lpadmin
$ sudo ls -l /usr/share/wordpress/
total 172
-rwxrw-r-- 1 www-data www-data 418 Apr 6 2018 index.php
-rwxrw-r-- 1 www-data www-data 7440 Apr 8 2018 readme.html
-rwxrw-r-- 1 www-data www-data 5697 Apr 8 2018 wp-activate.php
drwxrw-r-- 9 www-data www-data 4096 Jul 20 00:53 wp-admin
...
-rwxrw-r-- 1 www-data www-data 3065 Apr 6 2018 xmlrpc.php
P.S.: Any extra tips for wordpress security are useful.
Thanks
Edit: forgot the permissions of the directory, still confusing.
$ sudo ls -l -a /usr/share/wordpress/
total 180
drwxrw-r-- 5 www-data www-data 4096 Jul 20 17:13 .
drwxr-xr-x 162 root root 4096 Jul 20 02:40 ..
...
Set the execute bit for the group you belong to.

FTP upload wrong permissions

Added "youri" to the www-data group
grep youri /etc/group
www-data:x:33:youri
youri:x:1004:
When I upload something with FTP, the file permissions are -rw-------
ls -all
total 176
drwxr-xr-x 2 youri youri 4096 feb 25 12:38 .
dr-xr-xr-x 3 youri youri 4096 feb 25 12:08 ..
-rw-r--r-- 1 youri youri 17 feb 25 12:27 index.php
-rw------- 1 youri youri 164655 feb 25 12:24 test.pdf (uploaded with FTP)
The file index.php was created with nano and I changed the permissions with sudo chown youri:youri index.php
When I access my website it shows me index.php, but /test.pdf gives me a "Permission denied" error.
Your webserver has no permission to read the file.
Normally, an ftp server has a configuration value called "umask" which is a value defining what permissions NOT to grant (the binary inverse of the value you would give to chmod)
For better security, most FTP servers like vsftpd ship with a default umask of 055 or 077.
As you can see, your index.php is not executable. Although it technically is just read, semantically the script is being executed by your webserver. And the webserver runs as the user www-data.
To have this work, change the following:
- Make youri's default group www-data: usermod -g www-data youri
- Change /etc/vsftpd.conf and set a umask of 022
- Restart vsftpd
- chmod 755 index.php (or delete it and upload it again)

No file permissions despite full permissions in sudoers

I have added the following to the file /etc/sudoers using the visudo command:
nick ALL=(ALL:ALL) ALL
But when I log in as nick and attempt something like mkdir .ssh I get:
mkdir: cannot create directory ‘.ssh’: Permission denied
Likewise, I cannot save files I have edited.
Running ls -la from the home directory gives me:
drwxr-xr-x 5 nick nick 4096 Apr 7 19:07 .
drwxr-xr-x 3 root root 4096 Apr 7 17:32 ..
-rw-r--r-- 1 nick nick 220 Aug 31 2015 .bash_logout
-rw-r--r-- 1 nick nick 3771 Aug 31 2015 .bashrc
drwx------ 2 nick nick 4096 Apr 7 18:29 .cache
drwxr-xr-x 2 root root 4096 Apr 7 19:07 .nano
-rw-r--r-- 1 nick nick 675 Aug 31 2015 .profile
Which if I'm not mistaken is showing that I have no write access to anything. (Correct me if I'm wrong. I'm only passingly familiar with UNIX permissions.)
Why can't this user do anything despite being given full permissions in sudoers?
UPDATE:
This problem fixed itself. I do not know what the problem was but it was no longer a problem when I logged on a couple days later.
For the record, I was attempting to configure a fresh DigitalOcean server running Ubuntu 15.10 x64. My local computer is a MacBook running El Capitan.
My guess is that the remote server restarted or somehow otherwise incorporated the change automatically in the interim. I had already tried running sudo reboot producing no results, so I'm still not sure how this could be.
I was also experiencing some local WiFi connection dropping at the time but as my SSH connection seemed to be operational I'm not sure if this could be related.
I'm also not an expert in Linux, but to me it seems like you have to use sudo mkdir .ssh instead of mkdir .ssh. You allowed your user to behave like root (who has rights to write to the directory), but to do that you have to use the sudo command.
Here is the simple explanation of how it works (with pictures): https://www.garron.me/en/linux/visudo-command-sudoers-file-sudo-default-editor.html
Here is the serious documentation: https://help.ubuntu.com/community/Sudoers

Can't CD to directory inside of root

I am currently creating an application that requires separate users running duplicate programs. They cannot run under root because of security reasons, so they are initiated by a Java app that I am working on, and I am starting them with runuser -l. However, I cannot cd into a directory, even though it is owned by the user, and the user has 770 permissions in the folder.
Here's what I'm running:
runuser -l lp1 -c 'java -Xms1024M -jar /root/Desktop/workspace/LitePanel/servers/server1/server.jar nogui'
And the output of this is:
runuser: warning: cannot change directory to /root/Desktop/workspace/LitePanel/bin/servers/server1/: Permission denied
Here's an ls -all:
drwxr-xr-x. 3 root root 4096 Jan 30 14:03 .
drwxr-xr-x. 7 root root 4096 Jan 30 14:02 ..
drwxrwx---. 2 lp1 lp1 4096 Jan 31 03:07 server1
Inside the directory:
drwxrwx---. 2 lp1 lp1 4096 Jan 31 03:07 .
drwxr-xr-x. 3 root root 4096 Jan 30 14:03 ..
-rwxrwx---. 1 lp1 lp1 9170551 Jan 31 03:07 server.jar
And here's /etc/passwd:
lp1:x:501:501::/root/Desktop/workspace/LitePanel/bin/servers/server1/:/bin/false
Anyone know why this is happening? It looks like the user has the necessary permissions to do this.
You have said that the directory itself has permissions 770 and is owned by the user, but what about its parents? I believe the cd command will need at least read access (and possibly execute) on the parent directories.
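For both this question and the earlier WordPress ls -l one, an added example, not from either post, that shows the directory search bit at work on a throwaway directory: with r but no x (what the group saw on the drwxrw-r-- WordPress directory, and what lp1 sees on the /root parents above) the names can be listed but nothing inside can be reached, and with x but no r the opposite holds. It flips the owner's bits because that is the only identity an unprivileged script can test as:

```shell
#!/bin/sh
# Added example (not from either post): the execute bit on a directory is the
# *search* permission. Without it you can still read the directory's name list,
# but nothing inside it can be looked up, so ls -l shows "?" fields, stat and cd
# fail with "Permission denied", and so does runuser's chdir into a home directory
# whose parent is not searchable. The probe builds a throwaway directory under
# mktemp and changes the owner's bits; root bypasses these checks entirely.

# probe_dir MODE -> "list=ok|denied stat=ok|denied cd=ok|denied"
probe_dir() {
    base=$(mktemp -d)
    mkdir "$base/site"
    printf 'x\n' > "$base/site/index.php"
    chmod 644 "$base/site/index.php"           # the file itself is readable
    chmod "$1" "$base/site"

    list=denied; stat_=denied; cd_=denied
    ls "$base/site" >/dev/null 2>&1 && list=ok                 # needs r on the directory
    stat "$base/site/index.php" >/dev/null 2>&1 && stat_=ok    # needs x on the directory
    ( cd "$base/site" ) 2>/dev/null && cd_=ok                  # needs x on the directory

    chmod 755 "$base/site"                     # restore so cleanup can remove it
    rm -rf "$base"
    printf 'list=%s stat=%s cd=%s\n' "$list" "$stat_" "$cd_"
}

# Stand-alone run (as an unprivileged user):
probe_dir 755   # drwxr-xr-x: everything works
probe_dir 644   # drw-r--r--, the group's view of drwxrw-r--: names list, ls -l/stat/cd fail
probe_dir 711   # drwx--x--x: cannot list, but known paths resolve (stat and cd work)
```

The fix in both threads follows directly: every directory on the path, parents included, needs x for the identity that must traverse it (chmod g+x on the WordPress tree; for lp1, a home directory outside /root rather than a 770 directory beneath a parent it cannot search).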
