Create Linux user to access folder with rwxrwS--- (2760) permissions - linux

I have a folder that has permissions set to 2760. The folder seems to be owned by www-data user and group.
drwxrwS--- 2 www-data www-data 196 Dec 5 19:52 folder
I added a new user to the www-data group, but it still can't access the folder without modifying permissions on the folder.
How can I modify the user to allow it to read that folder?
I tried re-logging in, but it still doesn't let the user view the folder.
I just need this user to be able to read / download the files from that folder.
UPDATE:
Added output of:
getfacl folder
Output:
# file: folder
# owner: www-data
# group: www-data
# flags: -s-
user::rwx
group::rw-
other::---

With the mode 2760, resp. drwxrwS---, the group has permission to read and write the directory, but cannot access anything inside the directory (because the executable bit is missing). You likely want to use 2770, resp. drwxrws--- instead.
The set-group-ID bit is not important when reading files: in this case (i.e., when set on a directory), it affects the default group of newly created files within the directory. Instead of using the primary group of the current user, new files will be created with the group set to the group of the parent directory (if allowed).
With that being said, if you only want the owner to add files and members of the group to read files from the directory, you can simply use mode 0750, resp. rwxr-x--- on your directory.
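Added example, not part of the original answer: a small POSIX shell decoder that reports what a group member can do with a directory of a given octal mode, run over the three modes discussed above (2760, 2770, 0750). The function names `group_dir_access` and `explain_dir` are illustrative, and `explain_dir` assumes GNU `stat`.

```shell
#!/bin/sh
# Added example: decode the group triad and setgid bit of a DIRECTORY mode.
# Directory semantics:
#   r = list entry names
#   x = traverse (reach entries by name; each file's own mode still applies)
#   w = create/delete/rename entries, effective only together with x

# yn N: print "yes" for non-zero, "no" for zero.
yn() { if [ "$1" -ne 0 ]; then echo yes; else echo no; fi; }

# group_dir_access MODE   (MODE is octal, e.g. 2760, 0750 or 755)
group_dir_access() {
    case $1 in
        ''|*[!0-7]*) echo "invalid mode: $1" >&2; return 2 ;;
    esac
    m=$((0$1))                      # leading 0 makes the shell parse octal
    g=$(( (m >> 3) & 7 ))           # group triad
    r=$(( g & 4 )); w=$(( g & 2 )); x=$(( g & 1 ))
    modify=0
    if [ "$w" -ne 0 ] && [ "$x" -ne 0 ]; then modify=1; fi
    echo "list=$(yn "$r") open=$(yn "$x") modify=$(yn "$modify") setgid=$(yn $(( m & 02000 )))"
}

# explain_dir PATH: same report for an existing directory (GNU stat assumed).
explain_dir() {
    group_dir_access "$(stat -c '%a' -- "$1")"
}

# The three modes from the answer above.
for mode in 2760 2770 0750; do
    printf '%s  %s\n' "$mode" "$(group_dir_access "$mode")"
done
```

For 2760 the group can list names but cannot open anything, and the write bit has no effect because the execute bit is missing.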

Related

Give a specific user permissions to a specific folder from root

I want to give specific users permissions to specific folders, with different levels of permissions (Read, Write, Execute) in Linux. And to do the same for some groups.
For example I want to give the user: sigmundlucas permissions (Read, Write) for promotional_material
Another example is that I want to give the group: testers permissions (execute) for development_project_data_directory
I need to do all of this from the root account as the folders in question don't allow permission to use chmod when signed into the user
I need to add that multiple groups/users need to access some of the files
This is normally accomplished with chown and groups!
Make some groups for your users to be members of
Then chown the directory to be :<group>
For example
groupadd mygroup # create a new group
usermod -aG mygroup myuser # add the group to the user's info
chown :mygroup target_directory # set the group to own the directory
chmod 770 target_directory # root and the group can enter/read/write
You can calculate the chmod with a website like https://chmod-calculator.com/ if you're not used to the numbers
Gotchas
directories need to be executable to be entered
users must be able to read all the intermediate paths to somewhere you want them to be able to write

Strange situation with linux permissions

I have some file and can't delete it.
File created by user www-data:
-rw-rw-r-- 1 www-data www-data 17408 Jun 3 16:18 0.48257900 1464959885_555.png
I am trying to delete it by user lifesim:
rm -rf *
rm: cannot remove '0.48257900 1464959885_555.png': Permission denied
Why can't I delete that file?
lifesim#srvJH:~/public_html/upload/blog/posts/2016-06-03$ whoami
lifesim
lifesim#srvJH:~/public_html/upload/blog/posts/2016-06-03$ id lifesim
uid=1001(lifesim) gid=33(www-data) groups=33(www-data)
lifesim#srvJH:~/public_html/upload/blog/posts/2016-06-03$ id www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data),1001(lifesim)
File created by my PHP script.
Lars Fischer is right: you need to have write permission to delete a file from a directory.
As clarified in the comments below the question: your lifesim user has no rights to change the directory containing the file.
Give lifesim or the group "w" permissions on the directory or use the www-data user for the deletion.
Deleting (or creating) a file means we modify the directory (imagine the directory is just a database document with the file metadata) and remove (or add) the metadata of the file. Thus we must be able to change the directory.

System user permissions for Apache2 files

How to make normal system user permissible for all files created by apache?
I set the www-data group as primary group for user, but this still doesn't work :/
Created directories (by www-data) have 755 chmods, files have 644.
I don't want to change directories/files permissions every time I want to do something by the user.

How to make /var/www contents editable by IDE

I followed this link to change group/user permission to add myself to the www-data group
but I am still unable to edit contents in /var/www, especially with uploaded content.
This is my development environment, I don't want to go to chmod /var/www/ each time there is an upload.
While keeping contents under /var/www, what are the steps to change /var/www directory permissions to be able to edit contents directly from an IDE?
My login account user and group name is debianaut:
groups www-data
www-data : www-data debianaut
groups debianaut
debianaut : debianaut www-data
I logged in/out after making these changes. It seems straightforward that if I am a user of a certain group I should get whatever permissions they hold.
Please help resolve this issue.
I suspect your issue is the fact that the user account has more than one group, and the default group is not the one with write permission to that folder.
While Linux allows your user access to multiple groups, it does not provide access to all of them at once. Here are some options to address this:
Change the group used while running in a shell
Change the user's default logon group
Use ACLs
New Group in a Shell
In order to operate as a different user after starting a shell, use newgrp.
Change default Group
In order to change the user's default group, edit /etc/passwd, or use a command to do the job (not sure which command, and it probably differs from distribution to distribution).
ACLs
You will likely prefer to use ACLs. See the man pages for setfacl and getfacl. ACLs (access control lists) are expanded permissions. Not all Linux systems support them, but I would be surprised if your Debian system doesn't. The following should add read-write-execute permission for user debianaut to all of /var/www:
setfacl -R -m u:debianaut:rwx /var/www
By the way - you can check the group id of a running process (such as your IDE), use ps -o gid -p <pid>.
Inheriting ACLs
Following the post here led to the answer for inheriting ACLs.
The answer is called default ACLs in the man page. The following will set the ACL for debianaut as the default for files created in /var/www:
setfacl -R -d -m u:debianaut:rwx /var/www
I think you should change your umask to 0002:
umask 0002
This could also be useful.
For me the problem has to do with joomla configuration. You need to change the default permissions for uploaded files. This link may help you: http://forum.joomla.org/viewtopic.php?t=286584
There are two relatively simple options, none of them should involve www-data -- you don't want the webserver to have unnecessary write access to your contents.
1) Just take ownership of /var/www for your userid that will edit the files.
2) Establish a new group, make it one of your secondary groups, and make /var/www group-writable + setgid (chmod g+s) that new group. New files in the setgid dir will have their group set to the shared group.

Permission of the webpage folder /var/www on a Linux server

I have moved my website from Godaddy to a VPS server. I'm new to Linux so I followed some tutorials online but still confused about some problems.
I use SSH to log on my server as user adam. In order to run the PHP properly, I have to set 755 permission to /var/www and change the owner of this folder to www-data. But that means I don't have permission to write files in this folder even if add user adam to the group www-data. And I cannot upload webpages onto this folder using FTP which is very annoying. (Currently I have to type su to switch to root and then modify these files with nano)
I know setting 777 is a solution but it may cause some safety concerns so I'm looking for a better solution.
drwxr-xr-x 8 www-data www-data 4096 Jul 24 21:36 www
Every number of a permission is composed as follows
4: read
2: write
1: execute
So if you add them you get the permission. For example, 7 means all the permissions and 6 means read and write.
The first number of 755 is for the owner, the second for the group's users and the third for other users.
Then 755 means rwxr-xr-x, that is, the owner can read, write and execute, but the group members can't write.
If you want to solve this you can change the privileges to 775, then it will be changed to rwxrwxr-x
Or you can add www-data as a secondary group to adam and set a setgroupid www-data for /var/www
