As a web developer I always have the problem when updating PHP (and other) files from an SSH client, because I am logged in as a user or simply root.
After that update I always have to run manually from a terminal 'chown -R apache:apache *' to make the files accessible.
I tried to make a user ID and add it to the group 'apache' and add the apache user to the group of my user id. That works only for existing files on the server file system, because newly created files have permissions rwxr--r-- which does not allow writing by my user even as it is in the 'apache' group.
I'd like to make a login (shell is not needed) for the Apache user, so I can use an SSH based file browser like Forklift to login as Apache or use sshfs to mount as Apache user.
Another way is make umask that my user id always sets attributes of newly created files from sshfs mount or a file browser (mounted with my user id, not root) that they have permission rwxrwxr-- (i.e. 0775) by default.
Is there a way I can upload files to the server (updating existing op create new ones) without having to worry about permissions by Apache ?
You have to set the setgid
For example, do the following steps:
adduser hugo
addgroup apache
usermod -a -G apache hugo
mkdir /tmp/example
chown hugo:apache /tmp/example
chmod g+s /tmp/example
su hugo
cd /tmp/example
touch my_file
ls -l
Related
I work under Centos 7.
For some time, I have a problem with the FTP /home/students directory whose access rights( permission) is set to 750. When I create a file as user students the file access permission is 644 (read/write for the owner and read-only for other users). But when the students user receives files by SFTP (with authentication by ssh key), the permission of these files is 600.
Can the right of access (permission) be imposed by the one who uploads the file by SFTP?
How to make the default permission for files received by SFTP automatically 644?
Thank you
I think u should do something like this > Modify /etc/ssh/sshd_config :
Subsystem sftp internal-sftp -m 0644
Then u should reload the SSHD Configuration :
sudo systemctl reload sshd
I am trying to display my logs on my website to verified users in Laravel based on my role based access control.
$file = fopen("/var/log/auth.log", "r") or die();
$content = fread($file, filesize("/var/log/auth.log"));
fclose($file);
This hits me with an error:
fopen(/var/log/auth.log): failed to open stream: Permission denied
I can see that Laravel does not have the correct read permissions for this file and I do not what to do a typical chmod -R 777 due to security. I am using nginx but Laravel executes with php-fpm.
What user-group does my site execute in? What permissions should I give that user-group on my log files?
Try:
chown {your_user}:nginx /var/log/auth.log
chmod ug+rwx /var/log/auth.log
For this situation it's strongly not recommended to change permissions like "chmod 0777" (the same 777), "chmod 0755" (the same 755) or something like that for avoiding security vulnerabilities.
Actually the files which will used by web-server, will attach to your "storage" directory. You can just change owner, as web-server user (Apache or Nginx). Lot of cases it's "www-data".
Also don't forget about bootstrapped cache-files (configurations, services and packages) under "bootstrap/cache" directory.
sudo chown -R www-data:www-data storage/ bootstrap/cache/
After this, when you will want to run some artisan-commands, you can do them with "sudo", or just can make the current user as owner:
sudo chown -R $USER:$USER storage/ bootstrap/cache/
And after running your command(s) you can revert back the owner to "www-data" user (1-st command).
The advantage of this method is that this will not be tracked by version control system.
I want to create an own git server. I started with a root user and here is the following I did:
mkdir /srv/git/project.git
useradd -r -d /srv/git git
passwd git
Now I have a new user git (can log in via su git from my root account).
I want to login via git#mywebsite.com without the use of a password. Right now, it will ask for a password every time.
For root, I have my SSH public key in .ssh/authorized_keys. The key should also work for git. Do I have to add another authorized_keys file for this git user? With my useradd command, I do not create a home directory where I could add it, so where should it go?
Thank you all for your help!
Run sudo tail -f /var/log/auth.log and attempt to login once more from a different console. You will see now the lag that should tell you why exactly the login was denied.
In my case there were wrong permissions for the home folder.
You did create a home directory, it just isn't sitting under /home.
/srv/git
Under that directory create a .ssh directory, fix the permissions:
mkdir /srv/git/.ssh
chmod 0700 /srv/git/.ssh
Create a new authorized_keys file with the public key in it, fix the permissions:
vim /srv/git/.ssh/authorized_keys # or method of your choice
chmod 0600 /srv/git/.ssh/authorized_keys
We are using sudo users with limited commands to execute and assigned default home directory /home/sudouser but if that particular sudo user is running command cd \ its changing the directory to the main root directory /. This behaviour is totally insecure for us.
We need it such that if the sudo user is entering cd / or cd it changes directory to their home directory /home/sudouser
Please let us know how we can implement this?
Don't ever try to restrict a sudo user to only a directory or a command, a sudo user can by definition do what he wants.
In your case, having a script that assigns the home directory is I think a better idea. To solve the trouble of permissions look for the suid bit in permissions: http://www.linuxnix.com/suid-set-suid-linuxunix/
For example: create a sh file that has the following permissions: "-rwsr--r--" that is owned by root and as a group that can be accessed by the user whom you want to use the script.
Then in the file you create a simple script to execute the command to change default directory with let's say two parameters (username and directory)
I setup a virtualhost for Apache server on Linux, set the document root to /home/someuser/www
Now the permission of /home/someuser/www is default, the problem is Apache can not write to /home/someuser/www
Is there a way to make sure Apache has ability to read&write to /home/someuser/www, I do not want to set www/ as 777.
At the moment, there is a folder named cache/ in www/, when apache generate cache files in cache/ folder, I want to use my user to make change to www/cache/*.
Thanks.
Add the www-data to your user group. As root, replace <groupname> by the user group name:
usermod -a -G <groupname> www-data
Allow the group to read/write in the folder and setgid:
chmod -R g+rws /home/someuser/www