Why does Apache require Other's execute permission on folder - linux

I have a webapp setup on cPanel/Apache/CentOS
If I set the permission of directories under the document root to 755, it works OK. However, if I change any directory permission to 754 (revoking execute permission from OTHER), the web server refuses to serve any file under the folder, resulting in a 404 Not Found error.
Apache is running as the file owner, so why does it bother to care about the OTHER's execute permission?

Apache is running as the file owner, so why does it bother to care about the OTHER's execute permission?
Are you sure about that? Apache is almost never configured this way, outside of exotic setups like mpm-itk. The web server is usually configured to run as a separate user, often as www-data, httpd, or nobody. These users are not members of your group, so they rely on the "other" privilege mask.
Depending on your site configuration, you might be able to add an access control list to the document root to explicitly allow the web server user, or chgrp your document root to a group shared with the web server to use group privileges instead. (Or you might not. No guarantees.)
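As an added illustration (not part of the original question or answer): a small Python script that models the check the kernel performs when a process that is neither the file owner nor a group member opens a file under the document root. It walks every path component from a base directory down, requiring the search (x) bit on each directory and the read bit on the file, and evaluates a 755 and a 754 directory side by side. The server uid and group set are constructed values chosen so they match nothing on the box, standing in for an account such as www-data; the document root and file names are made up for the demo, and root's permission bypass is deliberately not modelled.

```python
import os
import stat
import tempfile


def class_bits(st, uid, gids):
    """Select the rwx triplet that applies to a process with this uid and group set:
    owner bits if it owns the inode, else group bits if the inode's group is in its
    set, else the 'other' bits. Root's bypass is deliberately not modelled."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 0o7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 0o7
    return st.st_mode & 0o7


def can_serve(base, rel_path, uid, gids):
    """Return (ok, reason). Every directory from base down to the file needs the
    search (x) bit for this process, and the file itself needs the read bit; this
    is what open() checks, so a 754 directory blocks a non-owner even if the file
    inside it is world-readable."""
    parts = [p for p in rel_path.split("/") if p]
    nodes = [base]
    node = base
    for part in parts:
        node = os.path.join(node, part)
        nodes.append(node)
    for node in nodes:
        st = os.stat(node)
        bits = class_bits(st, uid, gids)
        shown = os.path.relpath(node, base)
        if stat.S_ISDIR(st.st_mode):
            if not bits & 0o1:
                return False, f"directory {shown} lacks the execute (search) bit for this process"
        elif not bits & 0o4:
            return False, f"file {shown} lacks the read bit for this process"
    return True, "ok"


def demo():
    """Build a constructed document root with one 755 and one 754 directory and
    evaluate both as a web server account that is neither owner nor group member."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o755)  # TemporaryDirectory creates it 0700, which would block everyone
        server_uid = os.getuid() + 1000        # constructed: never the owner of these files
        server_gids = {os.getgid() + 1000}     # constructed: never the group of these files
        for mode in (0o755, 0o754):
            name = f"dir{mode:o}"
            d = os.path.join(root, name)
            os.mkdir(d)
            page = os.path.join(d, "index.html")
            with open(page, "w") as fh:
                fh.write("<h1>hello</h1>\n")
            os.chmod(page, 0o644)   # file itself is world-readable in both cases
            os.chmod(d, mode)
            results[f"{mode:o}"] = can_serve(root, f"{name}/index.html", server_uid, server_gids)
    return results


if __name__ == "__main__":
    for mode, (ok, reason) in demo().items():
        print(f"directory mode {mode}: {'served' if ok else 'refused'} ({reason})")
```

Run it as the account that owns the files and the result does not change: the owner uid is not what the web server presents to the kernel, so only the bits that apply to the server's own uid and groups matter. That is also why `namei -l /path/to/file` is the quickest manual check: it prints the permission class of every component the server process has to traverse.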

Related

x and r permission of web application in centos

Question 2: As to the file folders, WordPress knows their structure, so we need not set the r permission on any file folder?
It's been a while since I have had anything to do with WordPress, but since you're a nice girl I will try to help you out:
Generally, execute is required for executing scripts such as PHP or Perl. To review your WordPress permissions, have a look at
Wordpress Linux file permissions and group
This has a tidy shell script to define correct permissions.
Generally everything under WWW has to have read permission, otherwise it's not readable.
Again, Apache should be fine, since the underlying process running the virtual site for a user should be apache - unless you are running some form of strange Apache config where the apache user becomes the real user for a virtual host (never seen anything like it - unless we are talking IBM HTTP Server or something). So giving the apache user the correct permissions should work.
Suppose I am a website viewer; how can I write a file in those folders when the file owner is nobody?
This would actually be the apache user: me visiting your site and hitting your page would trigger Apache to serve that page, and the underlying user serving that page would be that apache user. If it happens to be nobody:nogroup, then that's who needs the relevant permissions to write to the folder.
So if you have /var/www/html and it is owned by root and your Apache process is running as nobody, then nobody cannot write into the root-owned folder.

Are folder permissions on a web server adequate security?

I'm working on a project which uses a folder full of flat-file databases. I'd like to make sure these databases are only accessible to scripts running off the server, so I set the folder permissions to 700.
This results in all scripts functioning properly, but a 403 Forbidden whenever I try to access the database folder in my browser. This is good.
However, I'm wondering: am I missing something? Is there any way (short of gaining access to my FTP account) for an outside user to access this folder? Or can I rest easy?
The proper solution is storing them outside the document root. If you cannot do that, but know that Apache will be used, create a .htaccess in the folder with the following contents:
Order deny,allow
Deny from all
Using filesystem permissions may or may not work depending on the environment - in a perfect setup the web server would use the same uid as your system user that owns the files. Then your approach wouldn't work.

How do I get a Java Servlet Container to save files as an "owner / group" other than Tomcat?

I have a Java servlet. When it saves files, it saves them as tomcat:tomcat (in a Linux environment). I actually need it to save them as sportsfan:tomcat, as sportsfan is the FTP user and also needs access to create, modify or overwrite these files.
I thought about running tomcat as sportsfan:tomcat, but I'm running multiple applications under the one tomcat instance.
Perhaps the best way to do this would be to have the FTP user log in as part of the tomcat group. Would that be a correct way?
Please advise.
Adding your sportsfan FTP user to the tomcat group could be a good solution, but before that check which files in your system are modifiable with this permission and consider the security risks.
Another solution: create a sportsfan group and add your sportsfan user to it. Then change the group of your upload directory and set it as setgid:
chgrp sportsfan upload
chmod g+s upload
After that, new files in the upload directory will be created with tomcat:sportsfan as owner:group. It's not exactly what you asked for, but changing the user id (setuid directories) is not supported on Linux. Wikipedia has a pretty good article about setuid and setgid directories. Furthermore, you have to set the umask value of the tomcat user to 000x (e.g. 0002) or a similar value which gives full access to the group.
3rd solution: set up a cron job which changes the permissions every n minutes.
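As an added Python illustration of the second solution (not the answerer's code): it performs the equivalent of `chgrp` plus `chmod g+s` on an upload directory, then creates files under umask 0022 and umask 0002 and returns the resulting modes, so the group-write difference the answer relies on is visible. Because the script cannot assume a second group such as sportsfan exists, the demo keeps whatever group the temporary directory already has; pass a real gid to `make_shared_upload_dir` to perform the chgrp step. All paths are constructed for the demo.

```python
import os
import stat
import tempfile


def make_shared_upload_dir(path, gid=None):
    """Equivalent of `chgrp <group> upload; chmod g+s upload`: optionally switch the
    directory's group, then set the setgid bit so files created inside inherit that
    group instead of the creating process's primary group. Group rwx is added so
    group members (the FTP user) can list, create and traverse. Returns the mode bits."""
    if gid is not None:
        os.chown(path, -1, gid)  # -1 leaves the owner alone: chgrp only (needs ownership or root)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode | stat.S_ISGID | stat.S_IRWXG)
    return stat.S_IMODE(os.stat(path).st_mode)


def create_under_umask(path, umask):
    """Create an empty file the way a daemon would (requested mode 0666, reduced by
    the umask) and return (mode bits, gid) of the result. The old umask is restored."""
    old = os.umask(umask)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
        os.close(fd)
    finally:
        os.umask(old)
    st = os.stat(path)
    return stat.S_IMODE(st.st_mode), st.st_gid


def demo():
    """Constructed upload directory under a temp dir; returns what you would otherwise
    read off `ls -l` after Tomcat wrote two files with different umasks."""
    with tempfile.TemporaryDirectory() as root:
        upload = os.path.join(root, "upload")
        os.mkdir(upload, 0o755)
        dir_mode = make_shared_upload_dir(upload)  # gid=None: keep the temp dir's group (constructed demo)
        dir_gid = os.stat(upload).st_gid
        strict = create_under_umask(os.path.join(upload, "written-with-umask-022.txt"), 0o022)
        shared = create_under_umask(os.path.join(upload, "written-with-umask-002.txt"), 0o002)
    return {
        "dir_mode": dir_mode,
        "umask_022_mode": strict[0],   # 0644: group cannot modify, so the FTP user is locked out
        "umask_002_mode": shared[0],   # 0664: group can modify, which is what the answer needs
        "files_inherit_dir_group": strict[1] == dir_gid and shared[1] == dir_gid,
    }


if __name__ == "__main__":
    r = demo()
    print(f"upload dir mode {r['dir_mode']:o} (setgid set: {bool(r['dir_mode'] & stat.S_ISGID)})")
    print(f"file created under umask 022: {r['umask_022_mode']:o}")
    print(f"file created under umask 002: {r['umask_002_mode']:o}")
    print(f"files carry the directory's group: {r['files_inherit_dir_group']}")
```

The setgid bit only fixes the group of new files; the umask decides whether that group may write them, which is why the answer's second step (a umask of 0002 for the tomcat user) is not optional. Note that the kernel silently drops the setgid bit on chmod if the process setting it is not a member of the directory's group, so do the chgrp first and set g+s as a member of that group or as root.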

joomla directory permission problem

I have installed Joomla on my new account. All the files show the FTP username as the owner of the files. But when I go to the Joomla admin section and check directory permissions, it says a few folders are unwritable.
Does it mean that the admin page is using a different user than the FTP username?
It's not about ownership, usually it's about permissions. If you want to understand it all, there is a quite extensive FAQ:
http://forum.joomla.org/viewtopic.php?t=121470
Short one - look into the test results and note the files and directories to be changed. Depending on the security configuration of your web server, the recommended default permissions are:
755 for directories
644 for files
Change them. For FileZilla (a free FTP client - my best guess on what you are using), a good tutorial on how to change file permissions is:
http://www.codeunit.co.za/2008/07/18/remotely-changing-multiple-linux-file-permissions-with-filezilla/
Since the owner usually has the most rights, changing the ownership of all files to the HTTP server process owner could also work, but then again, you would have to do this each time and it's not possible via FTP.
Yes, if this is hosted on Apache, the Apache server usually runs as user www-data.

Secure Tomcat Webapps folder from direct user access

Is there a way that I can secure the webapps folder in Tomcat from direct access by a system user? In other words, I don't want a user to log on to the server machine and access the webapps folder. However, I'd still like the contents of the webapps folder to be served accordingly.
Would a solution such as TrueCrypt to encrypt the folder work? Or something like Windows admin rights? However, I'd still need a user to log on to the server machine to start and stop Tomcat (bin folder) but not have access to the webapps folder.
Update Feb 15 '11: Yes, it's to stop someone logging onto the server machine and deploying/undeploying. Since I'm going to be using a Windows machine, I will probably restrict access to the Tomcat folder and create an exe on the desktop to start and stop the services.
I am not sure what you mean by "access webapps folder"; I will assume this means the user can deploy/undeploy webapps and start/stop Tomcat. In Unix this is doable as follows:
Create a user for Tomcat. Change the umask so all created files are only readable by this user and no one else, similarly for directories.
Create a user (e.g. system) that will be stopping/starting Tomcat.
Give sudo rights to user system just to be able to start/stop Tomcat. You can, for example, externalize the catalina.sh start and catalina.sh stop scripts somewhere in /usr/local/bin and give sudo access to those.
Create a script that takes yourwebapp.war and copies it to $tomcat_home/webapps or invokes the relevant Tomcat manager command (for deployment/undeployment). Again, give sudo rights just for that script, but otherwise change its mode to 700 so it is not even readable by the system user.