ec2-user does not has permission to write to web folder - linux

I created an apache web server using CFT; this is using RHEL 7. In order to allow ec2-user to modify files in apache document root folder, I added the following in CFT (taken from var/log/cloud-init.log)
Jun 30 16:11:15 ip-10-205-0-135 cloud-init: groupadd www Jun 30 16:11:16 ip-10-205-0-135 cloud-init: usermod -a -G www ec2-user Jun 30 16:11:16 ip-10-205-0-135 cloud-init: chown -R root:www /var/www Jun 30 16:11:16 ip-10-205-0-135 cloud-init: chmod 2775 /var/www Jun 30 16:11:16 ip-10-205-0-135 cloud-init: find /var/www -type d -exec chmod 2775 {} \; Jun 30 16:11:16 ip-10-205-0-135 cloud-init: find /var/www -type f -exec chmod 0664 {} \;
As you can see from log, this went fine. However, when logged under ec2, it gives permission error as below:
[ec2-user#ip-10-206-32-92 html]$ aws s3 sync s3://gfrepo/releases releases download failed: s3://gfrepo/releases/binaries.html to releases/binaries.html [Errno 13] Permission denied: u'/var/www/html/releases/binaries.html' download failed: s3://gfrepo/releases/B1556013/B1556013.jar to releases/B1556013/B1556013.jar Could not create directory /var/www/html/releases/B1556013: [Errno 13] Permission denied: '/var/www/html/releases/B1556013'
I ended up elevating my permission as sudo to complete s3 sync. Not sure why it's giving permission error for ec2-user. Here are the listing of the permissions:
[ec2-user#ip-10-206-32-92 www]$ ls -l total 0
drwxrwsr-x. 2 root www 6 Mar 21 02:33 cgi-bin
drwxrwsr-x. 3 root www 55 Jun 30 16:11 html
[ec2-user#ip-10-206-32-92 www]$ groups ec2-user
ec2-user : ec2-user adm wheel systemd-journal www
As you can see ec2-user is part of www group and www is the owner of html sub-dir


You have to make sure the ec2-user belongs to the group that has write permission
if the directory /var/www/html is owned by root it will not let you write to the folder.
first do you an ls -l on /var/www/html
find out what's the group name, it's next to user
then issue this command
sudo usermod -a -G www ec2-user
You need to add ec2-user to the www group
You're logged in ec2-user, although you're issuing an aws s3 sync command, you need permission to write to the permissible directory, that's why it's failing.
This directory /var/www/html/releases/ does not have the permission.
Could not create directory /var/www/html/releases/B1556013 <----
or su to root and try the command.

Related

Problem with setup specific permissions for folders/files via ACL rights under Debial Linux 9.5

please I want to ask you about setting specific permissions for files and folders via ACL rights under Linux. I have got problem with setup permissions for files. Folders works correctly.
I have got folder:
/test (with permissions -> chmod 777 /test)
Next setup was:
setfacl -d -m u::rwx /test
setfacl -d -m g::rwx /test
setfacl -d -m o::rwx /test
**result:**
file: test
owner: root
group: root
user::rwx
group::rwx
other::rwx
default:user::rwx
default:group::rwx
default:other::rwx
Now, when I create folder all is ok:
mkdir data
drwxrwxrwx+ 2 root root 4096 May 18 13:29 data
But when I create any file, I have got file only with rw-,rw-,rw-
touch data.txt
-rw-rw-rw- 1 root root 0 May 18 13:30 data.txt
Could you please tell me what I doing wrong ? I need to create new files with rwx,rwx,rwx
Thank you very much.

Grant user write permissions on /var/www/html via www-data group

I've setup a new web server, I have created a user 'webuser', and have added the user to the group 'www-data'. When I try to upload a file via SFTP to /var/www/html I get an Permission Denied error.
So far I've tried;
usermod -aG www-data webuser
chown -R www-data:www-data /var/www/html
chmod -R 775 /var/www/html
None of these have allowed write permission on /var/www/html
The details of the folder are:
drwxrwxr-x 9 www-data www-data 4096 Oct 10 10:00 html

Let's encrypt SSL couldn't start by "Error: EACCES: permission denied, open '/etc/letsencrypt/live/domain.net/privkey.pem'"

I tried to use SSL by Node.js but it doesn't work because permission denied.
try {
var TLSoptions = {
key: fs.readFileSync("/etc/letsencrypt/live/domain.work/privkey.pem"),
cert: fs.readFileSync("/etc/letsencrypt/live/domain.work/cert.pem")
};
https.createServer(TLSoptions, app).listen(port, host, function() {
console.log("TLS Website started.")
}); catch(e) {
console.log(e)
}
=>
{ Error: EACCES: permission denied, open '/etc/letsencrypt/live/domain.work/privkey.pem'
at Object.fs.openSync (fs.js:663:18)
... (Librarys dump)
errno: -13,
code: 'EACCES',
syscall: 'open',
path: '/etc/letsencrypt/live/domain.work/privkey.pem' }
So I tried re-make files of *.pem.
rm -f /etc/letsencrypt/live
rm -f /etc/letsencrypt/archive
rm -f /etc/letsencrypt/renewal
sudo ./letsencrypt-auto certonly -a standalone -d domain.work
and check file authority.
/etc/letsencrypt/live/domain.work$ ls -lsa
total 12
4 drwxr-xr-x 2 root root 4096 Jan 3 21:56 .
4 drwx------ 3 root root 4096 Jan 3 21:56 ..
0 lrwxrwxrwx 1 root root 37 Jan 3 21:56 cert.pem ->
../../archive/domain.work/cert1.pem
0 lrwxrwxrwx 1 root root 38 Jan 3 21:56 chain.pem ->
../../archive/domain.work/chain1.pem
0 lrwxrwxrwx 1 root root 42 Jan 3 21:56 fullchain.pem ->
../../archive/domain.work/fullchain1.pem
0 lrwxrwxrwx 1 root root 40 Jan 3 21:56 privkey.pem ->
../../archive/domain.work/privkey1.pem
/etc/letsencrypt/archive/domain.work$ ls -lsa
total 24
4 drwxr-xr-x 2 root root 4096 Jan 3 21:56 .
4 drwx------ 3 root root 4096 Jan 3 21:56 ..
4 -rw-r--r-- 1 root root 1789 Jan 3 21:56 cert1.pem
4 -rw-r--r-- 1 root root 1647 Jan 3 21:56 chain1.pem
4 -rw-r--r-- 1 root root 3436 Jan 3 21:56 fullchain1.pem
4 -rw-r--r-- 1 root root 1708 Jan 3 21:56 privkey1.pem
but It is not resolved and I cannot find any mistakes and problems.
How to resolve this problem?

When you use sudo to issue the certificates, they will be owned by root.
Since node is not run as root, and the permissions on the certificate folder do not allow them to be opened by anyone except the owner, your node app cannot see them.
To understand the solution, let us assume node is running as the user nodeuser
You can get your user on ubuntu by using : whoami or ps aux | grep node
Solution #1 (temporary):
You could switch the owner of the certificates to your node user.
$ sudo chown nodeuser -R /etc/letsencrypt
However, this may break any other items that look at the cert, such as Nginx or Apache.
It will also only last till your next update, which is no more than 90 days.
On the other hand, whatever script you have that renews the cert can also set the owner.
Solution #2 (do not do this):
Run node as root.
sudo node index.js
This will run node as a root user, which means that the terribly insecure surface of node can access everything on your system. Please don't do this.
Solution #3 (do not do this either):
Open the certificates to everyone.
The certificates are stored in /etc/letsencrypt/archive/${domain}/cert1.pem, and are linked to from /etc/letsencrypt/live/${domain}/cert1.pem.
All folders in both of these paths are +x, meaning that all users on the system can open the folders, with the exception of the "live" and "archive" folders themselves.
You can make those open as well by changing their permissions.
$ sudo chmod +x /etc/letsencrypt/live
$ sudo chmod +x /etc/letsencrypt/archive
This is bad as it allows access from other unexpected sources. Generally opening folders to everyone is a bad idea.
Solution #4 (do this):
On the other hand, you can create a limited group, and allow the permissions to only be opened for them.
// Create group with root and nodeuser as members
$ sudo addgroup nodecert
$ sudo adduser nodeuser nodecert
$ sudo adduser root nodecert
// Make the relevant letsencrypt folders owned by said group.
$ sudo chgrp -R nodecert /etc/letsencrypt/live
$ sudo chgrp -R nodecert /etc/letsencrypt/archive
// Allow group to open relevant folders
$ sudo chmod -R 750 /etc/letsencrypt/live
$ sudo chmod -R 750 /etc/letsencrypt/archive
That should allow node to access the folders with the certs, while not opening it to anyone else.
You should then reboot or at least logout and in after these changes.
(Many changes to permission and groups require a new session, and we had issues with PM2 until reboot.)
On ec2 instance you can do sudo reboot.
Should something go wrong and you want to revert to original settings follow this
// Delete Group
$ sudo groupdel nodecert
// Reset Permission
$ sudo chown -R :root /etc/letsencrypt/live
$ sudo chown -R :root /etc/letsencrypt/archive
// Check Permissions
$ sudo ll /etc/letsencrypt/

I'm not familiar with Node.js, but it's clearly the same permissions problem as with PostgreSQL. So the same solution should work fine. This allows you to leave the permissions on /etc/letsencrypt as they are :
copy the certificates to your Node.js directory
chown the copied files to your "node" user
You can have a script doing that in /etc/letsencrypt/renewal-hooks/deploy which will be called everytime you renew your certificates.
Example /etc/letsencrypt/renewal-hooks/deploy/10-certbot-copy-certs :
#!/bin/bash
domain=domain.work # using your example name
node_dir=/path/to/cert_copies
node_user=nodeuser
cp /etc/letsencrypt/live/$domain/{fullchain,privkey}.pem "$node_dir"/
chown $node_user "$node_dir"/*.pem

This worked for me:
Copy all pem files that you need into the root folder of your project:
sudo cp /etc/letsencrypt/live/www.your-domain.com/privkey.pem /home/your-username/your-server-directory/privkey.pem
Read the files like so:
.createServer(
{
key: fs.readFileSync("privkey.pem"),
cert: fs.readFileSync("cert.pem"),
},
Grant permissions:
sudo chown your-username -R privkey.pem

I was using ec2-user on Amazon Linux 2 instance and had the same problem. This worked for me:
sudo chown ec2-user -R /etc/letsencrypt

The above top answer by #SamGoody didn't work for me since it didn't set all the group permissions. It worked after I setup the nodecert group as he suggested like this
$ sudo addgroup nodecert
$ sudo adduser nodeuser nodecert
$ sudo adduser root nodecert
and then did
$ sudo nautilus
and clicked down to /etc/letsencrypt then right clicked "Properties" and changed the group permissions manually to nodecert "Access files" in the following two folders and their domain name subfolders
/etc/letsencrypt/live
/etc/letsencrypt/archive
Also changed group permissions manually to nodecert "Read-only" for all contained files and symlinks.

Jenkins - copy files to web folder permissions denied

I have added jenkins to the www-data group
jenkins : jenkins www-data
Which owns my html folder
drwxrwxr-x 12 www-data www-data 4096 Sep 4 14:18 html
I try and copy a folder from the build
cp -R resources /var/www/html
but I get the errors
cp: cannot create regular file '/var/www/html/resources/assets/js/app.js': Permission denied
all the files and subfiles are owned by www-data and in the www-data group but I still get the error
cp: cannot create regular file '/var/www/html/resources/assets/js/app.js': Permission denied

Remove www-data owned file using ordinary user

i have a folder which contain uploaded file. for example /var/www/app/storage/public :
ls -al /var/www/app/storage/public
-rw-r--r-- 1 www-data www-data 835870 Aug 22 13:42 8b4c4e2a3d64.pdf
-rw-r--r-- 1 www-data www-data 835870 Aug 22 13:24 3d326ab2b3bc.pdf
I want to make a script to clean up that directory without using root user. What should i do if i want to delete those files using ordinary user like sanders so i can do something like:
sanders#localhost:~$ rm -rf /var/www/app/storage/public
Thank you :)

You will have to add this user to your "www-data" group:
sudo usermod -a -G www-data sanders
Then, make sure your folders have the correct group permissions:
sudo chgrp -R www-data /var/www/app/storage/public
sudo chmod -R g+w /var/www/app/storage/public

Resources