SSH Change ownership of public_html - .htaccess

The default ownership for public_html was myusername:nobody
drwxr-xr--. 18 myusername nobody 4096 Jun 1 16:06 public_html/
I changed this to myusername:myusername since I need to access a file inside public_html using the following command
# chown myusername:myusername public_html
It worked and ownership changed.
Now I'm not able to change the ownership back to myusername:nobody. I'm using this command
chown livegiftcard:nobody public_html
and it gives me the error
chown: changing ownership of ‘public_html’: Operation not permitted
I have also tested this with sudo and also chgrp but no luck.
Also I could not run my website. Browser gives me the following error.
Forbidden
You don't have permission to access / on this server. Server unable to
read htaccess file, denying access to be safe
Additionally, a 403 Forbidden error was encountered while trying to
use an ErrorDocument to handle the request

Problem:
The apache/nginx has a user, who needs to read the files in the Docroot. Default user and group is: www-data:www-data. I'm not sure if this is correct in your case.
Now the files are owned by myusername:myusername and the apache/nginx user is probably not in the group "myusername". So if you have some knowledge about the permission system of Linux, the webserver user has only the rights everybody has (third column). When the group was set to nobody, the files weren't owned by any group and every user can act under the group permissions. In your case I guess the group can read all files and all others can't.
What you can do:
Give all others the right to read the files with
chmod -R o+r public_html
Now everybody, including the webserver user can read the files and you will not get the 403 error. -R is for recursive, so every file and directory under public_html will get the readable flag too.
Another thing is to add the webserver user to the group "myusername" so the webserveruser can use the group permissions too.
The third and last possibility which came to my mind is to change the group to "nogroup" instead of "nobody" because nobody is the user and nogroup the group.

Related

Linux permissions -- can't write to directory which has all permissions set to allow all

Scenario:
bob owns directory x
bob has set permissions on x to 777
jim can't write to x. Why?
Actual output:
ls -la .pip/
total 12
drwxrwxrwx 2 user1 user1 4096 May 5 12:03 .
drwx------ 5 user1 user1 4096 May 6 11:34 ..
-rw-rw-rw- 1 user1 user1 2054 May 5 12:48 pip.log
sudo -S -p 'sudo password:' -u "apache" /bin/bash -l -c "mkdir .pip/monkey"
/bin/bash: /home/user1/.bash_profile: Permission denied
mkdir: cannot create directory `.pip/monkey': Permission denied
Ultimately I'm trying to pip install as apache user and that user is not allowed to write the install log, so the process fails. I need to write the log as apache user, but it lives in my user space. I could change the owner, but this process is supposed to work for any user, even new ones, so it's somewhat confusing what I'm supposed to do to achieve this.
UPDATE:
I understand from http://linux.die.net/man/2/path_resolution that it is the fact that apache does not own user1's home directory, so the directory search won't work. Is this the case?
Disclaimer: At the time this answer was composed, the question did not clearly identify working directories. If assumptions documented in the answer are incorrect, the folders mentioned in the answer may need to be adapted accordingly.
It appears that the question asks why user apache cannot operate under:
/home/user1/
It also appears that /home/user1 may have permissions set to drwx------ as these permissions are typically used to help secure private data that can accumulate in the root of the user's home directory.
If the above is true, then it is normal for apache to not be able to work under /home/user1/ because it does not have traversal rights to /home/user. Such rights can be added in various ways. The simplest, but not particularly safe way to do it is something like:
sudo chmod o+x /home/user1
It would then be possible for /home/user1 sub-folder permissions to be tightened and loosened to fit the need. It would be better to use group permissions than world permissions, but you should probably create a special group for this purpose rather than making apache a member of the user1 group. An even better solution would be to use an ACL that grants apache traversal rights to /home/user1 without opening the user's home directory up to a wider audience.
Be careful. Loosening permissions with the aforementioned command can give all users on the box access to sub-directories of the user's home directory if their permissions are not suitably tight.
Note: Security mechanisms on some systems might get annoyed by loosening of user home directory permissions and interfere with manual overrides. This could happen, for example, on a distribution that has msec configured to a relatively high security level. Without more detail given about the system configuration, it is somewhat difficult to anticipate potential problems. For example, unless an exception has been made for particular file system areas, on an msec managed system with high security set, msec will periodically rewrite directory permissions that it monitors if it does not consider the permissions compatible with the configured security level.

File read permissions for 'others' not working

I'm trying to give read permissions to lighttpd access logfiles to normal users which are on the same system.
The permissions are currently:
-rw-r--r-- 1 www-data www-data 211K Feb 28 11:27 /var/log/lighttpd/access.log
So, if I understood correctly, others have read permissions. Unfortunately this doesn't seem to work. If I try to read this file with a user account I get:
/var/log/lighttpd/access.log: Permission denied
I already tried to add the user to the group www-data which didn't work as well.
Any hints what I'm doing wrong here?
To access a file, the system needs the execute permission on all the directories containing the file.
In this case it was necessary to issue the chmod o+x /var/log/lighttpd command (after making sure that the user belongs to the "other" part of the permission set).
The "execute" permission for a directory allows you to enter it. The "read" permission for the directory allows you to see the names of the files inside. The interesting thing is that you can give the x permission alone, which means that anyone can access the files inside, but they need to know their names.
You might not have execute permission for the lighttpd directory, so the directory does not give the permission to access its containing file.
Use the command to set the execute permission to that directory.
chmod +x /var/log/lighttpd
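
The answers above share one rule: every directory on the way to a file needs the execute (search) bit, and the file itself needs read. The following added example (not part of the original posts) walks a path and reports the first component where the "other" bits fail; the function names and the sample tree are constructed for illustration, and only mode bits are inspected.

```sh
#!/bin/sh
# Added example (not from the original answers). Inspects mode bits only:
# ownership, group membership and ACLs are deliberately ignored.

# blocked_for_other PATH [START]
# Walks PATH below START (default /) and reports the first component that
# stops a user who only gets the "other" permission bits.
# Prints "<component> <mode> <reason>" and returns 1 on a blocker, 0 if none.
blocked_for_other() {
    start=${2:-/}
    current=${start%/}
    rest=${1#"$current"/}
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest="" ;;
        esac
        current="$current/$part"
        [ -e "$current" ] || { echo "$current - not-found"; return 2; }
        mode=$(ls -ld -- "$current" | cut -c1-10)
        if [ -n "$rest" ]; then
            # Directory on the way: needs o+x (search) to be traversed.
            case $(printf %s "$mode" | cut -c10) in
                x|t) ;;
                *) echo "$current $mode no-search"; return 1 ;;
            esac
        else
            # Final component: needs o+r to be opened for reading.
            case $(printf %s "$mode" | cut -c8) in
                r) ;;
                *) echo "$current $mode no-read"; return 1 ;;
            esac
        fi
    done
    return 0
}

# Constructed sample tree mirroring the listings on this page; prints its root.
build_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/home/myusername/public_html" "$root/home/user1/.pip"
    : > "$root/home/myusername/public_html/.htaccess"
    : > "$root/home/user1/.pip/pip.log"
    chmod 755 "$root/home" "$root/home/myusername"
    chmod 754 "$root/home/myusername/public_html"   # drwxr-xr-- as in the first question
    chmod 644 "$root/home/myusername/public_html/.htaccess"
    chmod 777 "$root/home/user1/.pip"; chmod 666 "$root/home/user1/.pip/pip.log"
    chmod 700 "$root/home/user1"                    # drwx------ as in the second question
    echo "$root"
}
```

On a real system, call it with an absolute path only, for example `blocked_for_other /var/log/lighttpd/access.log`; the optional second argument just limits the walk to a subtree.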

System user permissions for Apache2 files

How to make normal system user permissible for all files created by apache?
I set the www-data group as primary group for user, but this still doesn't work :/
Created directory (by www-data) have 755 chmods, files have 644.
I don't want to change directories/files permissions every time I want to do something by the user.

Permission of the webpage folder /var/www on a Linux server

I have moved my website from Godaddy to a VPS server. I'm new to Linux so I followed some tutorials online but still confused about some problems.
I use SSH to log on my server as user adam. In order to run the PHP properly, I have to set 755 permission to /var/www and change the owner of this folder to www-data. But that means I don't have permission to write files in this folder even if add user adam to the group www-data. And I cannot upload webpages onto this folder using FTP which is very annoying. (Currently I have to type su to switch to root and then modify these files with nano)
I know setting 777 is a solution but it may cause some safety concerns so I'm looking for a better solution.
drwxr-xr-x 8 www-data www-data 4096 Jul 24 21:36 www
Every number of permission is composed as follows
4: read
2: write
1: execute
So if you add them you get the permission. For example, 7 means all the permissions and 6 means read and write.
The first number of 755 is for the owner, the second for the group's users and the third for other users.
Then 755 means rwxr-xr-x, that is, the owner can read, write and execute, but the group members can't write.
If you want to solve this you can change the privileges to 775, then it will be changed to rwxrwxr-x
Or you can add www-data as a secondary group to adam and set a setgroupid www-data for /var/www

problem with ftp pushing files and me not having access as regular user

I've run visudo and added my username to the list to be able to do whatever I need to rather than logging in as root user.
I have my svn push out files through ftp as user www-data, and therefore when I try to cd into those directories, I get permission denied.
Any thoughts? Can I add my username to some config file somewhere to have access to all files?
When you use sudo, you are running as the root user, but only for that particular command. I think the easiest thing to do would be to ensure that you and www-data are in the same group, and set the group permissions accordingly. (e.g., chmod 775 yourdir)
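
The shared-group approach suggested in the last two answers (775 plus a setgid directory instead of 777), as an added example that is not part of the original posts. The function names are hypothetical; `/var/www`, `www-data` and `adam` in the comments are the names used in the questions.

```sh
#!/bin/sh
# Added example (not from the original answers): share a web root between
# the web server account and a login user through one group, without 777.

# share_docroot DIR GROUP
# Makes GROUP the group owner of DIR, gives the group write access and sets
# the setgid bit on directories so entries created later inherit GROUP.
share_docroot() {
    dir=$1 group=$2
    chgrp -R "$group" "$dir" || return 1
    # 2775 = setgid + rwxrwxr-x: others keep read/search but cannot write.
    find "$dir" -type d -exec chmod 2775 {} +
    # 664 = rw-rw-r--: no execute bit on plain files.
    find "$dir" -type f -exec chmod 664 {} +
}

# audit_docroot DIR GROUP
# Lists entries that break the scheme: world-writable, owned by another
# group, or a directory without the setgid bit. No output means clean.
audit_docroot() {
    find "$1" ! -type l \( -perm -0002 -o ! -group "$2" \
        -o \( -type d ! -perm -2000 \) \) -print
}

# Typical use on the server from the question (run as root):
#   share_docroot /var/www www-data
#   usermod -aG www-data adam     # adam must log in again to pick up the group
#   audit_docroot /var/www www-data
```

Files that the web server itself creates afterwards still follow its umask, so a umask of 022 yields 644 files that the group can read but not write.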
