Using SSH I've granted access to my SFTP clients user "ec2-user" with the following command:
sudo chown -R ec2-user /var/www/html
However I also need to grant access to Apache which I can do with the following command:
sudo chown -R apache:apache /var/www/html
I assumed this would grant access to both, but this is not the case. How can I apply the command to both ec2-user & Apache at the same time?
When you have executed chown commands, you did next: at first you've changed the owner of /var/www/html to ec2-user, and with next command you've changed the owner and owner group to apache. You can set only one pair of owner:owner-group to file or directory or whatever.
You have at least two ways to solve your task:
usermod -a -G apache ec2-user - this will add user ec2-user to apache group, after that, make sure, that permissions allows apache group members to manipulate files and directories as you need.
Create a subdirectory in /var/www/html with owner set to ec2-user and group set to main apache group and make sure that Apache could access it. You can configure it as a VirtualHost to separate it from original DocumentRoot.
Also, you have to set ec2-user home directory to /var/www/html, because even if it's has rights to access /var/www/html, it isn't necessary that it can access /var or /var/www.
These instructions helped me to get this up and running very easily:
https://devanswers.co/configure-sftp-web-server-document-root/
Here's a cached version:
https://web.archive.org/web/20201203122712/https://devanswers.co/configure-sftp-web-server-document-root/
The idea here is to create a group like sftp_users and then set permissions to that group, adding the user to that group (the link above details all configurations and setup very well)
Related
I have some folders on a ubuntu server running Nginx with the following permissions & groups:
drwxr-xr-x 3 www-data www-data some_folder
I am trying to delete these within a deployment script, as a user called deploy. This user is in the www-data group.
I know that to delete these folders, I need group write permissions (which I currently don't), however the deploy user doesn't have the permissions to set this. I've tried chmod 775 some_folder and also setting the deploy user as the owner with chown deploy some_folder, but I always get this error:
chown: changing ownership/permissions of 'some_folder/': Operation not permitted
How can I delete these folders without using sudo?
Thanks in advance for any help
I have for some time been manually switching my www/html directory user ownership on my EC2 Instance between apache and EC2-user for some time to allow me switch between installing and updating wordpress plugins or using Coda 2 to upload and update files via FTP.
I have finally reached a point of frustration and am wondering what is the best way to set up my ownership settings on the server to cater for both users having access without having to constantly change the settings.
Here are the commands I use to switch between users:
sudo chown -R apache:apache /var/www/html
sudo chown -R ec2-user /var/www/html
Can someone please advise the safest configurations to avoid constantly switching for the foreseeable future?
add your user to the same user group of apache.
sudo usermod -a -G apache ec2-user
then exit your account then change ownership that include ec2-user in the path
sudo chown -R ec2-user:apache /var/www
I have set up the AWS Linux instance and deployed web project and for that project, I need folder permission only by apache user I have root user access for SSH.
How can I do this which will show apache as an owner of the web project?
Apache creates www-data as the user and group.
Example: If the Server web root is /var/www.
sudo chown -R www-data:www-data /var/www
Hope it helps ;-)
I have a big doubt how to setup Apache and Pure-FTPd. I don't know how set folder permissions and secure users to not access other folders outsite their home directory.
My scenario:
Apache running defaults (group apache, user apache)
Pure-FTPd using Pure-DB (internal database, not Linux users) - installed using group "ftpusers" and user "ftpuser"
all sites in /sites
I did:
chown apache:apache /sites -R
To create an user on Pure-FTPd:
pure-pw -u myuser -d /sites/onesite -u ftpuser -g ftpusers
pure-pw mkdb
This way I can connect to a FTP account but cannot transfer (permission denied) or delete files.
I can set all /sites to 777 but I know this is not correct. I want to know the correct way, so users can upload/delete files, Apache can read/write files in each website, and if a user upload something to try read outside the /sites directory he gets an error.
Please, help me to secure my webserver using Apache and Pure-DB, plus Linux permissions.
Thank you!
Roger
Not sure if this is correct: I've created the FTP user using "apache:apache"
pure-pw -u myuser -d /sites/onesite -u apache -g apache
pure-pw mkdb
and set:
chmod 770 /sites -R
So everything runs on apache:apache.
Same issue here. I solved it lowering /etc/pure-ftpd/conf/MinUID to my www-data UID number. Though I'd like to know if there is a better solution.
I just learned to install Apache 2 on my ubuntu linux localhost for the first time. I'm making it work with PHP5.
I noticed that anytime I want to write to a file or directory, I have to chmod 777 the destination.
But from my experience working on 3rd party hosting solutions, I am generally allowed to write to files and dirs that have 755 permissions.
What can I do on my localhost so that I can write to files and dirs with 755 permissions? If the answer to this is very long, can someone send me a link to a step by step guide to do this?
Here are some simple rules for web site content management (under apache) that most people should follow:
All content should be chown'd & chgrp'd to the same user that apache is running as. On new ubuntu installs , the user and group are both "www-data".
If you want to administer the serving files under your own user group, then you should add youself to the www-data group, and make sure that users in this group have read/write access to all the serving files and directories. The caveat here is that you want to make sure not to create new files as your personal account. These should still be owned by www-data. The easiest way to accomplish this is to create the file as yourself, and then chown it to www-data:www-data.
If you do these 2 things, then you should be able to write to files that are being served by apache. I'm not sure where your document root is, but something like this would likely work for most simple installs:
$ sudo usermod $USER -a -G www-data
$ cd /var/www
$ sudo chown -R www-data:www-data .
You probably can't achieve this because the owner of the file is different than the user trying to perform an action on the file.
the permissions are:
owner-group-everyone
rwx-rwx-rwx
i.e. 111 = 7 which allows read/write and execute.
101 = 5 which is just read and execute
you can't write to the file because your logged in user isn't part of the owner/group that has access to the file.
the final 7 (i.e. rwx-rwx-111(7)) means that globally, everyone has read/write access to that file.
how to fix this
In Linux, you can use the chown or chgrp command to achieve your desired results.
First, you will want to find out as which user your PHP code is running. If you are using mod_php5 (package name libapache2-mod-php5) with Apache to run with the "worker" or the "prefork" MPM, this will probably be www-data.
This is no big problem as long as you only run one web application within the server. However, if you run multiple applications (or scripts that are owned by more than one user), you are setting yourself up for all kinds of security-related "fun".