I have set up the AWS Linux instance and deployed web project and for that project, I need folder permission only by apache user I have root user access for SSH.
How can I do this which will show apache as an owner of the web project?
Apache creates www-data as the user and group.
Example: If the Server web root is /var/www.
sudo chown -R www-data:www-data /var/www
Hope it helps ;-)
Related
I have a folder web that jenkins manages:
/var/lib/jenkins/workspace/myweb
*jenkins user is the owner
and from nginx I set up the default site with:
root /var/lib/jenkins/workspace/myweb/build;
before when the site was in /var/www/html was working well, the owner
not now, how I can set up the rights for the web folder to www-data ?
You can use chown command this way
sudo chown www-data:www-data /var/lib/jenkins/workspace/myweb
Using SSH I've granted access to my SFTP clients user "ec2-user" with the following command:
sudo chown -R ec2-user /var/www/html
However I also need to grant access to Apache which I can do with the following command:
sudo chown -R apache:apache /var/www/html
I assumed this would grant access to both, but this is not the case. How can I apply the command to both ec2-user & Apache at the same time?
When you have executed chown commands, you did next: at first you've changed the owner of /var/www/html to ec2-user, and with next command you've changed the owner and owner group to apache. You can set only one pair of owner:owner-group to file or directory or whatever.
You have at least two ways to solve your task:
usermod -a -G apache ec2-user - this will add user ec2-user to apache group, after that, make sure, that permissions allows apache group members to manipulate files and directories as you need.
Create a subdirectory in /var/www/html with owner set to ec2-user and group set to main apache group and make sure that Apache could access it. You can configure it as a VirtualHost to separate it from original DocumentRoot.
Also, you have to set ec2-user home directory to /var/www/html, because even if it's has rights to access /var/www/html, it isn't necessary that it can access /var or /var/www.
These instructions helped me to get this up and running very easily:
https://devanswers.co/configure-sftp-web-server-document-root/
Here's a cached version:
https://web.archive.org/web/20201203122712/https://devanswers.co/configure-sftp-web-server-document-root/
The idea here is to create a group like sftp_users and then set permissions to that group, adding the user to that group (the link above details all configurations and setup very well)
I want to install and use prestashop but now it only works correctly when I set permissions to 777 (I can login to the server via shell with root privileges). While installing I get this error "recursive write permissions for apache user on..." and only works for permissions set to 777. I don't like this idea because after installation I can't even change back to 755 or 775. I also get problem partly solved when I change the user ownership to apache but then I can't do anything with my ftp client with that folder.
The user owner is ftp and the group owner is psacln? How should I change the membership of the folders so I can work both through ftp and allow apache to do things with presta files? (and of course have the permission set not higher then to 775). BTW, do I have to restart a server when adding or removing user's membership of the group?
This should fix your problem.
ssh root#ip_address
chown -R www-data:ftp /var/www/prestashop
You don't need to restart the server.
Optional :
service apache2 reload
I have a big doubt how to setup Apache and Pure-FTPd. I don't know how set folder permissions and secure users to not access other folders outsite their home directory.
My scenario:
Apache running defaults (group apache, user apache)
Pure-FTPd using Pure-DB (internal database, not Linux users) - installed using group "ftpusers" and user "ftpuser"
all sites in /sites
I did:
chown apache:apache /sites -R
To create an user on Pure-FTPd:
pure-pw -u myuser -d /sites/onesite -u ftpuser -g ftpusers
pure-pw mkdb
This way I can connect to a FTP account but cannot transfer (permission denied) or delete files.
I can set all /sites to 777 but I know this is not correct. I want to know the correct way, so users can upload/delete files, Apache can read/write files in each website, and if a user upload something to try read outside the /sites directory he gets an error.
Please, help me to secure my webserver using Apache and Pure-DB, plus Linux permissions.
Thank you!
Roger
Not sure if this is correct: I've created the FTP user using "apache:apache"
pure-pw -u myuser -d /sites/onesite -u apache -g apache
pure-pw mkdb
and set:
chmod 770 /sites -R
So everything runs on apache:apache.
Same issue here. I solved it lowering /etc/pure-ftpd/conf/MinUID to my www-data UID number. Though I'd like to know if there is a better solution.
I have a web application wrote in php , working with Apache in a Linux server, the problem is that this server can be access by many users, what I want to do is , restrict the htdocs folders without broke the permissions that need Apache in order to display the web application.
My idea is something like this:
User Administrator (is in the sudo group, and in administrator group) Have access to htdocs.
User Deb (is in the sudo group,and in standard group) No have access to htdocs
By access I mean, copy and modify, the php files.
In most Linux distributions Apache is run under a specific user, for example apache under Red Hat and www-data under Debian and Ubuntu. The root user and every user in the sudo have access to all files on the file system. Combining these gives you your solution: change the owner of the htdocs directory to the user under which the server is run and change the rights on the htdocs directory to 0700. So:
$ cd /[path to parent dir of htdocs]/
$ chown <apache user>:<apache group> htdocs
$ chmod 0700 htdocs
This way only the apache server user, root and users in the sudo group have access to the htdocs directory.
You can set the htdocs folders to be readable only by group www-data and add users who are allowed to do changes ther into the www-data group.
drwxrwx--- www-data www-data vhosts/