Linux Set User and Group Ownership for Future Files and Folders - linux

I was changing user and group ownership using the following command:
sudo chown -R apache:www /var/www
However, I noticed that whenever I added a new file or folder to that directory, the owner would be my current username instead of the intended user, apache. How can I modify the above command so that all future folders and files will be owned by apache:www? Or do I need to use an extra command?

You can use ACLs to do this. For example:
$ ls -ld /var/www
drwxr-xr-x 2 apache www 4096 Aug 7 13:53 /var/www
$ sudo setfacl -dRm u:apache:rwX,g:www:rwX /var/www
$ ls -ld /var/www
drwxr-xr-x+ 2 apache www 4096 Aug 7 13:53 /var/www
$ getfacl /var/www
# file: var/www
# owner: apache
# group: www
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:apache:rwx
default:group::r-x
default:group:www:rwx
default:mask::rwx
default:other::r-x
When new files are created there, they will still be owned by your user, but an ACL will also be set on them granting privileges to the apache user:
$ touch donkey
$ ls -l donkey
-rw-rw-r--+ 1 gene gene 0 Aug 7 13:57 donkey
$ getfacl donkey
# file: donkey
# owner: gene
# group: gene
user::rw-
user:apache:rwx #effective:rw-
group::rwx #effective:rw-
group:www:rwx #effective:rw-
mask::rw-
other::r--
An overview of the command:
setfacl -dRm u:apache:rwX,g:www:rwX /var/www
The -d flag specifies the operations apply to the Default ACL.
The -R flag sets operations to apply recursively
The -m indicates it will be a modification operation
After that it is straightforward:
u:USERNAME:permissions
g:GROUPNAME:permissions
These entries must be separated by a comma.
The X permission (note: it's uppercase) means it will only be applied to directories and not files.
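The `#effective:` column in the `getfacl donkey` listing above is each entry ANDed with the mask, and the kernel's access decision is built from the same entries. The following is an added example, not code from the original answer: it parses the getfacl text of the donkey file exactly as shown above and applies the evaluation algorithm from acl(5). The user and group names (gene, apache, www, and a third user bob) are illustrative strings, not real accounts.

```python
# Added example (not from the original answer): a model of POSIX.1e ACL
# evaluation, as described in acl(5), applied to the 'donkey' listing above.
# User/group names (gene, apache, www, bob) are illustrative strings.

# Entries copied from the `getfacl donkey` output above (constructed input;
# the '#effective:' annotations are stripped by the parser).
DONKEY_ACL = [
    "# file: donkey",
    "# owner: gene",
    "# group: gene",
    "user::rw-",
    "user:apache:rwx #effective:rw-",
    "group::rwx #effective:rw-",
    "group:www:rwx #effective:rw-",
    "mask::rw-",
    "other::r--",
]


def parse_acl(lines):
    """Return {(tag, qualifier): set of 'r'/'w'/'x'} from getfacl text."""
    acl = {}
    for line in lines:
        line = line.split("#", 1)[0].strip()   # drop comments / '#effective:'
        if not line:
            continue
        tag, qualifier, perms = line.split(":")
        acl[(tag, qualifier)] = {c for c in perms if c in "rwx"}
    return acl


def effective(acl):
    """Reproduce getfacl's '#effective:' column: the mask caps every entry
    except the owner (user::) and other:: entries."""
    mask = acl.get(("mask", ""))
    capped = {}
    for key, perms in acl.items():
        if mask is not None and key[0] in ("user", "group") and key != ("user", ""):
            capped[key] = perms & mask
        else:
            capped[key] = perms
    return capped


def acl_allows(acl, owner, owning_group, uid, groups, want):
    """Access decision for `uid` (member of `groups`) requesting `want`,
    e.g. 'rw'. Follows the acl(5) algorithm: owner -> user::; named user
    -> that entry & mask; group class -> any single matching entry (& mask)
    that holds all requested bits; otherwise other::. A caller that is in
    the group class never falls through to other::."""
    want = set(want)
    mask = acl.get(("mask", ""), set("rwx"))
    if uid == owner:
        return want <= acl[("user", "")]
    if ("user", uid) in acl:
        return want <= (acl[("user", uid)] & mask)
    matching = []
    if owning_group in groups:
        matching.append(acl[("group", "")])
    matching += [acl[("group", g)] for g in groups if ("group", g) in acl]
    if matching:
        return any(want <= (entry & mask) for entry in matching)
    return want <= acl[("other", "")]


if __name__ == "__main__":
    acl = parse_acl(DONKEY_ACL)
    for key, perms in effective(acl).items():
        print(key, "".join(c for c in "rwx" if c in perms))
    print("apache can write:", acl_allows(acl, "gene", "gene", "apache", {"apache"}, "w"))
```

The point to take from the model is that the mask, not the named entry, decides what apache can do: `user:apache:rwx` still yields only `rw-` on donkey because the file's mask was set from the group bits of the creation mode, so a service that needs execute on new files must also fix the mask (for example with `setfacl -m m::rwx`) rather than only the named entry.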

You can achieve that on the group level by using the SETGID (SET Group ID) flag of chmod:
chmod g+s <directory>
From the docs:
On most systems, if a directory’s set-group-ID bit is set, newly created subfiles inherit the same group as the directory, and newly created subdirectories inherit the set-group-ID bit of the parent directory.
Once you set that, newly created files and directories inside <directory> will be set to <group>. e.g.
chmod g+s /srv/www
will cause newly created files and directories inside /srv/www to have the group www.
You can verify that by executing ls -al which will show s for the group "execute" permission on the directory. e.g.
drwxr-sr-x. 5 apache www 4096 Mar 13 20:32 www
^
SETGID
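The inheritance rule quoted from the docs can be observed directly rather than taken on trust. The following is an added example, not code from the answer above: it creates a temporary directory with mode 2775, then a file and a sub-directory inside it, and reports which bits and group the kernel assigned. It assumes a Linux-style filesystem that honours the setgid bit on directories and runs without privilege; because the test directory is created by the same user, the group-inheritance check is trivially true here, and the interesting observation is that the sub-directory inherits the setgid bit while the file does not.

```python
# Added example (not part of the answer above): watch the setgid-directory
# rule with real filesystem calls, as an unprivileged user, in a temporary
# directory. Assumes a Linux-style filesystem that honours S_ISGID on
# directories (the "most systems" the quoted docs refer to).
import os
import stat
import tempfile


def setgid_demo(umask=0o002):
    """Create a setgid, group-writable directory (mode 2775), then a file
    and a sub-directory inside it, and report what the kernel did."""
    old_umask = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            shared = os.path.join(tmp, "www")
            os.mkdir(shared)
            os.chmod(shared, 0o2775)                     # drwxrwsr-x
            os.mkdir(os.path.join(shared, "uploads"))    # 0777 & ~umask
            fd = os.open(os.path.join(shared, "index.html"),
                         os.O_CREAT | os.O_WRONLY, 0o666)  # 0666 & ~umask
            os.close(fd)
            d = os.stat(shared)
            sub = os.stat(os.path.join(shared, "uploads"))
            f = os.stat(os.path.join(shared, "index.html"))
            return {
                "dir_mode": stat.filemode(d.st_mode),
                "subdir_mode": stat.filemode(sub.st_mode),
                "subdir_inherits_setgid": bool(sub.st_mode & stat.S_ISGID),
                "file_has_setgid": bool(f.st_mode & stat.S_ISGID),
                "file_gid_matches_dir": f.st_gid == d.st_gid,
                "file_perm_bits": stat.S_IMODE(f.st_mode),
            }
    finally:
        os.umask(old_umask)


def group_of_new_file(dir_mode, dir_gid, creator_gid):
    """The rule the quoted docs state: under a setgid directory a new file
    takes the directory's group, otherwise the creator's primary group."""
    return dir_gid if dir_mode & stat.S_ISGID else creator_gid


if __name__ == "__main__":
    for k, v in setgid_demo().items():
        print(f"{k}: {v}")
```

Two practical consequences follow from the output: the setgid bit only fixes the group, never the owner, so the web server still needs group write permission (hence the umask of 002 in the demo, which leaves new files at 664), and a sub-directory created later keeps propagating the rule because it inherits the bit itself.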

My guess is you need to change user before executing the command - a script something like this:
$ whoami
user1
$ su - apache
Password:
$ whoami
apache
[add file]
$ exit

Related

ownership of file is changing automatically

How can I prevent changing the ownership of a file?
I have a file with permission as follows:
-rw-r-----. 1 netcool ncoadmin 1689 May 8 14:54 NCI_Constellation.proj
As part of RPM package installation, I am running a script which is supposed to write data into the NCI_Constellation.proj file. However, the permissions of the file get changed as follows during package installation, and the write to the file does not happen.
-rw-r-----. 1 root root 1689 May 8 14:54 NCI_Constellation.proj
Is there a way to not change the ownership of NCI_Constellation.proj file and keep it as it is as follows so that I will be able to write data to the file?
-rw-r-----. 1 netcool ncoadmin 1689 May 8 14:54 NCI_Constellation.proj
Please help.
The question is: what package does that file belong to and with what permissions?
rpm -qf /path/to/NCI_Constellation.proj
will give you the package owning this file (let's say NCI.rpm). Then
rpm -qlv NCI.rpm | grep NCI_Constellation.proj
will give you the owners and rights of this file as packaged by NCI.rpm. If you are the one packaging NCI.rpm, you should put something like this in your %files section:
%files
%attr(640,netcool,ncoadmin) /path/to/NCI_Constellation.proj
By the way make sure that you really can write to the file with those permissions; test that first... Who is running the script to change this file? As which user? then run it yourself manually as that user to make sure these file permissions will suffice.
You have two options, in my opinion.
First: add netcool to the root group by doing this:
$ sudo usermod -a -G root netcool
With this command your user is able to change and modify the file even after the permissions changed.
Second: make the netcool user a second root user by changing the /etc/passwd file.
For this, open the file with any editor you want, then change the UID and GID to 0. After doing this, if you run $ grep netcool /etc/passwd you should see:
netcool:x:0:0: {the rest may change for anybody}.
We can prevent the group of the file from changing by using the setgid bit on the directory. So if you add user netcool to ncoadmin and give write permission to ncoadmin, then you can edit the file. Here is how you can set the setgid bit on the directory.
chmod g+s your_directory_containing_file(NCI_Constellation.proj)
A bit more about setgid on directories:
setgid can be used on directories to make sure that all files inside the directory are owned by the group owner of the directory. The setgid bit is displayed at the same location as the x permission for group owner. The setgid bit is represented by an s (meaning x is also there) or a S (when there is no x for the group owner). As this example shows, even though root does not belong to the group proj55, the files created by root in /project55 will belong to proj55 since the setgid is set.
root@RHELv4u4:~# groupadd proj55
root@RHELv4u4:~# chown root:proj55 /project55/
root@RHELv4u4:~# chmod 2775 /project55/
root@RHELv4u4:~# touch /project55/fromroot.txt
root@RHELv4u4:~# ls -ld /project55/
drwxrwsr-x 2 root proj55 4096 Feb 7 17:45 /project55/
root@RHELv4u4:~# ls -l /project55/
total 4
-rw-r--r-- 1 root proj55 0 Feb 7 17:45 fromroot.txt

Git add permission denied ubuntu

My application is hosted on ubuntu in public_html folder. When I run the command git add . it gives me the error:
warning: could not open directory 'public_html/': Permission denied
Entire code is in public_html folder
How can I solve it?
You should make sure that your user has access to, or is the owner of, the folder and its content. You can check the current owner and permissions by running:
ls -l public_html
Here I list all non-hidden files in a test folder:
who:test who$ ls -l
total 0
-rwxrwxrwx 1 root admin 0 Oct 3 18:04 test1
-rwxrwxrwx 1 root admin 0 Oct 3 18:04 test2
The output shows that both files are owned by the root user and belong to a group named admin. The first column also shows the access permission, which in this case is set to read and write access for everyone.
If you would like to change the owner you can do:
sudo chown -R <user>:<group> public_html
The above will set the owner of the folder and all its content to the specified user and group; you might need sudo privileges to do this.
It is possible to change only the owner or only the group with the same command:
sudo chown -R <user> public_html
sudo chown -R :<group> public_html
To change the permission you would use:
sudo chmod -R <mode> public_html
Where mode is the permission, for instance 0777 for full read and write access to everyone. You can also use letters instead of an octal number when setting permissions, for instance:
sudo chmod -R a+rwx public_html
gives the same result as the first chmod command.
References
The chown command: https://ss64.com/bash/chown.html
The chmod command: https://ss64.com/bash/chmod.html

Why can't this user delete this file?

If I do:
ls -al /usr/local/bin/kill-all-sales-apps
I see:
-r-xr-xr-- 1 jenkins root 68 Aug 4 12:10 kill-all-sales-apps
If I sudo to root and then su to jenkins, I should be able to delete this, yes?
Other relevant information about the directory and its parent:
drwxr-xr-x 2 root root 4096 Aug 4 12:11 .
drwxr-xr-x 10 root root 4096 May 7 17:20 ..
If I do:
groups jenkins
then I see that the user "jenkins" has been added to the "root" group:
jenkins : jenkins root run-server-software
But if I:
rm /usr/local/bin/kill-all-sales-apps
I get:
rm: remove write-protected regular file ‘/usr/local/bin/kill-all-sales-apps’? y
rm: cannot remove ‘/usr/local/bin/kill-all-sales-apps’: Permission denied
Why is permission denied?
As to why the jenkins user can't delete, the jenkins user needs write permissions on the parent folder of the file you're looking to delete. This is because you're actually removing directory entries from the parent folder.
Usually, on most filesystems, deleting a file requires write permission on the parent directory (and execute permission, in order to enter the directory in the first place). (Note that, confusingly for beginners, permissions on the file itself are irrelevant. However, GNU rm asks for confirmation if a write-protected file is to be deleted, unless the -f option is used.)
Source: Wikipedia - Rm_(Unix)
So try running...
ls -ld /usr/local/bin
And make sure the jenkins user has write permissions on /usr/local/bin
Another way to do it is to modify sudoers to give jenkins user sudo permissions to rm only that file via sudo. Here's an example giving the user joe the explicit permission to sudo rm the file /usr/local/src/noperms/hi.txt from a directory he does not have write permissions to. But limiting him from deleting anything else in that directory.
For example:
[root@joeyoung.io ~]# mkdir -p /usr/local/src/noperms
[root@joeyoung.io ~]# chmod -R 455 /usr/local/src/noperms
[root@joeyoung.io ~]# touch /usr/local/src/noperms/hi.txt
[root@joeyoung.io ~]# echo "hi" >> /usr/local/src/noperms/hi.txt
[root@joeyoung.io ~]# chmod 455 /usr/local/src/noperms/hi.txt
[root@joeyoung.io ~]# su - joe
[joe@joeyoung.io ~]$ cat /usr/local/src/noperms/hi.txt
hi
[joe@joeyoung.io ~]$ rm /usr/local/src/noperms/hi.txt
rm: remove write-protected regular file `/usr/local/src/noperms/hi.txt'? y
rm: cannot remove `/usr/local/src/noperms/hi.txt': Permission denied
[joe@joeyoung.io ~]$ exit
[root@joeyoung.io ~]# visudo
[root@joeyoung.io ~]# diff -Nur /tmp/sudoers.orig /etc/sudoers
--- /tmp/sudoers.orig 2015-08-04 17:17:24.020781442 +0200
+++ /etc/sudoers 2015-08-04 17:24:21.258274163 +0200
## -101,6 +101,7 ##
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
+joe ALL=(root) NOPASSWD: /bin/rm /usr/local/src/noperms/hi.txt
## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
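Review bot: the added rule `+joe ALL=(root) NOPASSWD: /bin/rm /usr/local/src/noperms/hi.txt` grants more than the stated goal needs; NOPASSWD lets anything running as joe delete the file with no authentication, so drop it unless the deletion must run unattended. The rest of the rule is as narrow as the answer intends, because sudo matches the argument list literally: an invocation with extra options or a different path in that directory would be refused, which is worth stating in the answer so nobody widens the path to a wildcard.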
[root@joeyoung.io ~]# su - joe
[joe@joeyoung.io ~]$ sudo /bin/rm /usr/local/src/noperms/hi.txt
[joe@joeyoung.io ~]$ exit
[root@joeyoung.io ~]# ls -al /usr/local/src/noperms/hi.txt
ls: cannot access /usr/local/src/noperms/hi.txt: No such file or directory
[root@joeyoung.io ~]# ls -al /usr/local/src/noperms/
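The rule the answer quotes can be written down as a checker and run against the question's own listing. The following is an added example, not code from the answer above: a model of the unlink(2) permission check (write and search permission on the parent directory; the file's own mode irrelevant; the sticky-bit restriction for shared directories such as /tmp; uid 0 modelled as bypassing the mode check). The `Node` class and the numeric ids (root = 0, jenkins = 1001, run-server-software = 1002) are constructed for the illustration.

```python
# Added example (not from the answer above): a model of the rule quoted from
# the rm(1) article for unlink(2). Deleting a file needs write and search (x)
# permission on the parent directory; the file's own mode bits do not matter
# (GNU rm's "write-protected" prompt is rm's courtesy check, not the kernel's);
# in a sticky directory (mode 1777, e.g. /tmp) the caller must also own the
# file or the directory. uid 0 is modelled as bypassing the mode check.
# uids/gids below are constructed for the jenkins scenario in the question.
import stat


class Node:
    """Minimal stat-like record for a file or directory."""

    def __init__(self, mode, uid, gid):
        self.mode, self.uid, self.gid = mode, uid, gid


def _class_bits(node, uid, groups):
    """The rwx triplet that applies to this caller: owner, group, or other.
    Only one triplet is consulted, exactly as the kernel does it."""
    if uid == node.uid:
        return (node.mode >> 6) & 0o7
    if node.gid in groups:
        return (node.mode >> 3) & 0o7
    return node.mode & 0o7


def can_unlink(parent, target, uid, groups):
    """Return (allowed, reason) for `rm parent/target` run by uid."""
    if uid == 0:
        return True, "uid 0 bypasses discretionary access checks"
    bits = _class_bits(parent, uid, groups)
    if not bits & 0o1:
        return False, "no search (x) permission on parent directory"
    if not bits & 0o2:
        return False, "no write permission on parent directory"
    if parent.mode & stat.S_ISVTX and uid not in (target.uid, parent.uid):
        return False, "sticky directory: caller owns neither file nor directory"
    return True, "write and search permission on parent directory"


# The question's layout (constructed ids: root=0, jenkins=1001, run-server-software=1002)
USR_LOCAL_BIN = Node(0o755, 0, 0)               # drwxr-xr-x root root
KILL_SCRIPT = Node(0o554, 1001, 0)              # -r-xr-xr-- jenkins root
JENKINS = (1001, {1001, 0, 1002})               # uid, groups


if __name__ == "__main__":
    print("jenkins:", can_unlink(USR_LOCAL_BIN, KILL_SCRIPT, *JENKINS))
    print("root:   ", can_unlink(USR_LOCAL_BIN, KILL_SCRIPT, 0, {0}))
    print("after chmod g+w /usr/local/bin:",
          can_unlink(Node(0o775, 0, 0), KILL_SCRIPT, *JENKINS))
```

Running it on the question's listing shows why group membership did not help: jenkins being in group root selects the group triplet of /usr/local/bin, which is r-x, so the write bit is the one that is missing; owning the file itself never enters into the decision.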

set folder owner group

I have an application running on Ubuntu 12.04, and when a user submits a file using the submit form I get a permission denied error. So it seems that the user doesn't have permission to write. When I'm logged in as root and use ls -l folder_name it writes
drwxrwxr-x 2 root root 4096 Dec 5 01:17 folder1
drwxrwxr-x 2 root root 4096 Dec 5 01:17 folder2
When I use chown myuser folder_name and repeat ls -l folder_name it gives me the same output, so myuser is still not the owner of the folders. How can I add myuser as owner of the existing folders and of all newly created folders inside the existing folders?
Several things to consider:
owner is root so either 'sudo chown' or become root to do the change
chown myuser:mygroup to change both the owner and group (or chgrp)
from your question it sounds like this is from a web page, so it will probably need to be owned by apache:apache or whatever your webserver runs as
you can't specify the owner of all newly (future) created folders inside these, just who has permissions (chmod) to create folders and then depends on what user is trying to do the creates.
the command is:
sudo chown -R apache:apache folder1

Symfony2 cache recreation - write permission fail

Here is the problem.
The cache is stored in the app/cache folder. I'm currently working in the dev environment and my cache is stored in the app/cache/dev folder. The problem appears when I use the Symfony console command for cache clearing:
php app/console cache:clear
when I try to load my project localhost/symfony/dev_app.php I receive an error:
RuntimeException: Failed to write cache file
I've installed setfacl extension, because Debian does not support chmod a+ and here is what I've done:
At first, I checked which user used when http requests performed:
ps aux | grep http
ahmed 7219 0.0 0.0 7552 884 pts/0 S+ 19:51 0:00 grep http
Then I cleared app/cache folder by performing
rm -rf app/cache/*
Next step was:
setfacl -R -m d:u:ahmed:rwx,ahmed:rwx app/cache
As I understand it, this command sets default permissions for user ahmed on the app/cache folder and its current and new subfolders and files.
In my console I work under ahmed user.
After all this steps I loaded localhost/symfony/dev_app.php and cache was created. Then
php app/console cache:clear
And once again localhost/symfony/dev_app.php to create the new cache. But I still receive this error:
RuntimeException: Failed to write cache file "/var/www/local/symfony/app/cache/dev/classes.php".
So what am I doing wrong?
Here is the listing of getfacl for app/cache/dev
ahmed@ahmed:/var/www/local/symfony$ getfacl app/cache/dev
# file: app/cache/dev
# owner: root
# group: ahmed
# flags: -s-
user::rwx
user:ahmed:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:ahmed:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
The web server group (probably www-data) needs to be able to write to the cache and so does your user. Your user (ahmed) should be a member of the www-data group (note that you will have to re-login for group membership to take effect). Setting the setgid bit (+s) on app/cache and app/logs will ensure that files and directories your user creates within those will maintain group ownership by www-data. Uncomment the umask(0002) line within app_dev.php so that files created by www-data will maintain group ownership, make sure YOUR user has a umask of 0002 (type umask at prompt to see, or umask 0002 to set, and google for help on setting this at login) and ensure that your permissions look something like:
drwxrwsr-x 13 user www-data 4096 2013-05-10 11:05 dev
When your user ahmed creates files/directories within the directory owned by ahmed.www-data with +s, you should find that they are also owned by ahmed.www-data.
