What's the correct file owner to use locally for a joomla project, which is under svn?
When all my files are owned by apache user, I can't update my project from svn (& I can't edit these files with my normal user).
And when my files are owned by my normal user, joomla administration (Information tab) shows that some directories are read-only. Should I change only the owner of these directories (plugins, tmp...) to apache user, and leave the other files owned by my user?
I have to find a compromise between the two users (apache & normal user).
Ideally you should use a different user for each site, and use the same user for svn/git.
But assuming that's not possible, keep in mind that Joomla needs to write to the folders below. Additionally, without write access to images, you won't be able to upload images.
So the list of files/folders to assign to the apache user is:
administrator/cache
cache
logs
tmp
configuration.php
images
All the other files can be owned by the svn user; however you'll need to chmod / chown when you want to update Joomla from the backend, and install new extensions.
An easier approach is to keep only your component under svn (you can checkout only the paths you want with svn easily) and leave the rest to apache.
Finally, consider putting your svn user and Apache in the same user group, and chmod to 775.
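The ownership split described in the answer above can be checked with a small audit, shown here as an added example that is not part of the original answers. It lists everything under the Joomla root that the web server user owns outside the writable paths listed above; the helper name audit_joomla_owner and the sample invocation path are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original answers. The paths below are the ones
# the answer assigns to the web server user, relative to the Joomla root.
JOOMLA_WEB_WRITABLE="administrator/cache cache logs tmp configuration.php images"

# audit_joomla_owner ROOT WEBUSER   (hypothetical helper name)
# Prints every path under ROOT that WEBUSER owns but that is neither one of
# the allow-listed paths nor inside one. Returns 0 if clean, 1 otherwise.
# ROOT is assumed to contain no glob characters (it is used in -path tests).
audit_joomla_owner() {
    root=${1%/}
    webuser=$2
    # Build: find ROOT ( -path ROOT/a -o -path ROOT/b ... ) -prune
    #                  -o -user WEBUSER -print
    set -- "$root" \(
    sep=
    for p in $JOOMLA_WEB_WRITABLE; do
        set -- "$@" $sep -path "$root/$p"
        sep=-o
    done
    set -- "$@" \) -prune -o -user "$webuser" -print
    unexpected=$(find "$@")
    if [ -n "$unexpected" ]; then
        printf '%s\n' "$unexpected"
        return 1
    fi
    return 0
}

# Stand-alone use (constructed invocation): sh audit.sh /var/www/joomla www-data
if [ "$#" -ge 2 ]; then
    audit_joomla_owner "$1" "$2"
fi
```

A web-owned .svn directory or top-level folder shows up in the output too, which is the state that stops the normal user from running svn update.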
I've done this completely differently because this is really a pain, pushing files from a Joomla installation back to a repo. Assuming you're local,
change in /etc/passwd for apache or www-data the shell from bin/sh to bin/bash.
fix the permissions of the home directory (usually /var/www) for www-data, so that www-data can create its .svn directory. That's done by # chown -hR www-data /var/www
as root change to www-data : # sudo su www-data
go to the joomla installation/folder with the svn meta files
call svn info or whatever, so that it can store the svn credentials in .svn
you're done here, now you can call via php/system svn update in whatever folder
I've written this here, www.xappcommander.com, also for Joomla, for exactly this purpose, which allows you to change code in an active Joomla installation and push back the changes to a repo without all the pain of the alternatives (sftp/ftp). Through its shell extension, you simply write #svn ci --message="whatever".
This also works well in a live stage; under Plesk, PHP is running with your user account, so you skip step 1-4.
Related
On our server, I work with another developer. We want to both be able to edit files, make files, etc. We both want to be able to edit each other's files and be in complete collaboration with each other with no permission errors or having to use sudo all the time. We are also using Git. We have had issues in the past with Git making weird database files with the root username or group or only one of us. Then when we try to push to the repository, we get crazy errors and have to chmod everything back to one of us so the author is unified. Just a general mess. We are using a debian server.
Should we make 2 usernames and add them to the www-data group? Is adding us to www-data and having people visit the website secure with that?
Should we then chmod all folders to 755 permission and files to 644?
We want all new files made within /var/www to be in one of our usernames but with the www-data group by default so that we can both edit the file. Is the chmod -R g+rws /var/www enough for this? We want files to be ready as soon as they are made. File permissions set properly by default.
Should we use ACL for this instead of all the chmod stuff?
Is this a good guide to follow?
http://machiine.com/2013/easy-way-to-give-user-permission-to-edit-and-add-files-in-varwww/
Thanks
I wanted to copy my Drupal site to another location (VDS). I got a full backup from my provider (in tar.gz), untarred and ungzipped it, deleted some folders, zipped it again in 7zip format, then copied it with sftp to /var/www on the VDS and unzipped it, but all permissions now are read-only and so Drupal doesn't work at all because it cannot access files.
Can anyone tell when I lost my permissions, the right way to migrate to my VDS or (and) how can I manage with my corrupted-permission Drupal now (maybe I just can change them?)
Read only permission is generally fine for a Drupal site, except for the upload folder (it's normally called files and it can be in sites/default or in sites/YOUR_SITE_CONFIGURATION_FOLDER or wherever you set it to be in admin/config/media/file-system). The files folder, and every subfolder it contains, must be writable from the web server, so if your web server is running as the www-data user (the standard user for Apache in Ubuntu, other systems may differ) you can for example do
chmod -R o+w sites/default/files
chown -R www-data sites/default/files
I've got a LAMP webserver running my homepage (index.html in var/www/). I'd like to know in general how to set my file permissions so that browsers can't access anything besides the html/php files I want to show. Right now I've sort of accidentally chmodded everything to 777. I understand that .htaccess only protects the www folder and inwards... How can I set my permissions so that I have an svn folder that svn can still access but browsers can't?
In security you should follow the paradigm of "Least Privilege Access". It is best to do a chmod 500 -R /var/www and a chown www-data -R /var/www. This is assuming that your PHP code is running as www-data; you could run a <?php system('whoami')?> to verify your user account.
A chmod 500 gives the web root read and execute privileges. Write privileges are very dangerous, as this is vital for defacing your site. The last number should always be zero; this is global privileges and you don't want any other account/process accessing your webroot.
I just learned to install Apache 2 on my ubuntu linux localhost for the first time. I'm making it work with PHP5.
I noticed that anytime I want to write to a file or directory, I have to chmod 777 the destination.
But from my experience working on 3rd party hosting solutions, I am generally allowed to write to files and dirs that have 755 permissions.
What can I do on my localhost so that I can write to files and dirs with 755 permissions? If the answer to this is very long, can someone send me a link to a step by step guide to do this?
Here are some simple rules for web site content management (under apache) that most people should follow:
All content should be chown'd & chgrp'd to the same user that apache is running as. On new ubuntu installs, the user and group are both "www-data".
If you want to administer the serving files under your own user group, then you should add yourself to the www-data group, and make sure that users in this group have read/write access to all the serving files and directories. The caveat here is that you want to make sure not to create new files as your personal account. These should still be owned by www-data. The easiest way to accomplish this is to create the file as yourself, and then chown it to www-data:www-data.
If you do these 2 things, then you should be able to write to files that are being served by apache. I'm not sure where your document root is, but something like this would likely work for most simple installs:
$ sudo usermod $USER -a -G www-data
$ cd /var/www
$ sudo chown -R www-data:www-data .
You probably can't achieve this because the owner of the file is different than the user trying to perform an action on the file.
the permissions are:
owner-group-everyone
rwx-rwx-rwx
i.e. 111 = 7 which allows read/write and execute.
101 = 5 which is just read and execute
you can't write to the file because your logged in user isn't part of the owner/group that has access to the file.
the final 7 (i.e. rwx-rwx-111(7)) means that globally, everyone has read/write access to that file.
how to fix this
In Linux, you can use the chown or chgrp command to achieve your desired results.
First, you will want to find out as which user your PHP code is running. If you are using mod_php5 (package name libapache2-mod-php5) with Apache to run with the "worker" or the "prefork" MPM, this will probably be www-data.
This is no big problem as long as you only run one web application within the server. However, if you run multiple applications (or scripts that are owned by more than one user), you are setting yourself up for all kinds of security-related "fun".
I moved from a shared hosting to a VPS a few weeks ago and I'm having these annoying permission issues with WordPress. You know you can download and upgrade plugins (and wordpress itself) from the admin panel, but since I moved it started asking me my FTP credentials, which is kinda slow when I have to update ~20 plugins.
I think this should be some kind of rights issue. I looked at the shared hosting wordpress files, they all belong to the username and group kovshenin (kovshenin:kovshenin) and the files are -rw-r--r-- and the directories are drwxr-xr-x.
On my VPS apache runs under apache:apache and my files are kovshenin:kovshenin. What should I do to make them readable and writable by both kovshenin and apache?
Also, I changed the permissions to 0777 for all files and folders of my wordpress installation, that allowed me to install and delete plugins without FTP, but when I pushed to automatic upgrade to WordPress 2.8.1 it still asked me for my FTP account. Is that a wp issue or did I miss something?
Thanks.
Update: I managed to run id and id www-data on the MediaTemple shared hosting. User kovshenin is in group kovshenin, and www-data is in group www-data. No more groups. What's the trick?
Another update: Okay, I added the apache user to the kovshenin group, my wordpress files are kovshenin:kovshenin with rw-rw-r-- permissions and drwxrwxr-x permissions on directories, but something is still wrong. The user apache can access the files and folders, I can use the online Themes and Plugins editor in the wordpress admin panel, I'm able to make changes to the .htaccess file from within wordpress, but plugin/theme installation still asks me for FTP credentials!
Any ideas? Thanks.
What should I do to make them readable and writable by both kovshenin and apache?
Create a new group, say "wordpress".
Add both kovshenin and www-data users to the wordpress group.
Change the group owner of all the files to wordpress (using chgrp).
Make sure all the files are group writeable.
Set the g+s (setgid) permission bit on all the directories of interest.
Make sure kovshenin and apache's default umask includes group read & write permission.
The second last step is the trick. It means that whenever kovshenin or apache creates a file in those directories, the group owner will be set to wordpress (instead of kovshenin or apache).
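The steps above as a script, added here as an example that is not part of the original answer: share_tree applies the chgrp, group-write and setgid steps to an existing tree, check_shared reports anything that breaks the scheme, and probe_new_file shows what the umask step changes for newly created files. The helper names are hypothetical; the group name wordpress comes from the answer.

```shell
#!/bin/sh
# Added example, not from the original answer; helper names are hypothetical.
# The first two steps need root and are shown only as comments:
#   groupadd wordpress
#   usermod -a -G wordpress kovshenin
#   usermod -a -G wordpress <web server user>

# share_tree DIR GROUP: chgrp, group-write and setgid steps for an existing tree.
share_tree() {
    chgrp -R "$2" "$1"                        # group owner for every path
    chmod -R g+rwX "$1"                       # X: execute only for dirs/executables
    find "$1" -type d -exec chmod g+s {} +    # setgid: new entries inherit the group
}

# check_shared DIR GROUP: print paths with the wrong group, without group
# read/write, or (directories) without setgid. Returns 1 if any are found.
check_shared() {
    bad=$(find "$1" \( ! -group "$2" -o ! -perm -060 \
                       -o \( -type d ! -perm -2000 \) \) -print)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# probe_new_file DIR UMASK: create a file in DIR under the given umask and
# print "<mode> <group>" for it, which shows what the umask step changes.
probe_new_file() {
    probe="$1/.perm-probe.$$"
    ( umask "$2" && : > "$probe" ) || return 1
    ls -ld "$probe" | awk '{ print substr($1, 1, 10), $4 }'
    rm -f "$probe"
}
```

With umask 022 the probe prints -rw-r--r--, so the other account cannot modify the new file even though setgid gave it the right group; with umask 002 it prints -rw-rw-r--.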
You can give ownership to www-data according to here.
Run the following command in your WordPress directory (sudo required):
sudo chown -Rf www-data *
Works for Apache.
Assuming your wordpress install directory is /var/www/html to mass change all the files and directories to the proper permission use:
sudo find /var/www/html/ -type d -exec chmod 775 {} \;
sudo find /var/www/html/ -type f -exec chmod 664 {} \;
To mass change the owner group of everything use:
sudo chown -R <desired_username>:<desired_groupname> /var/www/html
I had the same problem and I solved it turning off PHP 'safe_mode' in plesk, now WP can create folders and move files without any problems.
I hope this helps you.
Currently, adding define('FS_METHOD', 'direct'); to wp-config.php might do the trick. Not sure that would have worked in '09 though. See here for my similar case using nginx. I found that it was an essential step.