System user permissions for Apache2 files - linux

How to make normal system user permissible for all files created by apache?
I set the www-data group as the primary group for the user, but this still doesn't work :/
Created directories (by www-data) have 755 chmods, files have 644.
I don't want to change directory/file permissions every time I want to do something as the user.

Related

SSH Change ownership of public_html

The default ownership for public_html was myusername:nobody
drwxr-xr--. 18 myusername nobody 4096 Jun 1 16:06 public_html/
I changed this to myusername:myusername since I need to access a file inside public_html using the following command
# chown myusername:myusername public_html
It worked and ownership changed.
Now I'm not able to change the ownership back to myusername:nobody. I'm using this command
chown livegiftcard:nobody public_html
and it gives me the error
chown: changing ownership of ‘public_html’: Operation not permitted
I have also tested this with sudo and also chgrp but no luck.
Also I could not run my website. Browser gives me the following error.
Forbidden
You don't have permission to access / on this server. Server unable to
read htaccess file, denying access to be safe
Additionally, a 403 Forbidden error was encountered while trying to
use an ErrorDocument to handle the request
Problem:
Apache/nginx has a user who needs to read the files in the docroot. The default user and group is www-data:www-data. I'm not sure if this is correct in your case.
Now the files are owned by myusername:myusername and the apache/nginx user is probably not in the group "myusername". So if you have some knowledge about the permission system of Linux, the webserver user has only the rights everybody has (third column). When the group was set to nobody, the files weren't owned by any group and every user can act under the group permissions. In your case I guess the group can read all files and all others can't.
What you can do:
Give all others the right to read the files with
chmod -R o+r public_html
Now everybody, including the webserver user can read the files and you will not get the 403 error. -R is for recursive, so every file and directory under public_html will get the readable flag too.
Another thing is to add the webserver user to the group "myusername" so the webserver user can use the group permissions too.
The third and last possibility which came to my mind is to change the group to "nogroup" instead of "nobody" because nobody is the user and nogroup the group.

How can I make apache read&write to a user's directory without setting a 777 permission

I setup a virtualhost for Apache server on Linux, set the document root to /home/someuser/www
Now the permission of /home/someuser/www is default, the problem is Apache can not write to /home/someuser/www
Is there a way to make sure Apache has ability to read&write to /home/someuser/www, I do not want to set www/ as 777.
At the moment, there is a folder named cache/ in www/. When Apache generates cache files in the cache/ folder, I want to use my user to make changes to www/cache/*.
Thanks.
Add the www-data to your user group. As root, replace <groupname> by the user group name:
usermod -a -G <groupname> www-data
Allow the group to read/write in the folder and setgid:
chmod -R g+rws /home/someuser/www

File read permissions for 'others' not working

I'm trying to give read permissions to lighttpd access logfiles to normal users which are on the same system.
The permissions are currently:
-rw-r--r-- 1 www-data www-data 211K Feb 28 11:27 /var/log/lighttpd/access.log
So, if I understood correctly others have read permissions. Unfortunately this doesn't seem to work. If I try to read this file with an user account I get:
/var/log/lighttpd/access.log: Permission denied
I already tried to add the user to the group www-data which didn't work as well.
Any hints what I'm doing wrong here?
To access a file, the system needs the execute permission on all the directories containing the file.
In this case it was necessary to issue the chmod o+x /var/log/lighttpd command (after making sure that the user belongs to the "other" part of the permission set).
The "execute" permission for a directory allows you to enter it. The "read" permission for the directory allows you to see the names of the files inside. The interesting thing is that you can give the x permission alone, which means that anyone can access the files inside, but they need to know their names.
You might not have execute permission on the lighttpd directory, so the directory does not give permission to access the file it contains.
Use the command to set the execute permission to that directory.
chmod +x /var/log/lighttpd
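The rule both answers rely on (a readable file is still unreachable when a directory above it lacks the search bit), as an added example that is not part of either answer. It assumes GNU stat; the function name blocked_dirs and the temp tree standing in for /var/log/lighttpd are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the directories above a file that "other" users cannot
# traverse (missing o+x). Assumes GNU coreutils stat (-c '%a').

# blocked_dirs FILE [TOP]: walk from FILE's directory up to TOP (default /)
# and print every directory whose "other" execute/search bit is unset.
blocked_dirs() {
    top=${2:-/}
    dir=$(dirname -- "$1")
    while :; do
        mode=$(stat -c '%a' -- "$dir") || return 2
        # The last octal digit holds the "other" bits; 1 is execute/search.
        [ $(( (mode % 10) & 1 )) -eq 1 ] || printf '%s\n' "$dir"
        case $dir in "$top"|/|.) break ;; esac
        dir=$(dirname -- "$dir")
    done
}

# Constructed demo tree: the log file is world-readable (644), but the
# directory holding it is 750, so "other" users cannot reach the file.
demo() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/log/lighttpd"
    : > "$base/log/lighttpd/access.log"
    chmod 755 "$base" "$base/log"
    chmod 644 "$base/log/lighttpd/access.log"
    chmod 750 "$base/log/lighttpd"
    blocked_dirs "$base/log/lighttpd/access.log" "$base"
    rm -rf "$base"
}

demo
```

Granting o+x without o+r on the reported directory keeps its listing private while letting users open files whose names they already know.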

How make /var/www contents editable by IDE

I followed this link to change group/user permissions to add myself to the www-data group,
but I am still unable to edit contents in /var/www, especially with uploaded content.
This is my development environment, I don't want to chmod /var/www/ each time there is an upload.
While keeping contents under /var/www, what are the steps to change /var/www directory permissions to be able to edit contents directly from an IDE?
My login account user and group name is debianaut:
groups www-data
www-data : www-data debianaut
groups debianaut
debianaut : debianaut www-data
I logged in/out after making these changes. It seems straightforward that if I am a user of a certain group I should get whatever permissions they hold.
Please help resolve this issue.
I suspect your issue is the fact that the user account has more than one group, and the default group is not the one with write permission to that folder.
While Linux allows your user access to multiple groups, it does not provide access to all of them at once. Here are some options to address this:
Change the group used while running in a shell
Change the user's default logon group
Use ACLs
New Group in a Shell
In order to operate as a different user after starting a shell, use newgrp.
Change default Group
In order to change the user's default group, edit /etc/passwd, or use a command to do the job (not sure which command, and it probably differs from distribution to distribution).
ACLs
You will likely prefer to use ACLs. See the man pages for setfacl and getfacl. ACLs (access control lists) are expanded permissions. Not all Linux systems support them, but I would be surprised if your Debian system doesn't. The following should add read-write-execute permission for user debianaut to all of /var/www:
setfacl -R -m u:debianaut:rwx /var/www
By the way - you can check the group id of a running process (such as your IDE), use ps -o gid -p <pid>.
Inheriting ACLs
Following the post here led to the answer for inheriting ACLs.
The answer is called default ACLs in the man page. The following will set the ACL for debianaut as the default for files created in /var/www:
setfacl -R -d -m u:debianaut:rwx /var/www
I think you should change your umask to 0002:
umask 0002
This could also be useful.
For me the problem has to do with joomla configuration. You need to change the default permissions for uploaded files. This link may help you: http://forum.joomla.org/viewtopic.php?t=286584
There are two relatively simple options, none of them should involve www-data -- you don't want the webserver to have unnecessary write access to your contents.
1) Just take ownership of /var/www for your userid that will edit the files.
2) Establish a new group, make it one of your secondary groups, and make /var/www group-writable + setgid (chmod g+s) that new group. New files in the setgid dir will have their group set to the shared group.
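The setgid, group-writable directory and the umask 0002 suggestion from the answers above, shown as an added example that is not part of any answer, together with an audit for entries that break the layout. The function name audit_shared and the temp tree standing in for a docroot are constructed; the demo relies on Linux semantics, where a subdirectory created inside a setgid directory inherits the group and the setgid bit.

```shell
#!/bin/sh
# Added example, not from the answers. Octal -perm tests: 020 = group write,
# 2000 = setgid, 002 = world write. Assumes Linux setgid-directory semantics.

# audit_shared DIR: print every entry that breaks the shared-group layout.
audit_shared() {
    find "$1" \( -type f -o -type d \) ! -perm -020 \
        -exec printf 'no-group-write %s\n' {} +
    find "$1" -type d ! -perm -2000 -exec printf 'no-setgid %s\n' {} +
    # World-writable entries are the 777-style setup the questions want to avoid.
    find "$1" ! -type l -perm -002 -exec printf 'world-writable %s\n' {} +
}

# Constructed temp tree standing in for a docroot.
demo() {
    base=$(mktemp -d) || return 1
    # Before the fix: a daemon umask of 0022 gives 755 directories, 644 files.
    ( umask 0022; mkdir "$base/cache"; : > "$base/cache/old.tmp" )
    chmod 2775 "$base"      # group-writable + setgid on the shared root
    # After the fix: umask 0002 inside a setgid directory gives 2775 and 664.
    ( umask 0002; mkdir "$base/uploads"; : > "$base/uploads/new.tmp" )
    audit_shared "$base"    # report whatever still breaks the layout
    rm -rf "$base"
}

demo
```

Entries that predate the change keep their old modes, so an existing tree needs a one-time chmod -R g+rwX plus setgid on its directories before the audit comes back empty.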

problem with ftp pushing files and me not having access as regular user

I've run visudo and added my username to the list to be able to do whatever I need to rather than logging in as root user.
I have my svn push out files through ftp as user www-data, and therefore when I try to cd into those directories, I get permission denied.
Any thoughts? Can I add my username to some config file somewhere to have access to all files?
When you use sudo, you are running as the root user, but only for that particular command. I think the easiest thing to do would be to ensure that you and www-data are in the same group, and set the group permissions accordingly. (e.g., chmod 775 yourdir)
