I followed this link to change group/user permissions and add myself to the www-data group,
but I am still unable to edit contents in /var/www, especially uploaded content.
This is my development environment; I don't want to chmod /var/www/ each time there is an upload.
While keeping contents under /var/www, what are the steps to change the /var/www directory permissions so that I am able to edit contents directly from an IDE?
My login account user and group name is debianaut:
groups www-data
www-data : www-data debianaut
groups debianaut
debianaut : debianaut www-data
I logged out and back in after making these changes. It seems straightforward that if I am a member of a certain group I should get whatever permissions it holds.
Please help resolve this issue.
I suspect your issue is the fact that the user account has more than one group, and the default group is not the one with write permission to that folder.
While Linux allows your user access to multiple groups, it does not provide access to all of them at once. Here are some options to address this:
Change the group used while running in a shell
Change the user's default logon group
Use ACLs
New Group in a Shell
In order to operate as a different user after starting a shell, use newgrp.
Change default Group
In order to change the user's default group, edit /etc/passwd, or use a command to do the job (not sure which command, and it probably differs from distribution to distribution).
ACLs
You will likely prefer to use ACLs. See the man pages for setfacl and getfacl. ACLs (access control lists) are expanded permissions. Not all Linux systems support them, but I would be surprised if your Debian system doesn't. The following should add read-write-execute permission for user debianaut to all of /var/www:
setfacl -R -m u:debianaut:rwx /var/www
By the way, to check the group id of a running process (such as your IDE), use ps -o gid -p <pid>.
Inheriting ACLs
Following the post here led to the answer for inheriting ACLs.
The answer is called default ACLs in the man page. The following will set the ACL for debianaut as the default for files created in /var/www:
setfacl -R -d -m u:debianaut:rwx /var/www
I think you should change your umask to 0002:
umask 0002
This could also be useful.
For me the problem has to do with joomla configuration. You need to change the default permissions for uploaded files. This link may help you: http://forum.joomla.org/viewtopic.php?t=286584
There are two relatively simple options; neither of them should involve www-data -- you don't want the webserver to have unnecessary write access to your contents.
1) Just take ownership of /var/www for your userid that will edit the files.
2) Establish a new group, make it one of your secondary groups, and make /var/www group-writable + setgid (chmod g+s) that new group. New files in the setgid dir will have their group set to the shared group.
Related
I have a new OpenCart website. I and 2 different programmers with 3 separate logins need to edit the same OpenCart file base in the group www-data. I have set the permissions using the instructions below. But these instructions do not account for the 3 different users having permission to edit the files. Do I need to make all the users members of the www-data group?
Any help is much appreciated.
# change user and group
chown -R wyattjackson:www-data /path/to/opencart/root
# folders
find /path/to/opencart/root -type d -exec chmod 755 {} +
# files
find /path/to/opencart/root -type f -exec chmod 744 {} +
chmod 775 image
chmod 775 system/storage
First, to ensure that the apache user creates files that are group writeable, you can change the default umask of the apache user by adding the following to either /etc/apache2/envvars (Debian/Ubuntu) or /etc/sysconfig/httpd (CentOS/Red Hat):
umask 002
Now you can either simply add everyone to the www-data group or…
Create a new group
Add everyone (including www-data) to it
Set the group ownership of the docroot to the newly created group
Set the setgid bit on the directory so that all files will inherit its group: chmod g+s /path/to/opencart/root
The benefit of the second, slightly more complex approach is that you aren't opening up all of the files created by www-data to anyone in that group, thereby giving you a bit more granular control over your server permissions.
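An added example (not from any of the posts above) of what the setgid directory and the umask each contribute, as described in the two answers that recommend chmod g+s. It runs unprivileged in a scratch directory, so the scratch directory's own group stands in for the shared group; the names docroot, upload.txt and cache are made up, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: setgid fixes the GROUP of new files, the umask decides
# whether that group can WRITE them. Scratch paths below are made up.

mode_of()  { stat -c '%a' "$1"; }   # octal mode, e.g. 2775 (GNU stat)
group_of() { stat -c '%g' "$1"; }   # numeric group id

# demo UMASK -> "<docroot mode> <new file mode> <new subdir mode> <group kept: yes|no>"
demo() {
    root=$(mktemp -d) || return 1
    (
        umask "$1"
        mkdir "$root/docroot"
        chmod 2775 "$root/docroot"        # rwxrwsr-x: group-writable + setgid
        : > "$root/docroot/upload.txt"    # a file written later, e.g. an upload
        mkdir "$root/docroot/cache"       # a directory created later
        want=$(group_of "$root/docroot")
        kept=no
        if [ "$(group_of "$root/docroot/upload.txt")" = "$want" ] &&
           [ "$(group_of "$root/docroot/cache")" = "$want" ]; then
            kept=yes
        fi
        echo "$(mode_of "$root/docroot") $(mode_of "$root/docroot/upload.txt") $(mode_of "$root/docroot/cache") $kept"
    )
    rm -rf "$root"
}

# With umask 002 new files are group-writable; with the common default 022
# they keep the shared group but the other group members cannot edit them.
demo 002
demo 022
```

New subdirectories inherit the setgid bit themselves, which is why the group setting survives in nested upload directories without another chmod.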
I would like to share a folder called 'files' with user1 and user2 in my Linux account. Is there a way to set the authorizations to read write or execute for only these two users and keep it secure from other users?
To my knowledge, it is only possible to do this for a usergroup as a whole.
Thank you
If your Linux has a "modern" filesystem (ext3/ext4, ...) you can achieve this with POSIX ACLs:
Enable ACLs for the FS. --> only required for ext3 and ext4 on kernels older than 2.6.38. All other FS with ACL-support have them automatically activated.
mount -o remount,acl /
tune2fs -o acl /dev/<partition>
Give user1 access to the folder files: (r/w/x)
setfacl -m user:user1:rwx /home/philipovic/files
Give user2 access to the folder files: (r/w/x)
setfacl -m user:user2:rwx /home/philipovic/files
If your Linux does not support ACLs you have to create a group:
Create a group
Add the desired users to that group
chgrp the directory to that group, and give permissions with chmod:
chgrp groupname /home/philipovic/files
chmod g+rwx /home/philipovic/files
Note: in the above examples we are using r/w/x permissions and therefore giving the users/group FULL control! Don't forget to change them to the desired permission.
I was wondering if anyone could explain a bit on Linux permissions for me. I have two groups
Group A - Normal Users
Group B - File Changing group
I want group B to be pretty much exactly the same as group A other than group B are able to change 'message of the day' how could I set it so they have write access to MOTD and group A only have read access?
With ordinary UNIX u-g-o permissions, you can only assign a single UNIX group to any given file. In your case, since "normal users" presumably means "all users", you could just chmod the MOTD file to 664 (group read-write, all read-only), and chown it to root:file_changers (file owned by root, and assigned to the file_changers group).
With Linux ACLs, you can assign multiple groups to a file. Not all filesystems support ACLs. You can use setfacl to alter the permissions:
setfacl -m g:regular:r motd
setfacl -m g:file_changers:rw motd
Note that, in my opinion, ACLs can often be overkill. They can make permission management a hassle if you aren't prepared for them. Consider carefully if you need them; otherwise, stick to the simpler UNIX permission system.
Solution without ACLs:
You can move the motd file into a directory that is readable by group A and make the file writable by group B. Then place a symlink in place from the original location to the new location.
Example (assuming motd is in /etc/motd):
# mkdir /etc/motd-dir
# mv /etc/motd /etc/motd-dir/
# chgrp groupA /etc/motd-dir
# chgrp groupB /etc/motd-dir/motd
# chmod 750 /etc/motd-dir
# chmod 664 /etc/motd-dir/motd
# ln -s /etc/motd-dir/motd /etc/motd
This solution requires that all members of group B must also belong to group A so they can access the directory.
I'm working on BOINC project.
I have two users: boincadm and www-data (for apache).
Both belong to group boinc
www-data : boinc www-data boincadm
boincadm : boinc adm dialout fax cdrom floppy tape audio dip www-data video plugdev netdev bluetooth lpadmin fuse scanner sambashare subversion
I have a boinc project created in /home/boincadm/projects/myproject/
All files and folders there are owned by boincadm : boinc and have rwxrwx--- permissions.
The problem is that the www-data user cannot access the files, which causes multiple errors like:
Warning: require_once(../inc/db.inc): failed to open stream: Permission denied in /home/boincadm/projects/myproject/html/user/index.php
Fatal error: require_once(): Failed opening required '../inc/db.inc' (include_path='.:/usr/share/php:/usr/share/pear') in /home/boincadm/projects/myproject/html/user/index.php
or just
Can't access the file XXX
in the logs.
If I grant rwx to "others" (777), it works.
My question is, why don't the group permissions work as I expect? Any ideas?
I'm not an expert in Linux, so I could be missing something.
Here is a possibility:
www-data has primary group www-data; the rest are supplementary groups.
The server process has the right user (by setresuid or similar) and primary group (by setresgid or similar), but lacks the other supplementary groups (without initgroups or similar).
If this is the case, you have a few options: change the file ownership to the primary group, change the group the server runs as, or fix the server to include all supplementary groups.
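An added diagnostic (not from the post above) for the situation this answer describes: it compares the groups a running process actually holds, read from the Linux /proc/<pid>/status format, with the GIDs the account database lists for the user. The function names and the sample status text are constructed for illustration.

```shell
#!/bin/sh
# Added example: find groups a user has on paper but a process lacks.
# Reads the "Gid:" and "Groups:" lines of a /proc/<pid>/status file.

# proc_gids STATUS_FILE -> effective GID plus supplementary GIDs, one per line
proc_gids() {
    awk '
        $1 == "Gid:"    { print $3 }    # columns: real, effective, saved, fs
        $1 == "Groups:" { for (i = 2; i <= NF; i++) print $i }
    ' "$1" | sort -un
}

# missing_gids STATUS_FILE "GID GID ..." -> listed GIDs the process does not hold
missing_gids() {
    have=$(proc_gids "$1")
    out=
    for g in $2; do
        echo "$have" | grep -qx "$g" || out="$out $g"
    done
    echo "${out# }"
}

# Constructed sample: a server worker that switched its uid and primary gid
# but never loaded the user's supplementary groups (it still carries gid 0
# from its parent). GIDs are made up: 1113 = www-data, 1111 = boinc.
sample_status() {
    printf 'Name:\tapache2\nUid:\t33\t33\t33\t33\n'
    printf 'Gid:\t1113\t1113\t1113\t1113\nGroups:\t0 \n'
}

# On a live system:
#   missing_gids "/proc/<pid>/status" "$(id -G www-data)"
# Any output means group-based permissions (rwxrwx---) will not apply to
# that process, even though "groups www-data" lists the group.
tmp=$(mktemp)
sample_status > "$tmp"
echo "missing: $(missing_gids "$tmp" "1113 1111")"
rm -f "$tmp"
```

A process only picks up group changes when it is restarted, so an empty result after restarting the service confirms the fix.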
Here is how I solved it:
First of all I read this:
link
At some point this article mentioned the file /etc/group, where information about groups is stored.
I opened this file and noticed that in spite of my previous actions there is no www-data in group boinc. And no www-data in group boincadm and the opposite. That is strange!
Strange because I've added these users to group boinc using the usermod command and made sure this group is primary for both.
Moreover, the command groups <username> showed that they are in group boinc.
So now the question is: why did this happen?
The problem was solved by modifying 3 lines:
boinc:x:1111:boincadm, www-data
boincadm:x:1112:boincadm, www-data
www-data:x:1113:www-data, boincadm
I needed all 3 lines to make it work. Hope it helps somebody. And I still would like to understand why the file /etc/group was not modified automatically when using usermod. And why groups shows the correct result if so.
I'm a little bit confused with Linux permissions. I'm configuring a Git central repository that the users access by SSH. I'm using filesystem ACLs (link) and regular Linux permissions. What I intend to do is:
Find a way in which only the users that I want will be able to list/read/write/execute the dir "/var/github" (in a way that I assign a group to the user that I want to give this kind of permissions)
The user "git" is the only user that can create new folders in "/var/github"
Is this possible to do? Some clues on how to do it?
Best Regards,
chown git:git /var/github; chmod 750 !$
Now only the group git can read the folder and only the user git can modify it.
You can use access control lists to grant access to multiple groups. Here's an example session (using Ubuntu, but it should be the same for CentOS) that gives the grp1 group read access and the grp2 group read, write and execute access:
$ touch foo
$ setfacl -m "g:grp1:r--,g:grp2:rwx" foo
$ getfacl foo
# file: foo
# owner: me
# group: me
user::rw-
group::r--
group:grp2:rwx
group:grp1:r--
mask::rwx
other::r--
Make sure that along with the user "git" that there is a "git" group. Add all the users to the group that you will give access to. Change the ownership properties of your directory to user and group git, and then the permission of 750. The ownership and mode commands are as follows:
chown git:git /var/github
chmod 750 /var/github
The permission of 750 lets the user do pretty much anything in the folder and only the members of the group "git" read and possibly execute in that folder. What programs and commands you use for your user management is up to you.