Story: I deleted a directory LogViewer from the document root that was browsable and working perfectly. Later I decided to add it back, but now Apache won't show it.
drwxr-xr-x. 12 user group 4096 Jun 19 15:16 272
drwxr-xr-x. 12 user group 4096 Jun 19 15:17 273
drwxr-xr-x. 3 user group 4096 Jun 20 08:06 LogViewer
The 272 and 273 directories are browsable and work.
Output of ls -lZ:
drwxr-xr-x. user group system_u:object_r:httpd_sys_content_t:s0 272
drwxr-xr-x. user group system_u:object_r:httpd_sys_content_t:s0 273
drwxr-xr-x. user group unconfined_u:object_r:user_home_t:s0 LogViewer
What I've Tried:
I have restarted apache multiple times. I've stopped it, and started it. I've refreshed the browser, I've cleared cookies and all temp files.
My Question: Wtf?
As per: SELinux doc
To make a folder viewable from a special user public HTML folder, it
needs to have a type that httpd has permissions to read, presuming the
Apache HTTP Server is configured for UserDir and the Boolean value
httpd_enable_homedirs is enabled.
Try this command:
chcon -R -t httpd_user_content_t LogViewer
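The label mismatch in the listing above can be found mechanically. The following is an added example, not part of the original question or answer; it treats the two httpd content types named on this page as the allow-list, which is an assumption to adapt to your own policy.

```shell
#!/bin/sh
# Added example (not from the original posts): flag entries in `ls -lZ` output
# whose SELinux type is not in an allow-list of httpd-readable types.

# Assumption: only the two content types mentioned on this page are acceptable.
ALLOWED_TYPES="httpd_sys_content_t httpd_user_content_t"

# The listing from the question, embedded so the script runs offline.
SAMPLE='drwxr-xr-x. user group system_u:object_r:httpd_sys_content_t:s0 272
drwxr-xr-x. user group system_u:object_r:httpd_sys_content_t:s0 273
drwxr-xr-x. user group unconfined_u:object_r:user_home_t:s0 LogViewer'

# mislabelled: read `ls -lZ` lines on stdin, print "NAME TYPE" for each entry
# whose type is not in ALLOWED_TYPES. NAME is the last field, so names that
# contain spaces are reported by their last word only.
mislabelled() {
    awk -v allowed="$ALLOWED_TYPES" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
        type = ""
        # The context is the field shaped user:role:type:level. Its position
        # differs between ls versions, so search for it instead of assuming $4.
        for (i = 1; i <= NF; i++)
            if (split($i, ctx, ":") >= 4) { type = ctx[3]; break }
        if (type != "" && !(type in ok))
            print $NF, type
    }'
}

printf '%s\n' "$SAMPLE" | mislabelled    # prints: LogViewer user_home_t
```

On a live system, pipe `ls -lZ` of the document root into `mislabelled`. Besides chcon, `restorecon -Rv` on the directory resets labels to the policy default for its location.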
Added "youri" to the www-data group
grep youri /etc/group
www-data:x:33:youri
youri:x:1004:
When I upload something with FTP, the file permission is -rw-------
ls -all
total 176
drwxr-xr-x 2 youri youri 4096 feb 25 12:38 .
dr-xr-xr-x 3 youri youri 4096 feb 25 12:08 ..
-rw-r--r-- 1 youri youri 17 feb 25 12:27 index.php
-rw------- 1 youri youri 164655 feb 25 12:24 test.pdf (uploaded with FTP)
The file index.php was created with nano, and I changed its permissions with sudo chown youri:youri index.php
When I access my website it shows me the index.php, but /test.pdf gives me a "Permission denied" error.
Your webserver has no permission to read the file.
Normally, an FTP server has a configuration value called "umask", which is a value defining what permissions NOT to grant (the binary inverse of the value you would give to chmod).
For better security, most FTP servers like vsftpd ship with a default umask of 055 or 077.
As you can see, your index.php is not executable. Although it technically is just read, semantically the script is being executed by your webserver. And the webserver runs as the user www-data.
To have this work, change the following:
- Make youri's default group www-data: usermod -g www-data youri
- Change /etc/vsftpd.conf and set a umask of 022
- Restart vsftpd
- chmod 755 index.php (or delete it and upload it again)
I'm struggling to understand how to apply directory and file permissions so that files and directories created by the ftp user, via an ftp client, are browsable. In other words 755 is applied by default.
I'm running Apache 2 on Ubuntu 14.04.2 LTS, Trusty Tahr, with vsftpd server.
My directory structure is as follows.
var/www/
var/www/sites/
var/www/sites/master_demo/public_html
var/www/sites/test_site/public_html
I've run the following
usermod -aG www-data test_user
chgrp -R www-data /var/www/sites/test_site/public_html/
chown -R test_site:www-data /var/www/sites/test_site/public_html/
chmod -R 755 /var/www/sites/test_site/public_html/
Permissions on the directories are as follows:
cd var/www/sites/
ls -l
dr-xrws--- 3 master_demo www-data 4096 Jun 17 14:00 master_demo
drwxr-xr-x 3 test_site www-data 4096 Jun 16 13:32 test_site
cd var/www/sites/test_site/
ls -l
drwxr-xr-x 3 test_site www-data 4096 Jun 17 17:43 public_html
When a file is added using ftp by the test_site user these are the permissions
-rw------- 1 test_site test_site 152 Jun 18 08:27 about.html
drwx------ 2 test_site test_site 4096 Jun 18 08:27 css
-rw------- 1 test_site test_site 152 Jun 18 08:27 index.html
How do I get the file to automatically be given the correct permissions so the files are browsable (755)? I know the obvious answer might be to run a batch file, but is that necessary? I don't want to have to run the command every time.
chmod -R 755 /var/www/sites/test_site/public_html/*
ls -l
-rwxr-xr-x 1 test_site test_site 152 Jun 18 08:27 about.html
drwxr-xr-x 2 test_site test_site 4096 Jun 18 08:27 css
-rwxr-xr-x 1 test_site test_site 152 Jun 18 08:27 index.html
I'm new to linux so please be gentle :)
I can confirm that the test_site user is in the www-data group
id test_site
uid=1004(test_site) gid=1005(test_site) groups=1005(test_site),33(www-data)
I think what you are looking for is umask
umask 0022
umask -p
umask -S
You will need to modify your default /etc/profile in order to make this permanent. umask 0022 will on creation give directories chmod 755 and files chmod 644, which are the recommended permissions for the www folder in Apache.
Example
umask 0022
mkdir www
touch www/{index.html,style.css}
drwxr-xr-x. 2 user user 4096 Jun 18 10:53 .
drwxr-xr-x. 3 user user 4096 Jun 18 10:52 ..
-rw-r--r--. 1 user user 0 Jun 18 10:53 index.html
-rw-r--r--. 1 user user 0 Jun 18 10:53 style.css
FTP also supports setting umask before initiating a transfer. Setting it with FTP sets it for that transfer only, so that you don't need to change it system-wide as you would with /etc/profile.
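The effect of the upload umask discussed in both FTP threads above can be observed directly. This is an added example, not from the original posts; it assumes GNU stat and that the web server is neither the owner nor in the group of the uploaded files, as in the listings above. In vsftpd the setting for local users is local_umask.

```shell
#!/bin/sh
# Added example (not from the original posts): create a file and a directory
# under a given umask in a scratch directory and report the resulting modes.
# Assumes GNU stat (`stat -c`).

# modes_for_umask MASK: print "FILEMODE DIRMODE" for objects created under MASK.
modes_for_umask() {
    tmp=$(mktemp -d) || return 1
    (
        umask "$1"                  # subshell: the caller's umask is untouched
        touch "$tmp/test.pdf"       # new files are requested with mode 666
        mkdir "$tmp/css"            # new directories are requested with mode 777
    )
    echo "$(stat -c %a "$tmp/test.pdf") $(stat -c %a "$tmp/css")"
    rm -rf "$tmp"
}

# other_can_read MODE: succeed if the "other" class has the read bit. That is
# the class the web server falls into when it is neither the owner nor a
# member of the file's group (assumption matching the listings on this page).
other_can_read() {
    case $1 in
        *[4567]) return 0 ;;
        *)       return 1 ;;
    esac
}

for mask in 077 022; do
    set -- $(modes_for_umask "$mask")
    if other_can_read "$1"; then verdict="web server can read"
    else verdict="web server gets Permission denied"; fi
    echo "umask $mask -> file $1, dir $2: $verdict"
done
```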
I have centos in VMware and hosted a web application.
This is the URL I use to access my page. There is also another demo page, "demo.php", that I created as a test. It's fine: I can access it and it prints its contents, "its ok.", but when I try to open my app page, which is in the same directory, the browser says:
Forbidden
You don't have permission to access /WP/View/Home/localobjects.php on this server.
http://192.168.118.129/WP/View/Home/localobjects.php
How can I fix this?
Files Permissions in directory.
-rw-r--rwx. 1 root root 272 Apr 2 00:49 activedirectoryusers.php
-rw-r--rwx. 1 root root 236 Apr 17 01:22 configuration.php
-rw-r--rwx. 1 root root 324 Mar 30 00:59 dashboard.php
-rw-r--r--. 1 root root 107 Apr 15 08:28 deneme.php
drwxr-xrwx. 2 root root 4096 Apr 17 01:22 Ipageimplementations
-rw-r--rwx. 1 root root 257 Apr 17 00:52 localobjects.php
-rw-r--rwx. 1 root root 224 Mar 28 18:41 policy.php
-rw-r--rwx. 1 root root 257 Apr 13 01:58 timeintervals.php
Here is a cheatsheet…
Directories must have the permissions "drwxr-xr-x".
You set them with chmod 755 [directory name].
Files must have the permissions "-rw-r--r--".
You set them with chmod 644 *php for all the php files in a folder. If you have other files which must be seen on the web (.css, etc.) chmod them accordingly.
To get the "magic numbers" you have three digits:
the first one is for the owner
the second one is for the owner's group
the third is for the rest of the world
Numbers are the sum of:
4: readable
2: writeable
1: executable
When in doubt, do one directory at a time: if you give the wrong permissions (not executable, like files) to a folder, you can't browse it.
I am currently creating an application that requires separate users running duplicate programs. They cannot run under root because of security reasons, so they are initiated by a Java app that I am working on, and I am starting them with runuser -l. However, I cannot cd into a directory, even though it is owned by the user, and the user has 770 permissions in the folder.
Here's what I'm running:
runuser -l lp1 -c 'java -jar /root/Desktop/workspace/LitePanel/servers/server1/server.jar -Xms1024M nogui'
And the output of this is:
runuser: warning: cannot change directory to /root/Desktop/workspace/LitePanel/bin/servers/server1/: Permission denied
Here's an ls -all:
drwxr-xr-x. 3 root root 4096 Jan 30 14:03 .
drwxr-xr-x. 7 root root 4096 Jan 30 14:02 ..
drwxrwx---. 2 lp1 lp1 4096 Jan 31 03:07 server1
Inside the directory:
drwxrwx---. 2 lp1 lp1 4096 Jan 31 03:07 .
drwxr-xr-x. 3 root root 4096 Jan 30 14:03 ..
-rwxrwx---. 1 lp1 lp1 9170551 Jan 31 03:07 server.jar
And here's /etc/passwd:
lp1:x:501:501::/root/Desktop/workspace/LitePanel/bin/servers/server1/:/bin/false
Anyone know why this is happening? It looks like the user has the necessary permissions to do this.
You have said that the directory itself has permissions 770 and is owned by the user, but what about its parents? I believe the cd command will need at least read access (and possibly execute) on the parent directories.
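Entering a directory requires search (x) permission on that directory and on every ancestor, so the check has to walk the whole path. The following is an added example, not from the original posts; it assumes GNU stat, judges by owner, group and mode bits only (no ACLs, no root bypass), and uses a constructed directory tree with the uid and gid 501 shown for lp1 in the /etc/passwd line above.

```shell
#!/bin/sh
# Added example (not from the original posts): find the first directory on a
# path that a given uid/gid set cannot enter, judged from owner, group and mode.
# Assumes GNU stat; ACLs and root's bypass of mode bits are not modelled.

# traverse_ok UID "GIDS" DIR: succeed if the applicable class has the x bit.
traverse_ok() {
    set -- "$1" "$2" $(stat -c '%u %g %a' "$3")     # $3=uid $4=gid $5=mode
    mode=$(printf '%03d' "$5")
    mode=${mode#"${mode%???}"}                       # keep the last three digits
    if [ "$1" = "$3" ]; then bit=${mode%??}          # owner digit
    else
        case " $2 " in
            *" $4 "*) bit=${mode#?}; bit=${bit%?} ;; # group digit
            *)        bit=${mode#??} ;;              # other digit
        esac
    fi
    case $bit in 1|3|5|7) return 0 ;; *) return 1 ;; esac
}

# first_blocked UID "GIDS" DIR: print the first ancestor (root first) that
# blocks traversal; print nothing if every component can be entered.
first_blocked() {
    chain=; p=$3
    while :; do
        chain="$p
$chain"
        case $p in /|.) break ;; esac
        p=$(dirname "$p")
    done
    printf '%s' "$chain" | while IFS= read -r d; do
        traverse_ok "$1" "$2" "$d" || { echo "$d"; break; }
    done
}

# Constructed layout mirroring the question: a 770 directory owned by the
# service account, underneath a home directory that others cannot enter.
demo=$(mktemp -d) && chmod 755 "$demo"
mkdir -p "$demo/root/servers/server1" && chmod 770 "$demo/root/servers/server1"
chmod 550 "$demo/root"
first_blocked 501 501 "$demo/root/servers/server1"   # uid/gid 501 = lp1 on the page
chmod -R u+rwx "$demo"; rm -rf "$demo"
```

The demo prints the constructed "root" directory, not server1, as the blocking component. On a live system, `namei -l` followed by the path lists owner and mode for each component in the same order.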
I am trying to set up my webserver so that one group will have access to the files. Apache and every user that needs to edit the files will be part of this group. So I've set all the files to have the group psacln. I've added psacln to my groups. But it still won't let me view the files:
[tom#166 httpdocs]$ whoami
tom
[tom#166 httpdocs]$ groups tom
tom : tom adm wheel apache psacln andy
[tom#166 httpdocs]$ ls -al
ls: .: Permission denied
[tom#166 httpdocs]$ sudo ls -al
total 92
d---rwx--- 14 andy psacln 4096 Jul 22 17:51 .
drwxrwxr-x 16 apache apache 4096 Jul 21 09:29 ..
d---rwx--- 4 andy psacln 4096 Jul 21 09:26 backend
d---rwx--- 3 andy psacln 4096 Jul 22 15:21 core
d---rwx--- 5 andy psacln 4096 Jul 21 09:26 css
...
One thing that may be useful to note is that when you change a user's group membership, you will have to log out and back in again (i.e. group memberships will take effect when you log in and don't normally change otherwise).
You can either log in and out to let the group change take effect, or changing your "active" group with the newgrp command will also do this for you.