Linux permissions issue - linux

I'm trying to use Jenkins to deploy to a custom workspace but am having permissions issues. The custom workspace folder is /var/www/workspace which is owned by www-data and in the www-data group as normal. I have added my jenkins user to the www-data group and the folder has writable permissions on user and group level. When I run the Jenkins build it fails because it doesn't have permission to clone into the folder. The only thing I can think of that may be stopping this from happening is the fact that the var folder is owned by root even though www and all folder below this are owned by www-data
Any advice appreciated.

Do one thing, go to /var/www/ and type the following command and paste output:
ll

Responding to your comment, to change the owner and group of /var/www/workspace and all files under it you can use:
chown -R jenkins:www-data /var/www/workspace

In the end I changed the user that Jenkins is running as from Jenkins to www-data. Probably not the ideal way to do things but as this is on a non public facing server it suits my purpose. Now when a build has completed I get Jenkins to run a couple of chmod commands to make sure file permissions are correct and the files are already in the www-data group so all works nicely.

Related

Linux AWS EC2 Permissions with rsync

I am running a default t2.nano ec2 linux ami. Nothing is changed on it. I am trying to rsync my local changes to the server. There is a permissions issue that I don't know enough about to fix.
My structure is as follows. I'm trying to push my work to the technology directory. The technology directory is mapped to a staging domain. i.e. technology.staging.com
:/var/www/html/technology
this is from the root, and it does work fine, it's the rsync that is failing.
when I push locally to that directory I get a "failed: Permission denied (13)" error.
I'm running an nginx server and assigned permissions to the www directory as follows:
sudo chown -R nginx:nginx /var/www
My user is ec2-user which is the normal default. Here is where I am tripped up. You can see the var directory is given root access.
You can see that the www directory then has permissions set to nginx so our server can access the files. I believe I need to add the ec2-user to this directory as well as the nginx user so that I can rsync my files there and the server will still have access I'm just unsure of how to do that.
As a test, I created a test directory at this location and it worked successfully.
:/home/ec2-user/test
you can see the permission here are set for the ec2-user which is why it works i'm sure.
Here's the command I'm running on my local machine to rsync my files which fails.
rsync -azP -e "ssh -i /Users/username/devwork/company/comp.pem" company_technology/ ec2-user#1.2.3.4:/var/www/html/technology
Here's the command that was working.
rsync -azP -e "ssh -i /Users/username/devwork/company/comp.pem" company_technology/ ec2-user#1.2.3.4:/home/ec2-user/test
I have done enough research and testing to know that it's a permissions error, I just can't figure out the right way to solve it. Do I need to create a group and assign both the nginx and ec2-user to the group and then give that group the same permissions level on the :/var directory.
Side note, what permissions level do I set for the chown to make these permissions that are currently set?
I have server config files in the :/etc/nginx/conf.d/ directory that map to the directories I create inside of :/var/www/html directory so I can have multiple sites hosted on the server.
So in this example, I have a config file at :/etc/nginx/conf.d/technology.conf which maps to the directory at :/var/www/html/technology
Thank you in advance, again, I do feel like I have put forth the research and effort to show that I've gone as far as I know how to do.
The answer made sense after I spent roughly a day playing around. You have to give access to both the ec2-user and the nginx group. I believe you never want to put a user in a group that involves the server itself, I think things would go south.
After changing the owner to both the ec2-user and nginx group, it still didn't work exactly the way I wanted it to. The reason was, I needed the nginx permissions to be updated to what they had when they were assigned the user role.
Basically, theec2-user had write permissions and the server did not. we wanted the user to have write permissions so they could rsync my local files to the directory on the server, and the nginx group needed the same level of permissions to display the pages. Now that I think about it, the nginx group may have only needed read permissions to display things, but this at least solved the problem for now.
Here is the command I ran on the server to update the ownership and the permissions, as well as the output.
modify ownership
sudo chown -R ec2-user:nginx :/var/www/html/technology
modify permissions
sudo chmod -R o=rwx,g+rwx,o-w technology
The end result looks like this
You can see the permissions match, and the ownership is as we expected. The only thing I have to figure out is after I rsync new files to the server, I need to run the previous code to update the permissions again. I'm sure that will come to me later, but I hope this helps anyone in the same situation.

Ubuntu / NGINX - Can't change ownership or permissions of certain directories and files

I have some folders on a ubuntu server running Nginx with the following permissions & groups:
drwxr-xr-x 3 www-data www-data some_folder
I am trying to delete these within a deployment script, as a user called deploy. This user is in the www-data group.
I know that to delete these folders, I need group write permissions (which I currently don't), however the deploy user doesn't have the permissions to set this. I've tried chmod 775 some_folder and also setting the deploy user as the owner with chown deploy some_folder, but I always get this error:
chown: changing ownership/permissions of 'some_folder/': Operation not permitted
How can I delete these folders without using sudo?
Thanks in advance for any help

Permissions to delete generated files from another user in linux (gitlab-runner)

Im using gitlab-runner to deploy my php application to nginx web server.
To deploy im using this steps:
1. delete all files in folder /var/www/site
2. move files from gitlab repository to /var/www/site
All these actions are performed only after pushing to repository new changes.
I have a problem. Files that copied to /var/www/site owned by gitlab-runner.
After uploading file from post form, files owned by www-data (nginx user).
After next push, gitlab cant deploy because it's failed on first step. user gitlab-runner hasn't right to delete www-data files.
I cant change nginx user to gitlab-runner for a reason, and i don't know how to change gitlab-runner to another user.
Anyone can help me?
You can use the command chown to change the owner of a file.
chmod uu:gg will set the owner of the file to uu and the group to gg.
You can change permissions of a file with chmod command.
chmod g+w will give write access to file to users of the group of
With this commands you should be able to set the group of the files to a group compatible with git-lab (check initial group of files with ls -l command)

Newly created folder permission rights issue

Hope you are good. I have Xammp on fedora and changed owner of opp/lampp/htdoc to root. Why I did so because whenever someone creates new folder through sharing, they don't have permission to dynamically create folder or files or to write images. Then I run command
chmod -R 777 /opt/lampp/htdocs
But when system goes to restart then I again need to run this command. So avoid again and again run this command I changed the owner on "opt/lampp/htdocs" and run
chmod -R 777 /opt/lampp/htdocs
Now, whenever server restarts, assigned permissions don't need to be set again and again. That is resolved.
I have an issue, that old directories can be used to write something. But if any network user creates new directory under htdocs, that new directory needs to be changed the permission for it.
previously created, and can use this one directory to run script to create files
drwxrwxrwx 2 root root 4096 2011-06-15 14:09 aaa
Newly created, cannot be used to run a script to create image or to write anything
drwxr-xr-x 2 root root 4096 2011-06-17 15:17 aaaa
drwxr-xr-x this one is really annoying to me for each newly created folder in htdocs :(
Just to let you know that my htdocs user and rights are:
drwxrwxrwx 101 root root 4096 2011-06-17 15:17 htdocs
Why is it so? Can anybody please help me to figure this problem out? I am waiting for quick response anxiously.
First off, you should investigate what permissions you really need - chmodding everything to 777 is a security risk as it will allow any user to write inside of your web root.
However, to address your actual question of the default permissions when a new folder is created by a user, you want to adjust the default "umask" which determines such things.
This question has some information for changing it for the Apache user (if a "network user" is a user creating new files and directories through the httpd process):
Setting the umask of the Apache user
If you need to adjust it for other users or processes, the solution will be similar.
Good luck!
Edit
Since you're on Fedora, try this: (from the question I linked above)
[root ~]$ echo "umask 002" >> /etc/sysconfig/httpd
[root ~]$ service httpd restart
The first command will add that line to the /etc/sysconfig/httpd which is a permanent configuration file, and the second command will make it active.
You are tackling the problem from the wrong side. Restore your apache configuration to use apache.apache as default user/group, and set your samba server to use those credentials when someone write to your document root.
If you are using nfs or another posix compatible filesystem, use chmod g+s to keep all files readable from your apache server.
Try it:
#umask 000
have a good time!!

Apache Webserver - How to write to dir/files with permissions set at 755 instead of 777

I just learned to install Apache 2 on my ubuntu linux localhost for the first time. I'm making it work with PHP5.
I noticed that anytime I want to write to a file or directory, I have to chmod 777 the destination.
But from my experience working on 3rd party hosting solutions, I am generally allowed to write to files and dirs that have 755 permissions.
What can I do on my localhost so that I can write to files and dirs with 755 permissions? If the answer to this is very long, can someone send me a link to a step by step guide to do this?
Here are some simple rules for web site content management (under apache) that most people should follow:
All content should be chown'd & chgrp'd to the same user that apache is running as. On new ubuntu installs , the user and group are both "www-data".
If you want to administer the serving files under your own user group, then you should add youself to the www-data group, and make sure that users in this group have read/write access to all the serving files and directories. The caveat here is that you want to make sure not to create new files as your personal account. These should still be owned by www-data. The easiest way to accomplish this is to create the file as yourself, and then chown it to www-data:www-data.
If you do these 2 things, then you should be able to write to files that are being served by apache. I'm not sure where your document root is, but something like this would likely work for most simple installs:
$ sudo usermod $USER -a -G www-data
$ cd /var/www
$ sudo chown -R www-data:www-data .
You probably can't achieve this because the owner of the file is different than the user trying to perform an action on the file.
the permissions are:
owner-group-everyone
rwx-rwx-rwx
i.e. 111 = 7 which allows read/write and execute.
101 = 5 which is just read and execute
you can't write to the file because your logged in user isn't part of the owner/group that has access to the file.
the final 7 (i.e. rwx-rwx-111(7)) means that globally, everyone has read/write access to that file.
how to fix this
In Linux, you can use the chown or chgrp command to achieve your desired results.
First, you will want to find out as which user your PHP code is running. If you are using mod_php5 (package name libapache2-mod-php5) with Apache to run with the "worker" or the "prefork" MPM, this will probably be www-data.
This is no big problem as long as you only run one web application within the server. However, if you run multiple applications (or scripts that are owned by more than one user), you are setting yourself up for all kinds of security-related "fun".

Resources