I am using an Alias directory to use a content management system for multiple websites. It's like an application pool in IIS (for the Windows guys here).
While every website has its own user (I am using a VDS with DirectAdmin), and the CMS also has of course its own user, I now have permission issues because the CMS user needs read permissions in every website (= homedir).
How do I do that?
My situation:
/home/myapp/cms with user 'myapp' <- is attached to every website by an Alias directive
/home/site1/public_html with user 'site1'
/home/site2/public_html with user 'site2'
I have tried chmod o+rX /home/myapp/cms, but that didn't do the trick. Also chown is no solution, because it can handle only one single user.
Update: To illustrate this better, my site is showing the following error:
Warning: require(/home/site1/public_html/includes/config.php) [function.require]: failed to open stream: Permission denied in /home/myapp/cms/index.php on line 2
What means the 'shared application' hasn't have the sufficient right.
In this case I have also have done
chmod o+rwX /home/site1/public_html/includes/config.php
Of course 'myapp' and 'site1' is different in the real case. This is just an simplification.
You probably need to change the permissions of the files inside /home/myapp/cms too. e.g. chmod -R o+rX /home/myapp/cms
Related
I am running a default t2.nano ec2 linux ami. Nothing is changed on it. I am trying to rsync my local changes to the server. There is a permissions issue that I don't know enough about to fix.
My structure is as follows. I'm trying to push my work to the technology directory. The technology directory is mapped to a staging domain. i.e. technology.staging.com
:/var/www/html/technology
this is from the root, and it does work fine, it's the rsync that is failing.
when I push locally to that directory I get a "failed: Permission denied (13)" error.
I'm running an nginx server and assigned permissions to the www directory as follows:
sudo chown -R nginx:nginx /var/www
My user is ec2-user which is the normal default. Here is where I am tripped up. You can see the var directory is given root access.
You can see that the www directory then has permissions set to nginx so our server can access the files. I believe I need to add the ec2-user to this directory as well as the nginx user so that I can rsync my files there and the server will still have access I'm just unsure of how to do that.
As a test, I created a test directory at this location and it worked successfully.
:/home/ec2-user/test
you can see the permission here are set for the ec2-user which is why it works i'm sure.
Here's the command I'm running on my local machine to rsync my files which fails.
rsync -azP -e "ssh -i /Users/username/devwork/company/comp.pem" company_technology/ ec2-user#1.2.3.4:/var/www/html/technology
Here's the command that was working.
rsync -azP -e "ssh -i /Users/username/devwork/company/comp.pem" company_technology/ ec2-user#1.2.3.4:/home/ec2-user/test
I have done enough research and testing to know that it's a permissions error, I just can't figure out the right way to solve it. Do I need to create a group and assign both the nginx and ec2-user to the group and then give that group the same permissions level on the :/var directory.
Side note, what permissions level do I set for the chown to make these permissions that are currently set?
I have server config files in the :/etc/nginx/conf.d/ directory that map to the directories I create inside of :/var/www/html directory so I can have multiple sites hosted on the server.
So in this example, I have a config file at :/etc/nginx/conf.d/technology.conf which maps to the directory at :/var/www/html/technology
Thank you in advance, again, I do feel like I have put forth the research and effort to show that I've gone as far as I know how to do.
The answer made sense after I spent roughly a day playing around. You have to give access to both the ec2-user and the nginx group. I believe you never want to put a user in a group that involves the server itself, I think things would go south.
After changing the owner to both the ec2-user and nginx group, it still didn't work exactly the way I wanted it to. The reason was, I needed the nginx permissions to be updated to what they had when they were assigned the user role.
Basically, theec2-user had write permissions and the server did not. we wanted the user to have write permissions so they could rsync my local files to the directory on the server, and the nginx group needed the same level of permissions to display the pages. Now that I think about it, the nginx group may have only needed read permissions to display things, but this at least solved the problem for now.
Here is the command I ran on the server to update the ownership and the permissions, as well as the output.
modify ownership
sudo chown -R ec2-user:nginx :/var/www/html/technology
modify permissions
sudo chmod -R o=rwx,g+rwx,o-w technology
The end result looks like this
You can see the permissions match, and the ownership is as we expected. The only thing I have to figure out is after I rsync new files to the server, I need to run the previous code to update the permissions again. I'm sure that will come to me later, but I hope this helps anyone in the same situation.
I understand this has most likely been answered but for the life of me cannot figure it out.
What is the problem?
I'm running an nginx server and have the user "www-data" own the web server directory and all of it's contents. I run wordpress so it is important that www-data keeps ownership as if it does not, the wordpress UI will not be able to edit files. I also like to use SFTP but have disabled login for any other user besides my own. Currently, when I want to use FTP to edit files, I have to chown the wp-content directory temporarily to my personal user and then re-chown the directory back to the www-data user when finished.
What is the intended outcome?
Ideally, I'd like to configure the file permissions so that I may edit files within this directory without having to chown between users everytime. Is this possible or would I be better off setting my personal user as a root user?
What have you tried?
I've tried chown-ing the directory to a group that both www-data and my user are in. Example being:
chown -R :www-data /path/to/dir/wp-content/*
Where "www-data" is both the name of the web user, AND the name of a group that contains both users: myuser & www-data. Even after doing so, myuser is not able to edit the files within this directory.
If anyone would be kind enough to educate a fool (me) or refer to myself a proper resource, I'd be very grateful! Thanks for your time :)
You should have a user that has associated group, named after that user. So you can do the following:
sudo chgrp -R YOUR_USER_NAME YOUR_FOLDER
this should change owinging group for the data in your folder and that owning group will be your user's group
Then change the privilige for the group using:
chmod -R g+w YOUR_FOLDER
There's already an answer, but I figure I'll give a detailed one anyway, for everyone's sake :)
I'm running an nginx server and have the user "www-data" own the web server directory and all of it's contents
You see where it fails from the beginning, is that any sensitive files can be served by NGINX, unless denied in specifically in configuration, simply because it owns it. It's not good because it won't use chmod permission model as a way to control what NGINX can serve and what it cannot.
There is only one setup that is secure and proper, and I detail it here.
Specifically, each website must have its own PHP-FPM pool, which runs by a website-specific user.
The webserver user (e.g. www-data or nginx) is the member of all website's usergroups, e.g. nginx is member of wordpress usergroup.
This allows to simply have 0750 (dirs) and 0640 (files) permissions, and have no issues at all.
On our server, I work with another developer. We want to both be able to edit files, make files, etc. We both want to be able to edit each other's files and be in complete collaboration with each other with no permission errors or having to use sudo all the time. We are also using Git. We have had issues in the past with Git making weird database files with the root username or group or only one of us. Then when we try to push to the repository, we get crazy errors and have to chmod everything back to one of us so the author is unified. Just a general mess. We are using a debian server.
Should we make 2 usernames and add them to the www-data group? Is adding us to www-data and having people visit the website secure with that?
Should we then chmod all folders to 755 permission and files to 644?
We want all new files made within /var/www to be in one of our usernames but with the www-data group by default so that we can both edit the file. Is the chmod -R g+rws /var/www enough for this? We want files to be ready as soon as they are made. File permissions set properly by default.
Should we use ACL for this instead of all the chmod stuff?
Is this a good guide to follow?
http://machiine.com/2013/easy-way-to-give-user-permission-to-edit-and-add-files-in-varwww/
Thanks
When I am trying to use Gii Controller Generator I get:
file_put_contents(.../gii-1.1.14/ControllerCode.php): failed to open stream: Permission denied
I have created a Yii demo project as a root so I recursively changed yiidemo(project's folder) owner and group to 'web-data'. I left permissions unchanged. This didn't help.
Then I have recursively changed permissions inside this folder to 777. All worked.
I've tried different combinations(eg. dir/file: 755/644) for directories/files but none worked. I know that 777 is not the best solution. How do I find the optimal working permissions combination for this case?
when using Gii it creates new files in protected directory. In other words php and apache needs to write in your protected dir.
By default, for security reasons, Gii is configured to be accessible only on development (localhost). Therefore, it should only be installed on a development machine. Because it can generate new PHP script files in the application, we should pay sufficient attention to its security measures (e.g. password, IP filters).
If you want to make it accessible on other trustable computers, you can configure the Gii Module like .
return array(
......
'modules'=>array(
'gii'=>array(
'class'=>'system.gii.GiiModule',
'password'=>'pick up a password here',
// 'ipFilters'=>array(...a list of IPs...),
// 'newFileMode'=>0666,
// 'newDirMode'=>0777,
),
),
);
Because Gii may generate and save new code files in the existing
application, we need to make sure that the Web server process has the
proper permission to do so. The above GiiModule::newFileMode and
GiiModule::newDirMode properties control how the new files and
directories should be generated.
for permission you can change your protected owner:group using:
$ sudo chown yourUserName:www-data path/to/protected
$ sudo chmod 775 path/to/protected -R
read more about gii here
I just learned to install Apache 2 on my ubuntu linux localhost for the first time. I'm making it work with PHP5.
I noticed that anytime I want to write to a file or directory, I have to chmod 777 the destination.
But from my experience working on 3rd party hosting solutions, I am generally allowed to write to files and dirs that have 755 permissions.
What can I do on my localhost so that I can write to files and dirs with 755 permissions? If the answer to this is very long, can someone send me a link to a step by step guide to do this?
Here are some simple rules for web site content management (under apache) that most people should follow:
All content should be chown'd & chgrp'd to the same user that apache is running as. On new ubuntu installs , the user and group are both "www-data".
If you want to administer the serving files under your own user group, then you should add youself to the www-data group, and make sure that users in this group have read/write access to all the serving files and directories. The caveat here is that you want to make sure not to create new files as your personal account. These should still be owned by www-data. The easiest way to accomplish this is to create the file as yourself, and then chown it to www-data:www-data.
If you do these 2 things, then you should be able to write to files that are being served by apache. I'm not sure where your document root is, but something like this would likely work for most simple installs:
$ sudo usermod $USER -a -G www-data
$ cd /var/www
$ sudo chown -R www-data:www-data .
You probably can't achieve this because the owner of the file is different than the user trying to perform an action on the file.
the permissions are:
owner-group-everyone
rwx-rwx-rwx
i.e. 111 = 7 which allows read/write and execute.
101 = 5 which is just read and execute
you can't write to the file because your logged in user isn't part of the owner/group that has access to the file.
the final 7 (i.e. rwx-rwx-111(7)) means that globally, everyone has read/write access to that file.
how to fix this
In Linux, you can use the chown or chgrp command to achieve your desired results.
First, you will want to find out as which user your PHP code is running. If you are using mod_php5 (package name libapache2-mod-php5) with Apache to run with the "worker" or the "prefork" MPM, this will probably be www-data.
This is no big problem as long as you only run one web application within the server. However, if you run multiple applications (or scripts that are owned by more than one user), you are setting yourself up for all kinds of security-related "fun".