I'm locking down some permissions, and now nginx has trouble seeing my site
Background:
I deploy & run CLI using the mysite user.
I want both mysite and www-data to have access to the site's folder
mysite and www-data users
both belong to the www-data groups:
root@dev:~# groups mysite
mysite : mysite www-data
root@dev:~#
root@dev:~# groups www-data
www-data : www-data
The folder (has group permissions)
drwxrwx--- 3 mysite www-data 4096 Jun 26 14:12 sites/
www-data trying to get to it:
root@dev:~# sudo -u www-data stat /home/mysite/sites/
stat: cannot stat ‘/home/mysite/sites/’: Permission denied
www-data can see the parent folders fine:
root@dev:~# sudo -u www-data stat /home/
File: ‘/home/’
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: fd01h/64769d Inode: 1179649 Links: 3
Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2016-10-19 10:59:05.845267219 -0400
Modify: 2016-06-26 14:12:24.890310000 -0400
Change: 2016-06-26 14:12:24.890310000 -0400
Birth: -
root@dev:~# sudo -u www-data stat /home/mysite/
File: ‘/home/mysite/’
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: fd01h/64769d Inode: 1180062 Links: 10
Access: (0770/drwxrwx---) Uid: ( 1000/ mysite) Gid: ( 1000/ mysite)
Access: 2016-10-19 10:59:10.081267219 -0400
Modify: 2016-10-19 10:35:01.221267219 -0400
Change: 2016-10-19 10:35:01.221267219 -0400
Birth: -
I've also checked to see if SELinux was messing with it
root@dev:~# setenforce 0
setenforce: SELinux is disabled
I've also tried:
chown www-data:www-data /home/mysite/sites/
Update 10/19/2016:
Setting the acl on the folder that 'sites' belongs to got this working the way I have it setup:
setfacl --modify=g:www-data:x /home/mysite
Any web server requires executable permissions (but not read) to all parent directories that contain the site. Setting an ACL on the home directory like that works.
You also could have changed the group of /home/mysite to www-data and locked down permissions of that directory to 710.
Another solution would have been to move the sites directory someplace less restricted than a home directory, like /var/www, but keep the existing locked down permissions on the sites directory.
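The answer's point is that the failing component is usually not the site directory itself but a parent that lacks the search (x) bit for the web server's uid and groups. The following script is an added example (not code from the question or the answer): it walks every component of a path the way the kernel's permission check would for a given uid and gid set, reports which class (owner/group/other) applies and whether that class grants what is needed, and flags directories that carry a POSIX ACL, since mode bits alone then understate what is granted (the ACL fix above is invisible to `ls -l` except for the trailing `+`). The demo builds a constructed 0700 home directory over a 0770 site directory, mirroring the question; the "foreign" uid and gid are stand-ins for www-data.

```python
import os
import stat
import tempfile
from pathlib import Path


def perm_class(st, uid, gids):
    """Pick the permission class the kernel uses for this uid/gid set:
    owner bits if uid matches, else group bits if the file's gid is one of
    the caller's groups, else the 'other' bits. Returns (class, rwx as 0-7)."""
    if uid == st.st_uid:
        return "owner", (st.st_mode >> 6) & 0o7
    if st.st_gid in gids:
        return "group", (st.st_mode >> 3) & 0o7
    return "other", st.st_mode & 0o7


def has_acl(path):
    """True if a POSIX ACL is attached (what the '+' in ls -l means).
    Best effort: needs Linux xattr support, otherwise reports False."""
    try:
        return "system.posix_acl_access" in os.listxattr(str(path))
    except (OSError, AttributeError):
        return False


def check_traversal(path, uid, gids):
    """Evaluate each component of `path` as uid/gids would see it.
    Parents need the search bit (x); the final entry needs r+x if it is a
    directory, r if it is a file. Returns one dict per component, in order."""
    gids = set(gids)
    parts = Path(os.path.abspath(path)).parts
    prefixes = [Path(*parts[: i + 1]) for i in range(len(parts))]
    report = []
    for i, prefix in enumerate(prefixes):
        st = os.stat(prefix)
        cls, bits = perm_class(st, uid, gids)
        last = i == len(prefixes) - 1
        if uid == 0:
            ok, need = True, "root bypasses mode bits (CAP_DAC_OVERRIDE)"
        elif not last:
            ok, need = bool(bits & 0o1), "x (search) on parent directory"
        elif stat.S_ISDIR(st.st_mode):
            ok, need = (bits & 0o5) == 0o5, "r+x on target directory"
        else:
            ok, need = bool(bits & 0o4), "r on target file"
        report.append({
            "path": str(prefix), "mode": stat.filemode(st.st_mode),
            "owner": st.st_uid, "group": st.st_gid, "class": cls,
            "need": need, "ok": ok, "acl": has_acl(prefix),
        })
    return report


def first_denied(report):
    """Return the first component that blocks access, or None if all pass."""
    for entry in report:
        if not entry["ok"]:
            return entry["path"]
    return None


def demo():
    """Constructed scenario from the question: a 0700 home directory above a
    0770 site directory. Returns (report for the owner, report for a foreign
    uid that shares no group with the directory, i.e. the www-data case)."""
    home = tempfile.mkdtemp()                # created 0700, like a locked-down $HOME
    site = os.path.join(home, "sites")
    os.mkdir(site)
    os.chmod(site, 0o770)                    # group-accessible, as in the question
    me, my_gid = os.getuid(), os.getgid()
    foreign_uid, foreign_gids = me + 100000, {my_gid + 100000}   # stand-ins, not real accounts
    return check_traversal(site, me, {my_gid}), check_traversal(site, foreign_uid, foreign_gids)


if __name__ == "__main__":
    own, other = demo()
    for entry in other:
        flag = "ok  " if entry["ok"] else "DENY"
        acl = " (+ACL)" if entry["acl"] else ""
        print(f'{flag} {entry["mode"]}{acl} {entry["path"]}  [{entry["class"]}] needs {entry["need"]}')
    print("first denied component:", first_denied(other))
```

On a real host the same walk is available as `namei -l /home/mysite/sites` (util-linux), which prints the mode and owner of every component; the script above adds the "which class applies for this uid" step that makes the denial obvious. Run it as root with the real uid and group list of www-data (`id www-data`) to see exactly where the web server is stopped.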
I likely would have gone with your solution, or moving the site to /var/www
I have a container which is using shared volume with host. I want to give it a full permissions. At present, it is:
ls -l
drwxr-xr-x 8 user user 4096 Aug 9 04:47 Data
But I want it to be:
ls -l
drwxrwxrwx 8 user user 4096 Aug 9 04:47 Data
I have a below deployment file:
spec:
  containers:
  - name: logger
    image: logger_image
    volumeMounts:
    - mountPath: /Data
      name: Data-files
    securityContext:
      privileged: true
  volumes:
  - name: Data-files
    hostPath:
      path: /home/user/Documents/Data
I have even set it as privileged but still, the volumes do not have full permissions. What should I add in deployment file to make the volume full permissions?
Thanks
Your permissions on /home/user/ or /home/user/Documents/ folders don't allow the process' owner (of logger_image) to access the folder and write.
Try to create /Data (on your root) and set the proper permissions.
I resolved this issue by mentioning the appropriate commands to give full permissions to that directory in the Dockerfile itself.
In the dockerfile:
RUN mkdir -p /Data
RUN chmod -R 777 /Data
and then later used the same kubernetes deployment file and it worked fine with full permissions.
Thanks
Setup:
Websites are setup as users in /home/
Website users restricted to home directories as /home/websiteuser/ is
owned by root
Website users are part of the websites group
www-data is part of the websites group
Virtual host points to: /home/websiteuser/html/
/home/websiteuser/html/ is set to -R 755
Files inside /html/ are owned by websiteuser:websites
Website user is used to access website via sftp
Everything works great except apache requires us to recursively chmod 777 the /home/websiteuser/html/files/ directory or images won't display and the CMS can't write its mysql backups.
The website user owns the files so the sftp access works but do I have to make www-data own the files - or is there a way where sftp login works and apache can still have access as well?
We've seen many questions around this but don’t understand the answers sorry - any help would be much appreciated.
Cheers
We've solved this by making a "websites" group and adding the apache user (www-data) to this group like this (must be done as root - switch to root with $ su root, or put sudo in front of the commands, like this: $ sudo useradd username):
Add a new group - this will be the name of the group used for all websites:
$ addgroup websites
List groups to check it was created
$ getent group websites
Add the apache user to the websites-group so apache has access to run the websites
$ usermod -aG websites www-data
Check www-data is part of the websites-group:
$ grep '^websites' /etc/group
Add a new website user (this will be the user used to run the website)
$ useradd username
Give the user a password
$ passwd username
Follow the prompts to add a password
Add website user to websites group
$ usermod -aG websites username
Create a new directory for the user to serve websites from:
$ mkdir /home/username
The owner of the website directory must be root or sftp will fail
Make root the owner and group of website user’s home directory:
$ chown root:websites /home/username
Give website user limited access to their home directory:
$ chmod 750 /home/username
Move into the website user’s directory:
$ cd /home/username
Make a web root directory (this is the public directory where the website's files will live):
$ mkdir html
Give website user owner:group on web root:
$ chown username:websites html
Change permissions on the html directory:
$ chmod 750 html
Copy all the website's files into the html directory
Recursively set ownership on all files within the web-root
$ chown -R username:websites html
Recursively set permissions on all files within the web-root (owner and group have read, write, execute permissions):
$ chmod -R 770 html
Recursively set permissions on all files within web-root:
$ find . ! -type d -exec chmod 644 {} +
If having issues, make sure directory permissions are set like this (the top-level website directory /home/username/ must be owned by root or sFTP access won't work):
/home/username | drwxr-x--- | root:websites
/home/username/html | drwxr-x--- | username:websites
/home/username/html/directories/ | drwxrwx--- | username:websites
/home/username/html/files.html | -rw-r--r-- | username:websites
We're designers so this is the way we worked it out, if anyone can see improvements, feel free to edit!
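The layout in the table above (web root 750, subdirectories 770, regular files 644) is easy to drift away from once someone runs `chmod -R 777` to make an upload directory work. The script below is an added example, not part of the answer: `apply_scheme` sets those modes the way the chmod/find lines do, and `audit` reports every path that deviates, tagging world-writable entries separately because those are the usual residue of a 777 fix. The demo tree with its 777 directories and a 666 backup file is constructed for illustration; ownership (username:websites) is not checked here because that needs the real accounts.

```python
import os
import stat
import tempfile

TOP_MODE, DIR_MODE, FILE_MODE = 0o750, 0o770, 0o644   # web root, subdirs, regular files


def _entries(webroot):
    """Yield (path, is_dir) for every non-symlink entry under webroot."""
    for dirpath, dirnames, filenames in os.walk(webroot):
        for d in dirnames:
            p = os.path.join(dirpath, d)
            if not os.path.islink(p):
                yield p, True
        for f in filenames:
            p = os.path.join(dirpath, f)
            if not os.path.islink(p):
                yield p, False


def apply_scheme(webroot):
    """Apply the answer's modes: 750 on the web root, 770 on subdirectories,
    644 on files. Equivalent to `chmod -R 770 html` followed by
    `find . ! -type d -exec chmod 644 {} +`, but safe with odd filenames."""
    os.chmod(webroot, TOP_MODE)
    for path, is_dir in _entries(webroot):
        os.chmod(path, DIR_MODE if is_dir else FILE_MODE)


def audit(webroot):
    """Return (path, actual, expected, tag) for each deviation from the scheme.
    tag is 'world-writable' when the 'other' write bit is set, else 'mode'."""
    findings = []

    def check(path, expected):
        actual = stat.S_IMODE(os.lstat(path).st_mode)
        if actual != expected:
            tag = "world-writable" if actual & 0o002 else "mode"
            findings.append((path, oct(actual), oct(expected), tag))

    check(webroot, TOP_MODE)
    for path, is_dir in _entries(webroot):
        check(path, DIR_MODE if is_dir else FILE_MODE)
    return findings


def build_demo_tree():
    """Constructed web root that has been 'fixed' with chmod 777 in places.
    Returns the path of the html directory."""
    root = tempfile.mkdtemp()
    html = os.path.join(root, "html")
    os.mkdir(html)
    os.chmod(html, 0o755)                                  # too open for the scheme
    os.makedirs(os.path.join(html, "files", "uploads"))
    os.chmod(os.path.join(html, "files"), 0o777)           # the classic 777 residue
    os.chmod(os.path.join(html, "files", "uploads"), 0o777)
    samples = (("index.html", 0o777), (os.path.join("files", "backup.sql"), 0o666))
    for name, mode in samples:
        p = os.path.join(html, name)
        with open(p, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(p, mode)
    return html


if __name__ == "__main__":
    html = build_demo_tree()
    for finding in audit(html):
        print("before:", finding)
    apply_scheme(html)
    print("after apply_scheme:", audit(html))             # expected: []
```

For a quick one-off check on a server, `find /home/username/html -perm -o=w` lists the world-writable leftovers the audit tags; the script is for when you want the whole scheme verified, for example from a cron job or a deploy step.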
I have created a simple php page in the /var/www/tuto directory, but when I'm trying to open this page (this is its URL: http://localhost/tuto/index.php ) I get this message:
Forbidden
You don't have permission to access /tuto/index.php on this server.
Apache/2.2.22 (Ubuntu) Server at localhost Port 80
The tuto directory has aimad as group and owner.
The drwx------ means only you have read/write/execute permission on the directory.
d means the node is directory
r(4) means read permission
w(2) means write permission
x(1) means execute permission
The order for permissions is user, group, world.
To fix that you'll need to correct the permissions so apache can read from it. This is done with this command.
chmod -R 755 /var/www/tuto
user: 7 = r + w + x
group: 5 = r + x
world: 5 = r + x
It will set the correct permission for the directory and everything inside.
An even better approach would be to change the directory's group to www-data which apache uses on Ubuntu and then set the permissions to allow the group.
chown -R aimad:www-data /var/www/tuto
chmod -R 750 /var/www/tuto
To get a better understanding of how permissions work look at the Wikipedia page.
http://en.wikipedia.org/wiki/Filesystem_permissions
I have my computer on network, and whole homedir is mounted at login with CIFS. When I access http://localhost everything works fine, but when I access http://localhost/~user it fails.
# cat /etc/mtab
.....
//192.168.1.5/user/ /home/user cifs rw,mand 0 0
ls -l
...
drwxrwxrwx 37 user domain users 0 2011-12-22 09:12 public_html
The browser says:
Forbidden
You don't have permission to access /~lluisforns on this server.
And apache says:
cat /var/log/apache2/error.log
[Thu Dec 22 18:19:09 2011] [error] [client 127.0.0.1] (13)Permission denied: access to /~lluisforns denied
Any idea?
Had the same issue, and it turned out to be an SELinux thing: SELinux has a setting that prevents httpd (apache) from following CIFS links.
To see if you have this issue:
getsebool -a | grep httpd
you should see httpd_use_cifs --> on. If not, you're in luck - this is your problem.
To fix:
setsebool httpd_use_cifs on
You may also decide to disable SELinux altogether (assuming you know the risk) - here is a link to one relevant page
I have the same symptoms as Error number 13 - Remote access svn with dav_svn failing. However, the solution to that problem does not work for me.
The error message:
<D:error xmlns:D="DAV:" xmlns:m="http://apache.org/dav/xmlns" xmlns:C="svn:">
<C:error/>
<m:human-readable errcode="13">Could not open the requested SVN filesystem</m:human-readable>
</D:error>
The relevant apache log entry:
(20014)Internal error: Can't open file '/svn/testrepo/format': Permission denied
The subversion conf file:
<Location /svn>
DAV svn
SVNPath /svn/testrepo
</Location>
However, I've further confirmed that user apache can, indeed, open the file /svn/testrepo/format, and can not only open it, but move it, duplicate it, delete it, and overwrite it. (su apache -> do all that stuff.) What can I do next?
=========== FURTHER INFORMATION ===========
In response to crazyjul, here are the results of ps aux | grep apache
apache 14019 0.0 0.2 11248 2112 ? S 16:40 0:00 /usr/sbin/httpd
apache 14020 0.0 0.2 11248 2112 ? S 16:40 0:00 /usr/sbin/httpd
apache 14021 0.0 0.2 11248 2112 ? S 16:40 0:00 /usr/sbin/httpd
apache 14022 0.0 0.2 11248 2112 ? S 16:40 0:00 /usr/sbin/httpd
apache 14023 0.0 0.2 11248 2112 ? S 16:40 0:00 /usr/sbin/httpd
apache 14024 0.0 0.2 11248 2112 ? S 16:40 0:00 /usr/sbin/httpd
apache 14025 0.0 0.2 11248 2112 ? S 16:40 0:00 /usr/sbin/httpd
apache 14026 0.0 0.2 11248 2112 ? S 16:40 0:00 /usr/sbin/httpd
root 14032 0.0 0.0 5412 772 pts/4 R+ 16:41 0:00 grep apache
The results of ps aux | grep www
root 14034 0.0 0.0 5412 772 pts/4 S+ 16:42 0:00 grep www
The results of ls -as on my repo folder:
drwxrwxrwx 7 apache apache 4096 2011-10-07 16:13 .
drwxr-xr-x 7 apache apache 4096 2011-10-07 14:04 ..
-rw-r--r-- 1 apache apache 229 2011-10-07 13:50 README.txt
drwxr-xr-x 2 apache apache 4096 2011-10-07 15:50 conf
drwxr-xr-x 2 apache apache 4096 2011-10-07 13:50 dav
drwxr-sr-x 5 apache apache 4096 2011-10-07 14:25 db
-rwxrwxrwx 1 apache apache 2 2011-10-07 13:50 format
drwxr-xr-x 2 apache apache 4096 2011-10-07 13:50 hooks
drwxr-xr-x 2 apache apache 4096 2011-10-07 13:50 locks
I was researching and I find this.
Probably you have SELinux enabled; it is a security system that I don't understand very well (how exactly it works), but that's the problem. If you want to know if it is on, type
[root@localhost ~]# getenforce
If says enforcing, is on
In order to deactivate it type
[root@localhost ~]# chcon -R -t httpd_sys_content_t /var/www/svn/your/path
[root@localhost ~]# chcon -R -t httpd_sys_rw_content_t /var/www/svn/your/path
Do you have selinux enabled? I typically disable it for mod_dav_svn but you can get it working with some configuration.
vince@fedora12 /etc/httpd/conf.d > cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
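Two of the threads above (the CIFS-mounted public_html and the mod_dav_svn repository) end up at the same place: the Unix mode bits look right, the daemon still gets EACCES, and SELinux is the missing factor. The following script is an added example, not code from any of the answers: it parses `getsebool -a` output, `/etc/selinux/config` and `/etc/mtab`, works out which filesystem type holds the document root, and states whether an enforcing SELinux with the relevant httpd boolean off explains the denial. The sample outputs are constructed from the lines quoted in the threads; the runtime mode is taken from `getenforce` rather than the config file because the two differ until the next reboot.

```python
# Which httpd boolean must be on for the web server to read a given network
# filesystem type (standard targeted-policy booleans).
FS_BOOLEAN = {"cifs": "httpd_use_cifs", "nfs": "httpd_use_nfs", "nfs4": "httpd_use_nfs"}

# Constructed samples, shaped like the outputs quoted in the threads above.
SEBOOL_OUTPUT = """\
httpd_can_network_connect --> off
httpd_use_cifs --> off
httpd_use_nfs --> off
"""
MTAB_OUTPUT = """\
/dev/sda1 / ext4 rw,relatime 0 0
//192.168.1.5/user/ /home/user cifs rw,mand 0 0
"""
SELINUX_CONFIG = """\
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
"""


def parse_sebool(output):
    """Parse `getsebool -a` lines of the form 'name --> on' into {name: bool}."""
    booleans = {}
    for line in output.splitlines():
        if "-->" not in line:
            continue
        name, _, state = line.partition("-->")
        booleans[name.strip()] = state.strip() == "on"
    return booleans


def parse_selinux_config(text):
    """Read KEY=value pairs from /etc/selinux/config, ignoring comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg


def mount_fstype(mtab, path):
    """Filesystem type of the mount holding `path`; longest mount point wins."""
    best, fstype = "", None
    for line in mtab.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        mnt, typ = fields[1], fields[2]
        inside = path == mnt or path.startswith(mnt.rstrip("/") + "/")
        if inside and len(mnt) > len(best):
            best, fstype = mnt, typ
    return fstype


def selinux_explains_denial(runtime_mode, booleans, docroot_fstype):
    """Return an explanation if an enforcing SELinux with the needed httpd
    boolean off would block httpd from this filesystem type, else None."""
    if runtime_mode.strip().lower() != "enforcing":
        return None
    needed = FS_BOOLEAN.get((docroot_fstype or "").lower())
    if needed is None or booleans.get(needed, False):
        return None
    return (f"SELinux is enforcing and {needed} is off: httpd cannot read "
            f"{docroot_fstype} mounts until `setsebool -P {needed} on`")


def demo():
    """Run the triage on the constructed samples for /home/user/public_html."""
    fstype = mount_fstype(MTAB_OUTPUT, "/home/user/public_html")
    return selinux_explains_denial("Enforcing", parse_sebool(SEBOOL_OUTPUT), fstype)


if __name__ == "__main__":
    print("configured mode:", parse_selinux_config(SELINUX_CONFIG)["SELINUX"])
    print(demo() or "SELinux booleans do not explain the denial; check mode bits and file contexts")
```

When the document root is on a local filesystem the boolean check returns None and the next thing to look at is the file context (`ls -Z`, and the `chcon -t httpd_sys_content_t` shown in the SVN answer); the `setsebool -P` form in the message is the persistent variant of the `setsebool httpd_use_cifs on` given above.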
Apache generally has another user to access data. Generally it is called www-data. You can check by calling ps aux and searching for apache processes.
It is an old thread but I hit the same error message. In my case I was using another hard drive mounted as a repository, so I had to give www-data ownership of the entire disk. I found this thread, applied it and then it worked: https://ubuntuforums.org/archive/index.php/t-1233618.html
sudo chown www-data:www-data /media/yourdisk -R