How to properly give apache access to a website user's /home/websiteuser/html directory? - apache

Setup:
Websites are set up as users in /home/
Website users restricted to home directories as /home/websiteuser/ is owned by root
Website users are part of the websites group
www-data is part of the websites group
Virtual host points to: /home/websiteuser/html/
/home/websiteuser/html/ is set to -R 755
Files inside /html/ are owned by websiteuser:websites
Website user is used to access website via sftp
Everything works great except apache requires us to recursively chmod 777 the /home/websiteuser/html/files/ directory or images won’t display and the CMS can’t write its MySQL backups.
The website user owns the files so the sftp access works but do I have to make www-data own the files - or is there a way where sftp login works and apache can still have access as well?
We've seen many questions around this but don’t understand the answers sorry - any help would be much appreciated.
Cheers

We've solved this by making a "websites" group and adding the apache user (www-data) to this group like this (must be done as root - switch to root with $ su root or use sudo in front of the commands like this $ sudo useradd username):
Add a new group - this will be the name of the group used for all websites:
$ addgroup websites
List groups to check it was created
$ getent group websites
Add the apache user to the websites-group so apache has access to run the websites
$ usermod -aG websites www-data   # -a appends; -G alone replaces the user's other supplementary groups
Check www-data is part of the websites-group:
$ grep '^websites' /etc/group
Add a new website user (this will be the user used to run the website)
$ useradd username
Give the user a password
$ passwd username
Follow the prompts to add a password
Add website user to websites group
$ usermod -aG websites username
Create a new directory for the user to serve websites from:
$ mkdir /home/username
The owner of the website directory must be root or sftp will fail
Make root the owner and group of website user’s home directory:
$ chown root:websites /home/username
Give website user limited access to their home directory:
$ chmod 750 /home/username
Move into the website user’s directory:
$ cd /home/username
Make a web root directory (this is the public directory where the website's files will live):
$ mkdir html
Give website user owner:group on web root:
$ chown username:websites html
Change permissions on the html directory:
$ chmod 750 html
Copy all the website's files into the html directory
Recursively set ownership on all files within the web-root
$ chown -R username:websites html
Recursively set permissions on all files within the web-root (owner and group have read, write, execute permissions):
$ chmod -R 770 html
Recursively set permissions on all files within web-root:
$ find html -type f -exec chmod 644 {} +
If having issues, make sure directory permissions are set like this (the top-level website directory /home/username/ must be owned by root or sFTP access won't work):
/home/username | drwxr-x--- | root:websites
/home/username/html | drwxr-x--- | username:websites
/home/username/html/directories/ | drwxrwx--- | username:websites
/home/username/html/files.html | -rw-r--r-- | username:websites
We're designers so this is the way we worked it out, if anyone can see improvements, feel free to edit!
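An added example, not part of the answer above: a POSIX shell check that compares one site's directories with the layout table and lists anything a recursive chmod 777 has left world-writable. The function names audit_site and expect are assumptions; the owner and group arguments default to root and websites as used on this page and may also be given as numeric ids.

```shell
#!/bin/sh
# Added example (not from the answer): audit one site against the layout table.
# Assumed names: audit_site, expect. Owner/group may be names or numeric ids.
# Usage: audit_site HOME SITE_USER [HOME_OWNER] [GROUP]

# expect PATH OWNER GROUP MODE: succeed only if PATH matches all three exactly.
expect() {
    if [ -z "$(find "$1" -prune -user "$2" -group "$3" -perm "$4" -print 2>/dev/null)" ]; then
        echo "MISMATCH: want $2:$3 mode $4, have: $(ls -ld "$1" 2>&1)"
        return 1
    fi
}

audit_site() {
    home=$1; user=$2; home_owner=${3:-root}; group=${4:-websites}
    rc=0

    # Home must be owned by root (the sftp requirement) and closed to "other".
    expect "$home" "$home_owner" "$group" 750 || rc=1
    expect "$home/html" "$user" "$group" 750 || rc=1

    # World-writable entries are what a recursive chmod 777 leaves behind.
    ww=$(find "$home/html" ! -type l -perm -0002 -print) || rc=1
    if [ -n "$ww" ]; then
        echo "WORLD-WRITABLE:"
        echo "$ww"
        rc=1
    fi

    # Entries outside user:group break sftp edits or Apache's group access.
    stray=$(find "$home/html" \( ! -user "$user" -o ! -group "$group" \) -print) || rc=1
    if [ -n "$stray" ]; then
        echo "WRONG OWNER OR GROUP:"
        echo "$stray"
        rc=1
    fi
    return "$rc"
}
```

Run it as root, for example audit_site /home/username username; a zero exit status means the home directory, web root and everything under it match the table and nothing is writable by "other".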

Related

wordpress installation on vm instance on compute engine on google cloud - file permission errors

I have been asked to look at a wordpress site that is on google cloud - the Wordpress admin works fine - the front end of the site doesn't show the css
I believe it to be a file permission issue
Replicating the site and placing it on a different server with correct wordpress file permissions it works fine.
However on google cloud I have issues with trying to change the file permissions.
I have ftp access using Filezilla but can't change file permissions that way and if I try to use the apache ssh console to change file permissions that won't apply either.
So looking at the owner of the folder var/www/html and the group it is showing as www-data not root - so first question is what should be the correct owner and group?
To change folder & file permissions and ownership do the following.
SSH into the VM; Google Cloud provides an SSH browser-based terminal.
SSH will open a Linux terminal; if you are the root user there is no need to type 'sudo' for the following commands.
Type 'sudo vim /etc/apache2/envvars'
Read what the config file says; the defaults are:
export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data
Exit the config file back to the linux terminal command line.
Type the following commands to give Apache appropriate User and Group permissions in the public wordpress directory, change user and group name as appropriate
sudo chown -R www-data:www-data /var/www/html
sudo find /var/www/html -type d -exec chmod 750 {} \;
sudo find /var/www/html -type f -exec chmod 640 {} \;
You can now exit the SSH terminal. Note if you want to see the new permissions in FileZilla press F5 to refresh FileZilla.

Allow Docker Apache write permissions to local synced volume

When running a Docker container, what is the correct way to allow Apache write access to a synced volume?
Important: I would like the folder synced so local changes are immediately reflected inside the container, as is happening now with the current run command.
When running the container with:
docker run -v /Local/folder/toSync:/var/www/html -p 8080:80 --sig-proxy=false the-image
The Docker Apache process does not have write access to the folder because the owner and group of that folder is set to 1000 staff, where I believe 1000 is replacing my local username (which is absent from the container). Apache is running as www-data and therefore cannot write to the file.
Attempting to set the local folder user/group to www-data results in chown: www-data: illegal user name
What is the correct way to set permissions and/or mount the volume to permit Apache write access?
You need to put the :z on the end of your volume.
-v /Local/folder/toSync:/var/www/html:z
Also, the syntax of your chown statement doesn't look right. Changing the owner of the volume should work fine, and you will still need to do this.
FROM php:7.4-apache
WORKDIR /var/www/html
EXPOSE 80
WORKDIR /var/www
RUN chown -R www-data html

Assigning public key to user's login

I have a Centos 6.4 server and I need to assign a certificate to a user's login so that he doesn't need to enter a password during login. The user has already provided the id_rsa.pub file. I don't have his credentials and I'm working with the root account.
There was no .ssh directory under his home folder so I created one, but I don't know how to advance from here...
So, as root you need to create a $HOME/.ssh/authorized_keys with the right owner and permissions. Something like this should work:
cd /home/theuser
mkdir .ssh
cp /some/path/id_rsa.pub .ssh/authorized_keys
chown theuser .ssh .ssh/authorized_keys
chmod 700 . .ssh .ssh/authorized_keys
The permission may not have to be so tight, but if it's too loose, ssh won't allow the key to be used and will complain about it in some syslog.

I can't access to a php page

I have created a simple php page in the var/www/tuto directory, but when I try to open this page (this is its URL: http://localhost/tuto/index.php) I get this message:
Forbidden
You don't have permission to access /tuto/index.php on this server.
Apache/2.2.22 (Ubuntu) Server at localhost Port 80
The tuto directory has aimad as group and owner.
The drwx------ means only you have read/write/execute permission on the directory.
d means the node is directory
r(4) means read permission
w(2) means write permission
x(1) means execute permission
The order for permissions is user, group, world.
To fix that you'll need to correct the permissions so apache can read from it. This is done with this command.
chmod -R 755 /var/www/tuto
user: 7 = r + w + x
group: 5 = r + x
world: 5 = r + x
It will set the correct permission for the directory and everything inside.
An even better approach would be to change the directory's group to www-data which apache uses on Ubuntu and then set the permissions to allow the group.
chown -R aimad:www-data /var/www/tuto
chmod -R 750 /var/www/tuto
To get a better understanding of how permissions work look at the Wikipedia page.
http://en.wikipedia.org/wiki/Filesystem_permissions

permission denied while uploading file to EC2

I have installed the apache webserver on linux. I used the following command to upload a file, but I get permission denied:
scp -i adjmp.pem index.html ec2-user@ec2-50-17-88-33.compute-1.amazonaws.com:/var/www/html/hi
How can i upload a file to EC2 ?
You most likely need to change the filesystem permissions. This is usually done using the chmod command. You may also need to modify file ownership (using the chown command).
If you need help with the exact steps, you can provide the output of the following two commands and I will try to help:
sudo ls -al /var/www/html/hi
id