Apache and file system permissions

With the default install of Apache in CentOS or RHEL, looking at file system permissions for the html directory in /var/www/:
drwxr-xr-x. 2 root root 4096 Aug 13 2013 html
My website works, and I have no issues with it, however I would like to know why and when do we need to set the directory to apache:apache?
Thank you

Since Apache is not running as root (presumably, hopefully), it only has read permissions on the directory as part of the last o=rx. This is a good default, since it means that it cannot alter the directory, only passively read and serve files from it. Everything running under an Apache process (e.g. mod_php) thereby has the same restrictions. That prevents a lot of common rookie exploits, like allowing uploads of .php files into a public web folder; because Apache/PHP cannot write into the web folder.
You should assign directories that Apache/PHP/CGI should explicitly be able to write into to apache/www-data (depending on your OS/configuration). It's not typically a good idea to do this with any directory under /var/www, you should leave that read-only as much as possible. However, adding an application-specific folder to something like /usr/local/var/<my website> with write permissions for Apache and selectively sym-linking or mod_rewriting to it is fine.
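
An added example, not part of the answer above: a shell function that lists the paths under a web root that the web server account can modify. For the root:root 755 layout in the question it should print nothing. The function name and the uid/gid arguments are assumptions, and it relies on find accepting numeric IDs.

```sh
#!/bin/sh
# Added example: list paths under a web root that the web server account
# can modify. Assumed names: audit_webroot, and the uid/gid arguments
# (e.g. from `id -u apache` and `id -G apache` on CentOS/RHEL).

# usage: audit_webroot ROOT UID [GID...]
# Flags a path when it is
#   - owned by UID (the owner can write, or chmod itself write access),
#   - group-writable and its group is one of the GIDs, or
#   - world-writable.
# Symlinks are skipped: their own mode bits are not used for access checks.
# This can over-report when a more specific class denies what "other" grants.
audit_webroot() {
    root=$1
    uid=$2
    shift 2
    group_expr=""
    for gid in "$@"; do
        # Numeric GIDs only, so the unquoted expansion below is safe.
        case $gid in
            ''|*[!0-9]*) echo "bad gid: $gid" >&2; return 2 ;;
        esac
        group_expr="$group_expr -o ( -group $gid -perm -020 )"
    done
    # group_expr is deliberately unquoted so it splits into find arguments.
    find "$root" ! -type l \( -user "$uid" -o -perm -002 $group_expr \) -print
}

# Typical invocation for the layout in the question (not run here):
#   audit_webroot /var/www/html "$(id -u apache)" $(id -G apache)
```

Any directory this prints is a place where code running under Apache could create files, so it belongs outside the served tree, as the answer recommends.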

When your website needs permission to modify a directory/file in the web app folder, you have 2 choices: 1) chmod the folder to 777/666 or 2) change the owner of these folders/files to apache.
Sometimes, changing the owner is preferred to chmod for security reasons.

Related

Plex and Owncloud shared folders permission issues

I am setting up a multimedia server on Debian 8.
I installed both Plex and Owncloud. I have set up /var/media as my Owncloud default folder. I decided to create a folder Library at the root of Owncloud. So the folder path is:
/var/media/admin/files/Library
I changed the permissions of media with:
chmod 770 -R /var/media
On top of that, all the files in /var/media are owned by www-data:www-data.
In order to make Plex see my media, I have added the user plex to the group www-data. I would like to create a library watching my /var/media/admin/files/Library folder, but I have a problem: Plex sees neither the files nor the folders in /var/media. Here is a screenshot:
To finish, I have tried to connect on my server via ssh with the plex user, and it sees files and folders inside /var/media.
What am I doing wrong? Maybe it is not a permission issue?
Thanks
Update
If I change the ownership of /var/media to plex:www-data, it works. But I can't understand why it doesn't work for www-data:www-data. So it is indeed a permissions issue.
If I launch id plex, I have:
uid=107(plex) gid=33(www-data) groups=33(www-data)
Just to remind, here are the permissions of /var/media folder (full permissions for group...):
drwxrwx--- 4 www-data www-data 4096 Oct 30 09:01 media
I assume from your post that Plex, Linux OS, and your media are all contained on the same machine and that there are no separate computing devices being used here as that would mean additional steps are required.
In all likelihood, plex won't be able to list your files because the mode 777 is required to list files in a directory even if the files themselves are set more restrictively than 777 e.g. 750. From what I can tell, your chmod command has set all the directory permissions to 770 which would break the listing capability. As it happens I've just yesterday written a guide over on Tech-KnowHow that covers this, and within that I have described how to set all your folders to 777 and your files to something else. That way it works with plex (and other systems for that matter). I've essentially chosen the same solutions as you in that I use the group to assign the permissions and make sure the everyone / other mode is set to apply no permissions.
There's a direct link to the article below, you'll need to click on the implementation page and look for the find command under the 'Apply correct modes' heading. I've also included how to keep your ownership consistent through samba which is useful when copying new files across. Let me know how that goes in the comments and I'll help you out where I can while it's still fresh in my mind. Good luck!
https://www.tech-knowhow.com/2016/03/how-to-plex-permissions-linux/
I know it is an old post, but I had the same issue and this was my solution:
After a
sudo service plexmediaserver status
I found the file used to launch the plex service /lib/systemd/system/plexmediaserver.service. This file contains the user and group which are used by plex.
So we can change the line Group=plex to your group.
PS: do not forget to restart the plex service with
sudo service plexmediaserver restart
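
An added example, not part of the posts above: the unit file's User= and Group= lines decide which groups the running service holds, so this reads the process's effective and supplementary GIDs from /proc/<pid>/status rather than relying on `id plex`, which only reports the account database. The function names are hypothetical, and the sample status text is constructed (GID 999 is a placeholder).

```sh
#!/bin/sh
# Added example: check which groups a running service actually holds.

# usage: proc_gids < /proc/<pid>/status
# Prints the effective GID and the supplementary GIDs, one per line.
proc_gids() {
    awk '
        # Gid: fields are real, effective, saved, filesystem
        $1 == "Gid:"    { print $3 }
        $1 == "Groups:" { for (i = 2; i <= NF; i++) print $i }
    ' | sort -un
}

# usage: proc_in_group GID < /proc/<pid>/status
# Exit status 0 if the process holds GID, 1 otherwise.
proc_in_group() {
    proc_gids | grep -qx "$1"
}

# Constructed sample of a status file for a service whose unit sets a
# Group= other than www-data. UID 107 is from the question; GID 999 is a
# made-up placeholder for that other group.
sample_status() {
    printf 'Name:\tPlex Media Serv\nUid:\t107\t107\t107\t107\n'
    printf 'Gid:\t999\t999\t999\t999\nGroups:\t999\n'
}

# On a live system (not run here), get the PID from
#   systemctl show -p MainPID plexmediaserver
# and then, with 33 being www-data in the question:
#   proc_in_group 33 < /proc/<pid>/status && echo "holds www-data"
```

If the check fails while `id plex` lists the group, the mismatch is in how the service is started, not in the directory modes.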

XAMPP: How to make apache webserver owner of folder /htdocs

I am using XAMPP and apache as webserver. I have permission problems with a website of mine that requires write access to a temporary folder in the project folder /htdocs/myProject/tmp
I think my problem is that my site runs on my localhost and I copied the project with my regular desktop user into the htdocs folder. Apache seems to lack write permissions.
My question is now: How do I find out which user group Apache belongs to in order to make that group owner of the folder? That should fix my permission problem, shouldn't it?
As far as I understand, Apache (the webserver) has its own user called "www-data". Maybe an already answered question on SO has a solution which you can use.
The command used relies on a Linux-based system and assumes that you have navigated in a terminal to the directory where /htdocs is located.
The command in the answer at the link below allows you as a humanoid user to write and work in this specified directory.
You add www-data (Apache) so that it can use this directory, too.
New files in that chown'ed directory will 'inherit' the owners.
The Link and further descriptions can be found here on Stackoverflow.com:
www-data permissions

Finding Dropbox directory ubuntu

I have a Dropbox account which syncs all my website folders, and it works well on Windows using my Apache to test, because Apache can find the directory. I have another development computer using Ubuntu 13, and I changed the document root in Apache to /home/jacques/dropbox, but it can't find the directory. So I opened my home folder and saw the directory there, so I tried to access it using the terminal; it said that the directory doesn't exist.
I right-clicked Dropbox and that said that the directory is in /home/dropbox and /home/jacques/dropbox
Am I missing something important here?
There are a few things to check here:
First, on Ubuntu the default Dropbox directory is /home/username/Dropbox, not /home/username/dropbox. Note the capital 'D'; Linux file systems are case-sensitive. Make sure that you specify it with the capital D in the DocumentRoot declaration.
The second is to check what user Apache is running as and make sure that it has permissions to view your Dropbox directory. On Ubuntu, the default is www-data, so you might want to add yourself to the www-data group and change the group on the Dropbox folder to be www-data.
Alternatively, you can change the user and group that Apache runs as by editing the /etc/apache2/envvars file and making these edits:
export APACHE_RUN_USER=jacques
export APACHE_RUN_GROUP=jacques
You will need to restart Apache after this, and you may need to update the owner of the /var/log/apache2 directory to be you also.

silverstripe - file permissions for assets folder

It often happens that a SilverStripe installation does not have the right permissions to write in the assets folder, e.g. for saving resampled images...
I wonder what the best permissions setting is for the files and folders in assets/ to solve that problem.
You read so many different things when you google...
Can I just chmod the whole assets folder and its contents to 0777?
Or do files and folders need different permissions?
Is there a recommendation for Owner and Group?
Can I have "dangerous" settings?
Rule of thumb:
Stuff the webserver needs to write (assets/, silverstripe-cache/) needs to be writable by the server
Stuff the webserver needs to read (framework, cms, modules, custom code,...) should only be readable by the server
chmod 777 will work for the writeable parts, but you might want to set the folder's owner to the webserver's user (www-data, nobody, or whatever this is on your system) plus chmod 755 to avoid global write permissions.
See if your hosting provider will install the mod_suphp (suPHP) Apache module, then you don't have to worry about setting dangerous folder permissions: http://www.suphp.org/Home.html

Parallels plesk permissions accessing through FTP

Our server is running under CentOS 6 and handled over Panel Plesk 10.4.4. The structure of folders and files is created using a PHP script. Then, when accessing through FTP, we are unable to modify the contents of these previously created folders. Accessing it as the Apache web user works without exception, but not over FTP. Folders and files have 755 and 644 rights respectively. How to enable FTP access? Thank you
EDIT: problem is that file owner and ftp are not the same but I do not know exactly how and where to attach it.
File and folders owner is psacln (gid 502) and group is apache (gid 503). Ftp users are not the same.
We add a login ftp user (also system one) to the group owner of files and folders "psacln" using usermod -a -G psacln ftpusername. Same procedure with apache group but problem persists.
The problem here would be that you probably run your site in mod_php mode. In this mode scripts are operated under Apache privileges, so all files and directories created are owned by Apache. This way the files cannot be accessed by your FTP user unless you set up 777 or 666 permissions.
I think your options could be:
1) Switch to the FastCGI mode of PHP. Depending on your Plesk account privileges, you can either do it yourself in the Plesk UI or will have to ask your hosting provider for that. This way your script will be operated under user privileges (same as the FTP user) and there will be no problems with accessing these files through FTP. Also, this option is often considered more secure.
2) Make the PHP script set 777 permissions on your folders and 666 permissions on your files. It means you allow everyone (so-called "others") to modify them, so the FTP user can modify these files as well. While this may sound insecure, in practice these files can already be accessed from any other site on that system (if it is a shared hosting server). So I don't think it will be any more insecure than the current status.
Regards