I'm using Docker to run an Apache instance. My docker file goes something like this:
FROM ubuntu
MAINTAINER your.face@gmail.com
RUN cat /etc/passwd
RUN cat /etc/group
RUN apt-get update && apt-get install -yq apache2 php5 libapache2-mod-php5 php5-mysql
RUN apt-get install -yq openssh-server
RUN mkdir /var/run/sshd
ENV APACHE_RUN_USER www-data
ENV APACHE_RUN_GROUP www-data
ENV APACHE_LOG_DIR /var/log/apache2
EXPOSE 80
ADD config/apache2/000-default.conf /etc/apache2/sites-available/000-default.conf
ADD config/php5/php.ini /etc/php5/apache2/php.ini
ADD config/start.sh /tmp/start.sh
ADD src /var/www
RUN chown -R root:www-data /var/www
RUN chmod u+rwx,g+rx,o+rx /var/www
RUN find /var/www -type d -exec chmod u+rwx,g+rx,o+rx {} +
RUN find /var/www -type f -exec chmod u+rw,g+rw,o+r {} +
#essentially: CMD ["/usr/sbin/apache2ctl", "-D", "FOREGROUND"]
CMD ["/tmp/start.sh"]
However, when I build the container and run it, I only ever get 403 errors.
Notice that I've specified that Apache should run as www-data in www-data group, and that /var/www has been recursively chown'd to belong to root:www-data.
Also, all directories are searchable and readable, and all files are readable and writeable by the www-data group (well, according to ls -la and namei -m they are anyways).
How do I fix these permissions issues? I can't figure it out.
Actual error from the Apache error.log:
[Fri May 23 18:33:27.663087 2014] [core:error] [pid 14] (13)Permission denied: [client 11.11.11.11:61689] AH00035: access to /index.php denied (filesystem path '/var/www/index.php') because search permissions are missing on a component of the path
EDIT:
output of ls -laR /var/www at the end of the Dockerfile:
Step 21 : RUN ls -laR /var/www
---> Running in 74fd3609dfc8
/var/www:
total 1036
drwxr-xr-x 67 root www-data 4096 May 23 18:38 .
drwxr-xr-x 26 root root 4096 May 23 18:38 ..
-rw-rw-r-- 1 root www-data 28 May 23 12:22 .gitignore
-rw-rw-r-- 1 root www-data 501 May 23 12:22 .htaccess
-rw-rw-r-- 1 root www-data 7566 May 23 12:22 index.php
Output of namei -m /var/www/index.php at the end of the Dockerfile:
Step 22 : RUN namei -m /var/www/index.php
---> Running in 1203f0353090
f: /var/www/index.php
drwxr-xr-x /
drwxr-xr-x var
drwxr-xr-x www
-rw-rw-r-- index.php
EDIT2
After trying a whole bunch of things, including chmod -R 777 just to see if I could get anything to work, I tried putting the source files added from the Dockerfile into /var/www/html, the default location for Apache files to be served.
I matched the default file permissions exactly (I think), and it still isn't working. The default index.html that comes with Apache loads just fine, but the added src folder still has a 403 access denied error.
I changed the Dockerfile to ADD src /var/www/html/src and the permissions were set using:
RUN find /var/www/html -type d -exec chmod u+rwx,g+rx,o+rx {} +
RUN find /var/www/html -type f -exec chmod u+rw,g+r,o+r {} +
No luck. Below is some of the output of ls -laR on /var/www. Notice that the permissions for the html folder and index.html that come with an apache2 install match those of the added src folder:
Step 19 : RUN ls -laR /var/www/
---> Running in 0520950d0426
/var/www/:
total 12
drwxr-xr-x 6 root root 4096 May 23 19:23 .
drwxr-xr-x 24 root root 4096 May 23 19:23 ..
drwxr-xr-x 5 root root 4096 May 23 19:23 html
/var/www/html:
total 24
drwxr-xr-x 5 root root 4096 May 23 19:23 .
drwxr-xr-x 6 root root 4096 May 23 19:23 ..
-rw-r--r-- 1 root root 11510 May 23 18:28 index.html
drwxr-xr-x 47 root root 4096 May 23 19:23 src
/var/www/html/src:
total 1032
drwxr-xr-x 47 root root 4096 May 23 19:23 .
drwxr-xr-x 5 root root 4096 May 23 19:23 ..
-rw-r--r-- 1 root root 28 May 23 12:22 .gitignore
-rw-r--r-- 1 root root 501 May 23 12:22 .htaccess
-rw-r--r-- 1 root root 7566 May 23 12:22 index.php
Perhaps chmod doesn't work quite the way I thought it does??
EDIT3
A final bit of information. The Docker container is being built by buildbot, which I've been assuming runs as root. I haven't been able to reproduce this scenario without using buildbot to do the building.
Building everything via sudo docker build -t apache . type commands on my laptop works fine, but the problems arise when buildbot does it. No idea why :^/
I just ran into this after posting a similar question at Running app inside Docker as non-root user.
My guess is you can't chmod/chown files that were added via the ADD command. – thom_nic Jun 19 at 14:14
Actually you can. You just need to issue a RUN command after the ADD for the file location that will be INSIDE your container. For example:
ADD extras/dockerstart.sh /usr/local/servicemix/bin/
RUN chmod 755 /usr/local/servicemix/bin/dockerstart.sh
Hope that helps. It worked for me.
I encountered a similar issue; however my container was using VOLUME to map directories across the container.
Changing the permissions on the directory that maps to /var/www/html itself remedied the 403 Forbidden errors.
docker-host$ ls -ld /var/www/html
drwxr--r-- 53 me staff 1802 Mar 8 22:33 .
docker-host$ chmod a+x /var/www/html
docker-host$ ls -ld /var/www/html
drwxr-xr-x 53 me staff 1802 Mar 8 22:33 .
Note that chmod must be applied on the Docker host, not within the container. Executing it within the container effects no change to the directory.
docker-container$ chmod a+x /var/www/html
docker-container$ ls -ld /var/www/html
drwxr--r-- 53 me staff 1802 Mar 8 22:33 .
Related
Using:
podman version 4.2.0
AlmaLinux 8.7
I've created an image based on redhat/ubi8 with the following Dockerfile:
FROM docker.io/redhat/ubi8
RUN dnf install -y gcc-c++ cmake python39 openssh git
RUN useradd -ms /bin/bash foobar -g users
USER foobar
WORKDIR /home/foobar/
RUN mkdir -p .ssh
$ docker build -t mount_test_image .
I run the image from a directory that contains a directory ssh, and I want to mount that directory to /home/foobar/.ssh with ownership of foobar.users
$ ls -l
-rw-r--r--. 1 host_user users 269 Dec 7 09:10 Dockerfile
drwxrwxr-x. 2 host_user users 18 Dec 2 10:41 ssh
docker run -it -d --rm --mount type=bind,src=ssh,target=/home/foobar/.ssh --name=mount_test mount_test_image
However when I enter the container via
docker exec -it mount_test '/bin/sh'
The home directory looks like this:
drwx------. 1 foobar users 18 Dec 7 17:10 .
drwxr-xr-x. 1 root root 21 Dec 7 17:10 ..
-rw-r--r--. 1 foobar users 18 Jun 20 11:31 .bash_logout
-rw-r--r--. 1 foobar users 141 Jun 20 11:31 .bash_profile
-rw-r--r--. 1 foobar users 376 Jun 20 11:31 .bashrc
drwxrwxr-x. 2 root root 18 Dec 2 18:41 .ssh
I obviously get a "permission denied" when trying to access that directory.
sh-4.4$ ls /home/foobar/.ssh
ls: cannot open directory '/home/foobar/.ssh': Permission denied
I tried changing the ownership of the directory on the host to match the uid of the container user, but then it just looks like this:
drwxrwxr-x. 2 nobody root 18 Dec 2 18:41 .ssh
My host user uid:gid is 501:100 and the container user is 1000:100. Right now I'm just trying to generate an ssh key to upload to bitbucket, but this seems like a simple feature a container should have. All the tutorials and examples just stop after the --mount command instruction and say "there ya go!". What good is the mount point if you can't read/write it?
EDIT:
I tried on Archlinux using docker instead of podman and it works like one would expect with both -v and --mount. The owner of the mounted directory in the container matches the uid and gid of the host. Is this then a bug in podman or is it just done differently?
You are using a non-root user (foobar) in a rootless container. You must use --userns=keep-id for the container user to see the mounted volumes.
https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md#using-volumes
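Why the mounted directory shows up as root, then as nobody, follows from the user-namespace ID map. As an added example (not from the thread), this script translates IDs through maps in /proc/<pid>/uid_map format; both maps are constructed for host UID 501 and assume a subordinate range of 100000:65536 in /etc/subuid, and the function name translate_id is hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread. Map lines use the uid_map format:
#   <first-container-id> <first-host-id> <count>
# Both maps are constructed: host UID 501, assumed /etc/subuid range 100000:65536.
# DEFAULT_MAP: rootless default, the host user becomes container root.
# KEEP_ID_MAP: effective mapping when the host UID keeps its own number.
DEFAULT_MAP='0 501 1
1 100000 65536'
KEEP_ID_MAP='0 100000 501
501 501 1
502 100501 65035'

# translate_id host2ctr|ctr2host ID MAP
# Prints the ID as seen on the other side of the namespace boundary.
# An unmapped host ID prints 65534, the kernel's default overflow ID
# (displayed as "nobody"); an unmapped container ID prints "unmapped".
translate_id() {
    local way="$1" id="$2" map="$3" c h n from to
    while read -r c h n; do
        [ -n "$n" ] || continue
        if [ "$way" = host2ctr ]; then from=$h; to=$c; else from=$c; to=$h; fi
        if [ "$id" -ge "$from" ] && [ "$id" -lt $((from + n)) ]; then
            echo $((to + id - from))
            return 0
        fi
    done <<EOF
$map
EOF
    if [ "$way" = host2ctr ]; then echo 65534; else echo unmapped; fi
}

echo "default rootless map:"
echo "  files owned by host 501 appear in the container as UID $(translate_id host2ctr 501 "$DEFAULT_MAP")"
echo "  files chown'd to host 1000 appear as UID $(translate_id host2ctr 1000 "$DEFAULT_MAP")"
echo "  container UID 1000 (foobar) is host UID $(translate_id ctr2host 1000 "$DEFAULT_MAP")"
echo "keep-id style map:"
echo "  files owned by host 501 appear in the container as UID $(translate_id host2ctr 501 "$KEEP_ID_MAP")"
```

With the default map, the bind-mounted directory owned by host UID 501 is owned by root inside the container, and the foobar process (host UID 100999 here) falls into the "other" permission class on the host.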
Jenkins installed on Ubuntu 18.04 and running successfully.
As part of our project build process, we need to copy built files to a specific folder under /var/www/html (Apache folder). Our build / Execute shell:
npm install
ng build --prod
cp -R /var/lib/jenkins/workspace/kagi-core/dist/core/* /var/www/html/kagi-core/
But jenkins build fails at the final copy command with the following errors:
23:18:10 + cp -R /var/lib/jenkins/workspace/kagi-core/dist/core/3rdpartylicenses.txt /var/lib/jenkins/workspace/kagi-core/dist/core/assets ...
23:18:10 cp: cannot create regular file '/var/www/html/kagi-core/3rdpartylicenses.txt': Permission denied
...
...
Here's what we did/tried so far:
Added "jenkins" user to root and ubuntu groups.
ubuntu@ip-172-31-15-215:/var/www/html$ groups jenkins
jenkins : jenkins root ubuntu
Changed permissions on /var/www/html/kagi-core folders to "jenkins" user
drwxr-xr-x 3 ubuntu jenkins 4096 Sep 17 21:36 www
..
drwxr-xr-x 3 ubuntu jenkins 4096 Sep 18 21:04 html
..
drwxrwxrwx 4 ubuntu jenkins 4096 Sep 18 21:18 kagi-core
What are we missing? Appreciate any help!
While trying to fix this, found the solution. Adding here for reference:
On observing carefully, the permissions on the /var/www folders are as follows:
drwxr-xr-x 3 ubuntu jenkins 4096 Sep 17 21:36 www
but instead they should be the other way around (allow "jenkins" user to the default group):
drwxr-xr-x 3 jenkins ubuntu 4096 Sep 17 21:36 www
Also we reset the group to default root
So the command that solved the issue was
cd /var
sudo chown -R jenkins:root www/
After this, jenkins builds were successful (able to copy to the /var/www/html folder).
I'm setting up a new website on a new Ubuntu droplet at Digital Ocean. I set this up previously on a different droplet and rsynced the website contents to it. I followed directions I found on the web, but didn't keep detailed-enough notes. I'm just trying to replicate this on the new Droplet. But I've messed up somehow. My knowledge of permissions, etc. is rudimentary :-(
My server has: /var/www/html
This is what I did:
• sudo usermod -a -G www-data [myusername]
• sudo chown -R www-data:www-data /var/www
• sudo chmod -R g+rw /var/www
• sudo chmod -R g+rws /var/www
I then created “/var/www/howardmann.us/public_html” for my website.
(I didn't put the public_html directory in var/www/html. I didn't on my other Droplet. Perhaps I should.)
sudo ls -la /var/www
total 16
drwxrwsr-x 4 www-data www-data 4096 Feb 25 15:43 .
drwxr-xr-x 14 root root 4096 Feb 24 14:27 ..
drwxr-sr-x 3 root www-data 4096 Feb 25 15:43 howardmann.us
drwxrwsr-x 2 www-data www-data 4096 Feb 25 15:42 html
sudo ls -la /var/www/howardmann.us/public_html
total 8
drwxr-sr-x 2 root www-data 4096 Feb 25 15:43 .
drwxr-sr-x 3 root www-data 4096 Feb 25 15:43 ..
Now, excerpts of rsync script (successful to my other Droplet) result from my laptop now:
1.
howardm$ ./deploy.sh
sending incremental file list
rsync: failed to set times on "/var/www/howardmann.us/public_html/.": Operation not permitted (1)
rsync: recv_generator: mkdir "/var/www/howardmann.us/public_html/css" failed: Permission denied (13)
* Skipping any contents from this failed directory *
3.
rsync: mkstemp "/var/www/howardmann.us/public_html/.DS_Store.8zaaQg" failed: Permission denied (13)
Question: How do I fix ownership and permissions on the server directories for 1) proper permissions for a website and 2) permit a rsync deploy?
For comparison, here is the status of my current working web site on the other Droplet:
howardm@howardmann:~$ ls -la /var/www/
total 20
drwxrwxr-x 5 howardm www-data 4096 Mar 5 2016 .
drwxr-xr-x 13 root root 4096 Mar 28 2015 ..
drwxrwxr-x 4 howardm www-data 4096 Jun 8 2016 howardmann.us
drwxrwxr-x 2 howardm www-data 4096 Mar 29 2015 html
Thanks!
Howard
Well, I fixed this after reading some more about permissions for a website.
My website folder is titled howardmann.us, which contains a public_html folder with the website contents.
So: /var/www/howardmann.us/public_html. (/var/www also contains a html directory)
I achieved the relevant ownership/permissions with:
sudo chown -R howardm:www-data /var/www/
I'm the owner, and www-data the group.
sudo usermod -a -G www-data [myusername]
I'm a member of the www-data group
sudo chmod -R 2775 /var/www/
This yields the proper permissions, I believe, for a web site.
I made sure the same owner:group applied to all these directories:
ls -l /var/www
total 8
drwxr-sr-x 3 howardm www-data 4096 Feb 26 19:23 howardmann.us
drwxrwsr-x 2 howardm www-data 4096 Feb 25 15:42 html
ls -l /var/www/howardmann.us
total 4
drwxr-xr-x 11 howardm www-data 4096 Feb 5 2017 public_html
Now rsync works without errors.
If anyone believes these ownership/permissions for a website are (substantially) improper, please comment.
Howard
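A recursive chmod 2775 like the one in the answer above also puts the setgid and execute bits on every regular file. As an added example (not part of the post), this variant applies 2775 to directories only and 664 to files, and lists files that are executable or world-writable; the function names and the temporary tree are constructed, and ownership is assumed to be set already.

```sh
#!/bin/sh
# Added example, not from the thread. Ownership is left as is; only modes change.

# set_webroot_modes DIR
# Directories get 2775: group-writable, with setgid so entries created later
# inherit the directory's group. Regular files get 664: no execute bits.
set_webroot_modes() {
    find "$1" -type d -exec chmod 2775 {} + &&
    find "$1" -type f -exec chmod 664 {} +
}

# list_risky_files DIR
# Prints regular files that carry any execute bit or are world-writable.
list_risky_files() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 -o -perm -002 \) | sort
}

# Constructed tree standing in for /var/www/howardmann.us
demo_webroot_modes() {
    local t
    t=$(mktemp -d) || return 0
    mkdir -p "$t/site/public_html/css"
    touch "$t/site/public_html/index.html" "$t/site/public_html/css/main.css"
    chmod -R 2775 "$t/site"
    echo "flagged after chmod -R 2775:"
    list_risky_files "$t/site"
    set_webroot_modes "$t/site"
    echo "flagged after set_webroot_modes:"
    list_risky_files "$t/site"
    echo "directory mode: $(stat -c '%a' "$t/site/public_html")"
    rm -rf "$t"
}
demo_webroot_modes
```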
I have installed WordPress 3.6.1 on Debian 6.0.8 (alongside other websites) by following this tutorial https://wiki.debian.org/WordPress.
I keep struggling with WordPress asking for FTP Connection Information for theme or plugin updates.
Could you please help me set the rights correctly?
Looking forward to hearing from you
What I can do
install/delete plugin
install/delete themes
What I can't do
display theme nicely unless I manually create the symbolic link to the files.
Posts I have read :
Can I install/update WordPress plugins without providing FTP access?
How do I know which linux user Wordpress uses for plugin installation
WordPress can't install themes
A general linux file permissions question: Apache and WordPress
apache and sftp permissions for wordpress automatic update in ubuntu
What I have tried
Set FS_METHOD to direct
in /etc/wordpress/config-mydomain.fr.php
define('FS_METHOD', 'direct');
Reassign permissions:
admin@server01:/usr/share/wordpress$ find -type d -exec sudo chmod 755 {} \;
admin@server01:/usr/share/wordpress$ find -type f -exec sudo chmod 644 {} \;
admin@server01:/usr/share/wordpress$ ls -l
total 144
-rw-r--r-- 1 root root 395 8 janv. 2012 index.php
-rw-r--r-- 1 root root 7155 14 sept. 2013 readme.html
-rw-r--r-- 1 root root 4616 21 janv. 2013 wp-activate.php
drwxr-xr-x 9 root root 4096 19 mars 13:00 wp-admin
-rw-r--r-- 1 root root 271 8 janv. 2012 wp-blog-header.php
-rw-r--r-- 1 root root 3513 16 juil. 2013 wp-comments-post.php
-rw-r--r-- 1 root root 2381 13 sept. 2013 wp-config.php
-rw-r--r-- 1 root root 3177 1 nov. 2010 wp-config-sample.php
drwxr-xr-x 5 root www-data 4096 19 mars 13:00 wp-content
-rw-r--r-- 1 root root 2718 23 sept. 2012 wp-cron.php
drwxr-xr-x 10 root root 4096 19 mars 13:00 wp-includes
-rw-r--r-- 1 root root 1997 23 oct. 2010 wp-links-opml.php
-rw-r--r-- 1 root root 2408 26 oct. 2012 wp-load.php
-rw-r--r-- 1 root root 29751 23 juil. 2013 wp-login.php
-rw-r--r-- 1 root root 7715 3 mars 2013 wp-mail.php
-rw-r--r-- 1 root root 9990 21 févr. 2013 wp-settings.php
-rw-r--r-- 1 root root 22135 15 mai 2013 wp-signup.php
-rw-r--r-- 1 root root 3692 9 mai 2013 wp-trackback.php
-rw-r--r-- 1 root root 2722 4 mars 2013 xmlrpc.php
&
admin@server01:/var/lib/wordpress$ find -type d -exec sudo chmod 755 {} \;
admin@server01:/var/lib/wordpress$ find -type f -exec sudo chmod 644 {} \;
admin@server01:/var/lib/wordpress$ ls -l
total 4
drwxr-xr-x 8 www-data www-data 4096 20 mars 15:04 wp-content
Manually remove broken plugin
admin@server01:/var/lib/wordpress/wp-content/plugins$ sudo rm akismet
admin@server01:/usr/share/wordpress/wp-content/plugins$ sudo rmdir akismet/
Manually remove broken themes
admin@server01:/usr/share/wordpress/wp-content/themes$ sudo rmdir twentythirteen/
admin@server01:/usr/share/wordpress/wp-content/themes$ sudo rmdir twentytwelve/
&
admin@server01:/var/lib/wordpress/wp-content/themes/clear$ sudo rm *
admin@server01:/var/lib/wordpress/wp-content/themes$ sudo rmdir clear/
Manually define themes symbolic links that don't want to appear automatically
admin@server01:/usr/share/wordpress/wp-content/themes$ sudo ln -s '/var/lib/wordpress/wp-content/themes/clear' 'clear'
Restart ssh:
admin@server01:~$ sudo /etc/init.d/ssh restart
Restarting OpenBSD Secure Shell server: sshd.
Restart apache:
admin@server01:~$ sudo service apache2 reload
Reloading web server config: apache2apache2: Could not reliably determine the server's fully qualified domain name, using 92.243.##.### for ServerName
/etc/apache2/sites-available/fr.mydomain.www
<VirtualHost *:80>
ServerName mydomain.fr
ServerAlias www.mydomain.fr
RewriteEngine on
RewriteCond %{HTTP_HOST} ^mydomain\.fr
RewriteRule $(.*)$ http://www.mydomain.fr$1 [R=permanent,L]
DocumentRoot /usr/share/wordpress/
DirectoryIndex index.php index.html
ErrorLog /var/log/apache2/wp-error.log
TransferLog /var/log/apache2/wp-access.log
<Directory /usr/share/wordpress>
Options -Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
ScriptAlias /wp/wp-content /var/lib/wordpress/wp-content/
ScriptAlias /wp /usr/share/wordpress/
<Directory "/var/lib/wordpress/wp-content">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
/etc/wordpress/config-mydomain.fr.php
<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wordpress');
define('DB_PASSWORD', 'myPassword');
define('DB_HOST', 'localhost');
define('WP_CONTENT_DIR', '/var/lib/wordpress/wp-content');
define('FS_METHOD', 'direct');
?>
Apache seems to run as root
ps aux | grep apache
root 11565 0.0 0.7 227076 15040 ? Ss Mar19 0:03 /usr/sbin/apache2 -k start
root 23668 0.0 0.3 227212 7500 ? S 10:07 0:00 /usr/sbin/apache2 -k start
...
root 26875 0.0 0.3 227212 7500 ? S 12:50 0:00 /usr/sbin/apache2 -k start
admin 27111 0.0 0.0 9620 916 pts/1 S+ 13:18 0:00 grep apache
777*
I have tried to change /usr/share/wordpress/wp-content and /var/lib/wordpress/wp-content to 777 without success...and I know that is very very bad.
Maybe this is because of some weird behaviour of Wordpress: The check whether WP has write permissions creates a temporary file and compares the owner of that file (which will be the Apache process, www-data) to the result of getmyuid(). However, getmyuid() returns the owner of the running php file (wp-admin/update.php in this case) which is 0 (root) in the default install. Try to change the owner of this file to www-data, which made it work for me:
chown www-data:www-data /usr/share/wordpress/wp-admin/update.php
I need to change permissions of files in my /media/MAVEN/Projects
MAVEN is my windows disk partition.
The permissions on the Projects folder are:
:/media/MAVEN/Projects$ ls -la
total 340
drwxrwxrwx 1 root root 12288 Oct 6 21:31 .
drwxrwxrwx 1 root root 32768 Oct 9 06:32 ..
all the projects are set to drwxrwxrwx
I need to change them to 755 so I tried:
~$ sudo chmod 755 -R /media/MAVEN/Projects
But I get errors: ...Read-only file system
The result of ls -la /media/MAVEN/Projects remains the same.
Help me resolve this.
Problem solved. I found out that I was using a package that was mounting my disk as read-only. It's called pysdm. I disabled that feature.