it happens often that an silverstripe installation does not have the right permission to write in the assets folder - e.g. for saving resampled images...
I wonder what is the best permissions setting for the files and folders in assets/ to solve that problem.
you read so many different things when you google...
can I just chmod the whole assets folder and its contents to 0777?
or do files and folders need different permissions?
is there an recommendation for Owner and Group?
can I have "dangerous" settings?
Rule of thumb:
Stuff the webserver needs to write (assets/, silverstripe-cache/) need to be writable by the server
Stuff the webserver needs to read (framework, cms, modules, custom code,...) should only be readable by the server
chmod 777 will work for the writeable parts, but you might want to set the folder's owner to the webserver's user (www-data, nobody, or whatever this is on your system) plus chmod 755 to avoid global write permissions.
See if your hosting provider will install the mod_suphp (suPHP) Apache module, then you don't have to worry about setting dangerous folder permissions: http://www.suphp.org/Home.html
Related
I am setting up a multimedia server on Debian 8.
I installed both Plex and Owncloud. I have set up /var/media as my Owncloud default folder. I decided to create a folder Library at the root of Owncloud. So the folder path is:
/var/media/admin/files/Library
I changed the permissions of media with:
chmod 770 -R /var/media
On top of that, all the files in /var/media are owned by www-data:www-data.
In order to make Plex see my medias, I have added the user plex to the group www-data. I would like to create a library watching my /var/media/admin/files/Library folder but I have a problem, Plex doesn't see neither the files or folders in /var/media. Here is a screenshot:
To finish, I have tried to connect on my server via ssh with the plex user, and it sees files and folders inside /var/media.
What am I doing wrong? Maybe it is not a permission issue?
Thanks
Update
If I change the ownership of /var/media to plex:www-data, it works. But I can't understand why it doesn't work for www-data:www-data. So it is well a permissions issue.
If I launch id plex, I have:
uid=107(plex) gid=33(www-data) groups=33(www-data)
Just to remind, here are the permissions of /var/media folder (full permissions for group...):
drwxrwx--- 4 www-data www-data 4096 Oct 30 09:01 media
I assume from your post that Plex, Linux OS, and your media are all contained on the same machine and that there are no separate computing devices being used here as that would mean additional steps are required.
In all likelyhood, plex won't be able to list your files because the mode 777 is required to list files in a directory even if the files themselves are set more restrictively than 777 e.g. 750. From what I can tell, your chmod command has set all the directory permissions to 770 which would break the listing capability. As it happens I've just yesterday written a guide over on Tech-KnowHow that covers this, and within that I have described how to set all your folders to 777 and your files to something else. That way it works with plex (and other systems for that matter). I've essentially chosen the same solutions as you in that I use the group to assign the permissions and make sure the everyone / other mode is set to apply no permissions.
There's a direct link to the article below, you'll need to click on the implementation page and look for the find command under the 'Apply correct modes' heading. I've also included how to keep your ownership consistent through samba which is useful when copying new files across. Let me know how that goes in the comments and I'll help you out where I can while it's still fresh in my mind. Good luck!
https://www.tech-knowhow.com/2016/03/how-to-plex-permissions-linux/
I know it is an old post, but I had the same issue and this was my solution :
After a
sudo service plexmediaserver status
I found the file used to launch the plex service /lib/systemd/system/plexmediaserver.service. This file contains the user and group which are used by plex.
So we can change the line Group=plex by your group.
PS: do not forget to restart the plex service with
sudo service plexmediaserver restart
I've just installed Concrete 5 CMS by following the instructions on the website.
The folders application/files/, application/config/, packages/ and
updates/ will need to be writable by the web server process. This can
mean that the folders will need to be "world writable", depending on
your hosting environment. If your server supports running as
suexec/phpsuexec, the files should be owned by your user account, and
set as 755 on all of them. That means that your web server process can
do anything it likes to them, but nothing else can (although everyone
can view them, which is expected.) If this isn't possible, another
good option is to set the apache user (either "apache" or "nobody") as
having full rights to these file. If neither are possible, chmod 777
to files/ and all items within (e.g. chmod -R 777 file/*)
The packages folder has permission 777 and root/tmp folder has permission 755.
I've uploaded a new theme to /packages over FTP. When I try to install the new theme I see the following error:
An unexpected error occurred. fopen(/root/tmp/1419851019.zip) [function.fopen]: failed to open stream:
Permission denied
I have FTP access to the server and access to CPanel. How do I get this working without granting too many permissions which pose a security risk?
My install has the folders application/files, application/config, packages, and updates all set to 755 and it's working just fine.
You get that error because the system is trying to write to /root/tmp, which apparently is the environment configuration for a temp folder when your PHP request is handled.
Try adding the folder application/files/tmp in your file system (within your concrete5 installation). And then make sure that the user can write to that folder that is running PHP in your environment. As explained in the concrete5's own documentation (that you linked originally), it depends on your server which user this is.
Usually in shared hosting environments it's the same as the account you use to login there through SSH or FTP. In these cases, the 755 permissions should be enough if your own user owns the tmp folder you just created.
the default install of apache in CentOS or RHEL, looking at file system permissions for html directory in /var/www/
drwxr-xr-x. 2 root root 4096 Aug 13 2013 html
My website works, and I have no issues with it, however I would like to know why and when do we need to set the directory to apache:apache?
Thank you
Since Apache is not running as root (presumably, hopefully), it only has read permissions on the directory as part of the last o=rx. This is a good default, since it means that it cannot alter the directory, only passively read and serve files from it. Everything running under an Apache process (e.g. mod_php) thereby has the same restrictions. That prevents a lot of common rookie exploits, like allowing uploads of .php files into a public web folder; because Apache/PHP cannot write into the web folder.
You should assign directories that Apache/PHP/CGI should explicitly be able to write into to apache/www-data (depending on your OS/configuration). It's not typically a good idea to do this with any directory under /var/www, you should leave that read-only as much as possible. However, adding an application-specific folder to something like /usr/local/var/<my website> with write permissions for Apache and selectively sym-linking or mod_rewriting to it is fine.
When your website need permission to modify direction/file on web app folder, you have 2 choices: 1) chmod folder to 777/666 or 2) change owner of these folders/files to apache
Sometimes, change owner is prefer to chmod because of security reason.
As we all know that with shared web hosting other users (websites) files could be revealed to others if 'others' have the (read) permission .
I think 0700 or 0711 permission is the best way( in shared hosting) to protect important files the contain secret information .
I suppose that the server is using suPHP or any similar module so that keep the UID of the process is the same as the owner of the files being accessed.
So what do you say ?
You are correct. 700 would ensure nobody can read/write/execute that file, except the owner. So that would be good enough! In case it is to be executed, 711, else, 700.
However, if some operation involving that file fails, you should consider 711.
EDIT:
As you have mentioned, if it contains a connection string, you can safely assume that nobody needs to be given write privileges, and give everyone execute privileges.
So, 511(which is r_x __x __x) should do it.
You'll need execution rights only for directories, if your files are PHP source files you certainly do not need execution rights.
0640 and 2750 are usualy good rights for respectively Files and Directories (the 2 in the directory rights make the new files inherit user & group of the directory).
That is for files:
-rw-r-----
And directories
drwxr-s---
Which is right if the webserver is using the group rights and the FTP-or-such user being the owner. With Suexec and such you could maybe adjust these settings depending of who is the owner and who is the web reader (user? group?), the web reader does not need write access, except maybe on some specific directories depending on the application.
And do not forget files & directories rights are only one point in separation of user in a shared envirronment. For PHP envirronments using per-user open_basedir settings, temporary files and upload directories and per-user session directories is always a good idea (that can be defined in per-user virtualhosts).
im working with cms made simple.my problem is my template folder permission.in this cms when a template uploaded,a folder (by the same name of that temlate,for example : 'TEMP1') creates and it's permission is set to 0755.when i want to change permission of the template folder i will get this error :
FileOp Failure on: /home/visamast/public_html/uploads/arty1: Operation not permitted
and also when i want to upload files via ftp or cpanel to this folder nothing will happen,i mean the upload process will be done,but no files has been uploaded!!!!!!!!
how can i fix this problem?!
It sound like you are having an ownership problem rather than a permission problem. If your server is set up to run PHP as a module, files and directories created by PHP will be owned by the generic Apache user. Generally that means that you will not be able to change permissions on the file/directory. Most likely you will need to have your hosting company do a recursive chown on the entire directory tree your site is in to make you the owner of all of the files and directories.