I have created a simple PHP page in the var/www/tuto directory, but when I try to open this page (this is its URL: http://localhost/tuto/index.php) I get this message:
Forbidden
You don't have permission to access /tuto/index.php on this server.
Apache/2.2.22 (Ubuntu) Server at localhost Port 80
The tuto directory has aimad as group and owner.
The drwx------ means only you have read/write/execute permission on the directory.
d means the node is a directory
r(4) means read permission
w(2) means write permission
x(1) means execute permission
The order for permissions is user, group, world.
To fix that you'll need to correct the permissions so apache can read from it. This is done with this command.
chmod -R 755 /var/www/tuto
user: 7 = r + w + x
group: 5 = r + x
world: 5 = r + x
It will set the correct permission for the directory and everything inside.
An even better approach would be to change the directory's group to www-data which apache uses on Ubuntu and then set the permissions to allow the group.
chown -R aimad:www-data /var/www/tuto
chmod -R 750 /var/www/tuto
To get a better understanding of how permissions work look at the Wikipedia page.
http://en.wikipedia.org/wiki/Filesystem_permissions
Related
I have been asked to look at a wordpress site that is on google cloud - the Wordpress admin works fine - the front end of the site doesn't show the css
I believe it to be a file permission issue
Replicating the site and placing it on a different server with correct wordpress file permissions it works fine.
However on google cloud I have issues with trying to change the file permissions.
I have FTP access using FileZilla but can't change file permissions that way, and if I try to use the Apache SSH console to change file permissions that won't apply either.
So looking at the owner of the folder var/www/html and the group, it is showing as www-data, not root. So the first question is: what should be the correct owner and group?
To change folder & file permissions and ownership do the following.
SSH into the VM; Google Cloud provides a browser-based SSH terminal.
SSH will open a Linux terminal; if you are the root user there is no need to type 'sudo' for the following commands.
Type 'sudo vim /etc/apache2/envvars'
Read what the config file says; the defaults are:
export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data
Exit the config file back to the linux terminal command line.
Type the following commands to give Apache appropriate User and Group permissions in the public wordpress directory, change user and group name as appropriate
sudo chown -R www-data:www-data /var/www/html
sudo find /var/www/html -type d -exec chmod 750 {} \;
sudo find /var/www/html -type f -exec chmod 640 {} \;
You can now exit the SSH terminal. Note if you want to see the new permissions in FileZilla press F5 to refresh FileZilla.
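A dry-run check for the modes set by the find/chmod commands above, as an added example that is not part of the original answer: it lists anything under a web root that grants more than 750 on directories or 640 on files, and only tightens modes when asked to. The sample tree and its file names are constructed.

```python
import os, stat, tempfile

DIR_MAX, FILE_MAX = 0o750, 0o640   # targets from the find/chmod commands above

def audit_tree(root, apply=False):
    """List entries whose mode grants bits beyond 750 (dirs) / 640 (files).

    Returns sorted (relative path, current mode, excess bits) tuples. With
    apply=True the excess bits are cleared; bits are never added.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        entries = [(dirpath, DIR_MAX)]
        entries += [(os.path.join(dirpath, f), FILE_MAX) for f in files]
        for path, limit in entries:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):      # chmod would follow the link; skip it
                continue
            mode = stat.S_IMODE(st.st_mode)
            excess = mode & 0o777 & ~limit
            if excess:
                findings.append((os.path.relpath(path, root), oct(mode), oct(excess)))
                if apply:
                    os.chmod(path, mode & ~excess)
    return sorted(findings)

def build_sample():
    """Constructed sample web root: one 777 directory and one world-readable config."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o750)
    os.mkdir(os.path.join(root, "wp-content"))
    os.chmod(os.path.join(root, "wp-content"), 0o777)
    for name, mode in (("index.php", 0o640), ("wp-config.php", 0o644)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("<?php // placeholder\n")
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    for finding in audit_tree(build_sample()):
        print(finding)
```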
Problem
I am confused about rsync daemon and permissions. Unfortunately I cannot figure out why I get
rsync: opendir "/." (in share) failed: Permission denied (13) and
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1650) [generator=3.1.2].
Obviously, by searching the web and looking into the manpage of rsync / rsyncd.conf I was not able to solve this issue.
Setup
Here is my /etc/rsyncd.conf owned by root with 644 permissions:
log file = /var/log/rsyncd.log
[share]
comment = data
path = /path/to/data
uid = root
gid = root
read only = false
auth users = syncuser
secrets file = /etc/rsyncd.secrets
Note, /path/to/data is owned by root with 755 permissions (though random user or syncuser is also not working).
Besides, /etc/rsyncd.secrets has 600 permissions and is owned by root (I also tried 400 though same issue)
syncuser:passwd
To start the service (on CentOS7)
sudo systemctl start rsyncd
A first test as a random user on the host machine running the daemon, (also running with sudo or as syncuser has no effect)
rsync user@host::
returns share data showing that the configuration is fine?!
However
rsync user@host::share
leads to the errors mentioned above.
Tries
Playing with chmod (777) and chown (root:root, random user:user, syncuser:syncuser) of /path/to/data was not changing anything. Moreover I varied uid and gid to nobody but also without success.
Running above rsync command on an actual client, from which I want to ultimately copy data to the host is of course also failing.
So what am I missing here? Any hints are of course highly appreciated.
Could you check SELinux?
If it is enforced, the directory /path/to/data needs to be labeled correctly.
For example,
chcon -R -t public_content_t /path/to/data
I have samba services (v 4.3.9) set up on a development web server. For simplicity's sake, I have a folder "/samba/billfolder" that requires access from the web service AND my samba users. When a samba user creates a file or folder, the permissions are not properly set and the web service cannot access the file / folder. I need a folder in which I can create folders and files that will give full permissions to both groups.
My smb.conf looks like this:
[global]
workgroup = MYDOMAIN.LOCAL
server string = Samba Server %v
netbios name = TestServer
security = user
#============================ Share Definitions ==============================
[Billing]
path=/samba/billfolder
valid users = @alfdevelopers, @www-data
guest ok = no
writeable = yes
browsable = yes
create mask = 0664
force directory mode = 2775
Can someone please offer some suggestions on how to properly do this. The client machine is LinuxMint and the fstab entry looks like this:
//192.168.1.200/Billing /mnt/Billing cifs user=myuser,password=mypassword,rw,iocharset=utf8 0 0
Thanks for any help that can be provided.
Your samba configuration seems correct. File permissions and group permissions from the Linux filesystem are checked and applied after the initial samba configuration stage.
Create a common group having users from @alpha-developers & www-data, say for example @developerswebservices. You can easily add the necessary users to the group using the /etc/group file.
developerswebservices:x:xx: user1,user2,www-data
Put users from both the groups as shown above. Go to the working directory of the share, i.e. Billing.
Force the newly created file inside to belong to the group of the parent, i.e Billing,
$ sudo chgrp -R developerswebservices Billing
$ sudo chmod -R g+s Billing
You can change the permission create mask with the necessary mask bits using the umask command.
test@linuxserver:/$ umask 0007
This will give newly created files the permission rw-rw--- for the user test.
Umask allows you to set the default permission bits for file/directory creation for a user.
To customize the umask for all users specify the umask bits in the /etc/login.defs file.
Hope this helps ! Thanks.
When creating per-user php5-fpm pools on an Apache mod_fastcgi setup which of the following is the most secure way and efficient way of granting webserver permissions to the PHP pool?
Option 1:
Set the group to www-data:
listen.owner = username
listen.group = www-data
listen.mode = 0660
user = username
group = www-data
While this works files created by PHP would have the ownership set to username:www-data while files uploaded via SCP will have username:username.
Option 2:
Add www-data to the supplementary group username:
listen.owner = username
listen.group = username
listen.mode = 0660
user = username
group = username
-
usermod -aG username www-data
Which of these options are secure? You may also share a better method.
I checked the following guides:
http://www.howtoforge.com/php-fpm-nginx-security-in-shared-hosting-environments-debian-ubuntu
http://www.binarytides.com/php-fpm-separate-user-uid-linux/
But they were all written before bug #67060 was discovered and fixed.
I am using following setup on my LEMP (Nginx + PHP-FPM). For Apache this should also be applicable.
PHP-FPM runs several pools as nobody:user1, nobody:user2 ...
Nginx runs as nginx:nginx
User nginx is a member of each user1, user2.. groups:
# usermod -a -G user5 nginx
File permissions:
root:root drwx--x--x /home
user1:user1 drwx--x--- /home/user1 (1)
user1:user1 rwxr-x--- /home/user1/site.com/config.php (2)
user1:user1 drwxrwx--- /home/user1/site.com/uploads (3)
nobody:user1 rw-rw---- /home/user1/site.com/uploads/avatar.gif (4)
(1) User's home dir has no x permission for other, so php-fpm pool running as nobody:user2 will not have access to /home/user1 and vice versa.
(2) php script doesn't have w for group, so it cannot create files in htdocs.
(3) On the uploads dir we should manually enable write access for group user1, to enable the php script to put files there. Don't forget to disable the php handler for uploads; in nginx this is done by
server {
    ....
    location ^~ /uploads/ { }
}
but for Apache you should check.
(4) uploaded files should also have w for group if we want user1 to be able to edit these files later via ftp or ssh (logging in as user1:user1). Php code is also editable via ftp since user1 is its owner.
Nginx will have read access to all users and write access to all users' uploads since user nginx is a member of each user1, user2, ... groups.
You should not forget to add it to all later groups. You can also modify useradd script to do it automatically.
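The isolation argument in points (1) to (4) above, worked through as an added example (not code from the answer): it applies the owner, then group, then other rule to each row of the table for the two pools and for nginx. The site.com row and the assumption that each pool's only group is its pool group are assumptions; root, ACLs and SELinux are not modelled.

```python
# LAYOUT is re-typed from the answer's table; the site.com row is an assumption.
NEED = {"r": 4, "w": 2, "x": 1}

LAYOUT = [
    ("/home", "root:root", "drwx--x--x"),
    ("/home/user1", "user1:user1", "drwx--x---"),
    ("/home/user1/site.com", "user1:user1", "drwxr-x---"),  # assumed, not in the table
    ("/home/user1/site.com/config.php", "user1:user1", "rwxr-x---"),
    ("/home/user1/site.com/uploads", "user1:user1", "drwxrwx---"),
    ("/home/user1/site.com/uploads/avatar.gif", "nobody:user1", "rw-rw----"),
]

def parse_mode(sym):
    """Convert an ls-style string ('drwx--x---' or 'rw-rw----') to the 9 rwx bits."""
    bits = 0
    for i, ch in enumerate(sym[-9:]):
        if ch not in "-ST":          # S/T mean setuid/setgid/sticky without x
            bits |= 1 << (8 - i)
    return bits

def class_bits(mode, owner, group, user, groups):
    """Exactly one triplet applies: owner if the user matches, else group, else other."""
    if user == owner:
        return (mode >> 6) & 7
    if group in groups:
        return (mode >> 3) & 7
    return mode & 7

def first_denial(target, user, groups, want="r", layout=LAYOUT):
    """Return the first path that refuses `user`, or None when access is allowed.

    Every ancestor directory must grant x (search); the target must grant `want`.
    """
    table = {path: (og, sym) for path, og, sym in layout}
    parts = target.strip("/").split("/")
    for depth in range(1, len(parts) + 1):
        path = "/" + "/".join(parts[:depth])
        og, sym = table[path]
        owner, group = og.split(":")
        bits = class_bits(parse_mode(sym), owner, group, user, groups)
        required = sum(NEED[c] for c in want) if path == target else NEED["x"]
        if bits & required != required:
            return path
    return None

POOL1 = ("nobody", {"user1"})   # php-fpm pool for user1
POOL2 = ("nobody", {"user2"})   # php-fpm pool for user2
NGINX = ("nginx", {"nginx", "user1", "user2"})
```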
Setup:
Websites are setup as users in /home/
Website users restricted to home directories as /home/websiteuser/ is owned by root
Website users are part of the websites group
www-data is part of the websites group
Virtual host points to: /home/websiteuser/html/
/home/websiteuser/html/ is set to -R 755
Files inside /html/ are owned by websiteuser:websites
Website user is used to access website via sftp
Everything works great except apache requires us to recursively chmod 777 the /home/websiteuser/html/files/ directory or images won’t display and the CMS can’t write its MySQL backups.
The website user owns the files so the sftp access works but do I have to make www-data own the files - or is there a way where sftp login works and apache can still have access as well?
We've seen many questions around this but don’t understand the answers sorry - any help would be much appreciated.
Cheers
We've solved this by making a "websites" group and adding the apache user (www-data) to this group like this (must be done as root - switch to root with $ su root or use sudo in front of the commands like this: $ sudo useradd username):
Add a new group - this will be the name of the group used for all websites:
$ addgroup websites
List groups to check it was created
$ getent group websites
Add the apache user to the websites-group so apache has access to run the websites
$ usermod -aG websites www-data
Check www-data is part of the websites-group:
$ grep '^websites' /etc/group
Add a new website user (this will be the user used to run the website)
$ useradd username
Give the user a password
$ passwd username
Follow the prompts to add a password
Add website user to websites group
$ usermod -aG websites username
Create a new directory for the user to serve websites from:
$ mkdir /home/username
The owner of the website directory must be root or sftp will fail
Make root the owner and group of website user’s home directory:
$ chown root:websites /home/username
Give website user limited access to their home directory:
$ chmod 750 /home/username
Move into the website user’s directory:
$ cd /home/username
Make a web root directory (this is the public directory where the website's files will live):
$ mkdir html
Give website user owner:group on web root:
$ chown username:websites html
Change permissions on the html directory:
$ chmod 750 html
Copy all the website's files into the html directory
Recursively set ownership on all files within the web-root
$ chown -R username:websites html
Recursively set permissions on all files within the web-root (owner and group have read, write, execute permissions):
$ chmod -R 770 html
Recursively set permissions on all files within web-root:
$ find . ! -type d -exec chmod 644 {} +
If having issues, make sure directory permissions are set like this (the top-level website directory /home/username/ must be owned by root or sFTP access won't work):
/home/username | drwxr-x--- | root:websites
/home/username/html | drwxr-x--- | username:websites
/home/username/html/directories/ | drwxrwx--- | username:websites
/home/username/html/files.html | -rw-r--r-- | username:websites
We're designers so this is the way we worked it out, if anyone can see improvements, feel free to edit!