I have a folder in which new subfolders and files will be created automatically, by a script.
I want to maintain the user and group permissions recursively for all new folders and files placed in the parent directory. I know this involves setting a sticky bit, but I can't seem to find a command that shows exactly what I need.
This is what I have done so far:
sudo mkdir -p /path/to/parent
sudo chmod -R 660 myself:somegroup /path/to/parent
Thereafter, I want the 660 permissions to be set recursively to any folders and files placed in /path/to/parent
However, whenever Apache saves a folder/file it assigns it permissions of 700 with user and group set to the apache user. This is NOT what I want. I want all files/subfolders under the parent to have 660 permissions for myself:somegroup.
Actually the octal flag 660 is probably not even correct. The permissions I want are:
Directories placed under /path/to/parent are eXecutable by users with permissions
files are read/writeable by user myself and members of somegroup
Files and folders in /path/to/parent is NOT world readable
Can someone help please?
I am running on Ubuntu 10.0.4 LTS
sudo mkdir -p /path/to/parent
sudo chmod -R 660 myself:somegroup /path/to/parent
erm - not ideal.
If you want new files/dirs created to have the same group ownership you need to set the group sticky bit on directories
find /path/to/parent -type d -exec chmod g+s {};
And you need to make directories executable:
find /path/to/parent -type d -exec chmod ug+x {};
...
However, whenever Apache saves a folder/file it assigns it permissions of 700 with user and group set to the apache user
Then you also need to set the umask (0770) for the executing code (or directly change the permissions) and ensure the apache uid is a member of somegroup. IIRC to set the group sticky bit, umask should be 2770 - but do check the manual.
You can set apache to write new files with specific umask.
Todo so in RedHat/CentOS edit the file /etc/sysconfig/httpd, and change to:
umask 007
In debian/Ubuntu use the file /etc/apache2/envars with the same settings
Related
I'm using Ubuntu on Windows.
I want to take ownership all of the files and folders in the current user profile.
To do that, I call
sudo chown -R USERNAME /
It works, but it also tries to chown all files in folders under "/mnt/".
This means it tries to work on all my Windows folders as well.
I don't want that.
How could I process only the files and folder in the user profile?
Thank you!
Trying to set localhost on my mac and made following changes in /etc/apache2/httpd.conf
DocumentRoot "/Users/xxx/Documents/workspace/firstRepo/htdocs"
<Directory "/Users/xxx/Documents/workspace/firstRepo/htdocs">
I know it's something to do with the dir permission, so I followed suggestions online and ran the following commands:
find /Users/xxx/Documents/workspace -type d -exec chmod 755 {} \;
find /Users/xxx/Documents/workspace -type f -exec chmod 644 {} \;
No luck here. Can someone help me with this? Thanks.
Unix permissions are not just "permissions in destination", you need "search" permissions for the whole path until the last directory as the message from Apache says
Search permissions means, in a simple explanation, "x" is at least missing in directories so the unpriviledged user apache is using can go the whole path until reaching "/Users/xxx/Documents/workspace/firstRepo/htdocs".
You can try this command to make sure you have them:
namei -mol /Users/xxx/Documents/workspace/firstRepo/htdocs
Only other case of not being able to access where permissions are correct is if SELinux is controlling access to those directories.
The Apache wiki has a document about this since many people get confused about how permissions work under Unix. Permissions
this error can be resolved more specific way eg. :
semanage fcontext -a -t httpd_sys_content_t "/var/www/htmlxx(/.*)?"
restorecon -F -R -v /var/www/htmlxx
you may take a look at oracle base article once
I recently set up Lamp stack on ubuntu 14.04 for my web server. I'm working through Digital Ocean. These are the steps I went through...
On local machine I logged in to my web server with
sftp user#web_server_ip
Then
sftp> cd /var/www/html
How would I go upon getting onto my local machine to get the file for the site? And how would I transfer them?
I know that I have to use the [get] and [put] commands
I'm just confused what's considered local/remote? if I'm logged into the remote server on my local machine. Overthinking it?
This is the tutorial I'm trying to follow: How To Use SFTP to Securely Transfer Files with a Remote Server
Edit:
So I tried moving a whole directory from my local machine and this is what I ended up doing
scp -r /path/directory_name name#ip_address:/var/www/html
scp: /var/www/html/portfolio.take7: Permission denied
Should I be changing permission by using sudo prior to scp -r?
Edit2:
I have also tried
Where_directory_is$ scp -r /path/directory_name name#ip_address:/var/www/html
/var/www/html: No such file or directory
It might be easier to start with SCP which allows you to copy files with one command. So for example, if you had a local file /path/filename.css and wanted to transfer it to your server, you could use the following command on your local machine:
scp /path/filename.css username#remote_hostname_or_IP:~
This command copies the local file and transfers it to the home directory of the username on the remote server using SSH. You can then SSH in (ssh username#remote_hostname_or_IP) and then do what you need with the file sitting in your home directory, such as move it to the proper Apache directory.
Once you start to get more comfortable, you can switch to sftp if you like.
Update
Here is how to set up your Apache permissions. Let's say you have an account you on the linux computer running Apache, and we'll say the IP is 192.168.1.100.
On your local machine, create this shell script, secure.sh, and remember shell scripts need to have execute privileges (chmod +x secure.sh). Fill it with the following contents:
#!/usr/bin/env bash
# Lockdown the public web files
find /var/www -exec chown you:www-data {} \;
find /var/www -type d -exec chmod -v 750 {} \;
find /var/www -type f -exec chmod -v 640 {} \;
This shell script is setting the permissions for anything in the /var/www/ directory to be 750 for the directories and 640 for the files. This gives you complete read/write permissions for the files and www-data (which is the account for Apache) read permissions. Run this anytime you have uploaded files to ensure the permissions are always set correctly.
Next, SSH into your remote computer and go to the /var/www/html directory. Ensure that the ownership is not set to root. If it is, scp the secure.sh file into your remote computer, become root and run it. This only needs to be done once, so you can remotely set the permissions.
Now you can copy directly to /var/www/ through the scp -r command on your local computer from the top of the directory you wish to copy to /var/www/html:
scp -r ./ you#192.168.1.100:/var/www/html/
Then run this command to remotely run the secure.sh shell script and send the output to out.txt:
ssh you#192.168.1.100 -p 23815 ./secure.sh > out.txt
Then cat out.txt to see that the file permissions changed accordingly.
If this is a public facing computer, then you must add an SSH key to your scp connection. You can use this tutorial to find out more about generating your own keys, it is quite easy. To use the key, you only need to add -i private_key_file to your scp and ssh commands. Lastly, it would actually be safer to keep the /var/www files as root, SSH into the computer, su to become root, then run secure.sh as root (with the owner changed to root in the shell script). It all depends on the level of security you need to worry about. If it is a development computer (which is what I am assuming) no worries then.
For folders use
scp -r root#yourIp:/home/path/ /pathOfDirectory/
For files
scp -r root#yourIp:/home/path/ /pathOfDirectory/file fileNameCopied
I have a problem whith my installation of docker. When I launch my docker-compose up I have this error :
front_1 | /var/lock/apache2 already exists but is not a directory owned by www-data.
front_1 | Please fix manually. Aborting.
I have this error because I add this line in my dockerfile conf :
RUN usermod -u 1000 www-data
But if I delete this line, my symfony project doesn't work with docker.
Do you have any ideas to solve my problem ?
Best regards
As I see it, you are trying to change UID of user www-data inside docker to have the same ID as host machine user UID (you), so you can open project files in your IDE.
This introduces file permissions problems on apache2 service, which can't read it's own files (config, pid,...), simply because it is not the same user anymore.
Quick 'dirty' solution is to change only owner of symfony project files to UID 1000, but keep group (GID) to the www-data. This applies only for dev machine. Else you don't needed it. Run command inside container.
chown -R 1000:www-data /home/project
You can create some bash alias inside docker to have it at hand.
Other option is to use ACL which will set existing files and folder with permissions, which will get inherited to newly created files under given folder. This could be put to bootstrap script inside container. But only for DEV mode. This way you won't need to run chown.
chown -R 1000:www-data /home/project #set for existing files
/usr/bin/setfacl -R -m u:www-data:rwx -m u:0:rwx -m u:1000:rwx /home/project
/usr/bin/setfacl -dR -m u:www-data:rwx -m u:0:rwx -m u:1000:rwx /home/project
Each -m is for a different user. First is www-data (apache2), second is 0 (root) and third is 1000 (you).
Remember UID can change anytime. So this could create security hole if mentioned users are not having proper UID.
I used second method only for folders, where PHP via apache2 sets permissions (uploaded files, cache,...), but host user needs to access these files.
This is related to "https://stackoverflow.com/questions/36477636/how-do-i-implement-a-shared-hosting-like-service-with-docker".
I am trying to setup a bunch of apache-php containers that should be able to rw to the docroot, and one single sftp container that should also be able to rw to the same directory. So, the plan is to create a shared volume, and mount it inside both containers (obviously in different places when it comes to the sftp container). I modified the official php:7-apache launch script like so:
#!/bin/bash
set -e
### > My stuff
chmod g+s /var/www/html
chown -R :2048 /var/www/html
umask
umask 0002
umask
### < My stuff
# Apache gets grumpy about PID files pre-existing
rm -f /var/run/apache2/apache2.pid
exec apache2 -DFOREGROUND
and in fact the two umask lines confirm that the sandwiched umask 0002 runs correctly. However, when I bash into the container and test this myself, umask returns 022, and if I create any file, they in fact get permissions 644. I can then manually umask 0002 and any new file gets created with permissions 664 (and 775 for directories).
For this use case, it is critical that both containers (sftp and apache) can read and write in the shared volume. So, how do I go about this?