Could someone please explain owner/group/public permissions on files and directories in a web environment.
My current understanding is that "Owner" is the person who created the file.
Group, presumably are permissions granted to any user in Group 'Foo', and Public is, well, everyone.
What I don't quite get is how this translates to a web environment.
Are "Public" users people who visit the site as guests? What about groups? And what are the risks of having a file CHMOD'd to 0777 - what could a public user do with a file if they were given execute permission - surely this is the same as just accessing a script directly (foo.com/bar.php)
hopefully this is clear enough
thanks for any insight.
Your web server is running under a specific user. When someone accesses a file on a server it typically goes through the user associated with the web server. Try writing a script that actually create a new file, see who the owner is.
Related
What has me confused is why a directory or part of my Drupal site to suddenly return the message of "Forbidden" - that I, as first use, cannot access various parts of the site in the admin area. I changed the permission on the default/sites/files directory to 777. That probably is giving to too much access to everyone. However, it was only after doing that, that I got a message of Forbidden - that I don't have access to various parts of the admin area. I am the first user.
I changed the permissions on this directory because when I tried to update some modules, I got an error that file could not be created.
I have cpanel/whm on a dedicated vps server. So, one issue is how to find out what the user and group ownership should be on a server that hosts various domains through cpanel. It appears that for other accounts have user:owner permissions that match the account name. I am not sure if the default group:owner should remain as www-data:www-data for example, on Ubuntu or if cpanel/whm says, "make the apache group and user equal to the account name."
Thanks in advance for any help,
Bruce
First of all, I'm going to assume you're talking about Drupal 7, but really, there's little difference in this case.
Try reading about permissions here
Its very simple that the folder should have user:user ownership and correct permissions with folders having 755 permissions respectively. The server might be running on suphp hence you cannot have wrong user with wrong permissions.
This message appears every time I try to save the data to the DB.
Failed to update database because the database is read only
Note: This error comes only when the application is installed to C drive.
Front End: VB.NET
Back End:SQL Server
Is there any way to overcome this issue?
Or any way to restrict the user from installing the application on C drive?
I would check the file system privileges. I suppose you talk about an SQL server file database. You receive the message because the account trying to access your file database does not have the file system permissions to do so.
In order to confirm my suggestion, you allow everyone to access the specific directory with full permissions.
Then, you have to check what is the account trying to do the actual access. Probably it's a system account (user ASPNET or NETWORK SERVICE). You have to give the respective permissions to the specific account.
Then, restart IIS.
If you want to do this for a distributed stand-alone application. Then these permissions would have to change on each machine where the program would be installed. In order to avoid putting users in such a fuss, the setup program should do it. I am not an expert on setup programs, but even the simplest ones would give you the option to do it, after asking the system adminstrator's approval. I suppose you could build a custom action during the setup program which would change the specific folder's permissions, perhaps by using xcacls.exe.
Hope I helped!
I am new to Joomla and have been given the task of supporting a site that was created in Joomla 1.5.25. They keep getting errors that files are not writable. They also can't add or delete anything to and from the media manager even in a Super Administrator account. I was able to override these errors with changing folder permissions from 755 (Joomla's recommended permission set) to 777, but was wondering if there is a better way of going about this (I don't want to leave a security hole on their site with the 777 permission set). From what I have read through my research is Joomla permissions requirements can vary based on your hosting company, so I want to get other peoples input before I give my hosting company a call.
On a side note, is there a way of getting the error messages to display longer then 2 seconds?
Why don't you try changing the permissions only to the folders that are written to temporarily? Another solution is to find out under which user apache is running and make sure that user is the owner or at least in a group that owns your Joomla! directory.
I have an app that uploads documents to the server through the standard
When sent my application to the production server, I found out that they had the server load balanced. My solution to this was to place the upload directory into a network share and then create a virtual directory pointing to the share.
I have set permissions on the share and the file itself, but I keep getting "access denied" whenever I try to upload a document.
Where could I be missing permissions? Is it possible that IUSR needs to have access to the share?
Thanks.
FYI,
The answer to this solution for me was to setup temporary impersonation with a user account that had access to the share, the folder and the virtual directory.
Here's a link to the code that worked for me:
http://support.microsoft.com/kb/306158#4
I hope your site use anonymous access. Otherwise you will have a painful experience.
If it is so ( anonymous acess), then: The IUSR is a local user on the production servers and not a domain user. So it don't have access the the share. You will have to change that to a domain user ( in the site configuration and not on the application pool). And make sure that the application pool run on a network service ( this is the default ) and it should work.
Chances are that whatever your ASP.Net process is running as does not have access to the share.
So chances are you need to set up an IIS6 application pool to run as a domain user and have that domain user have access rights to the file share.
Don't forget to aspnet_regiis -ga {domainuser} so that the domain user can actually run asp.net applications.
When an ASP.NET application is running under IIS6.0 in Windows 2003 Server with impersonation, what user account is relevant for deciding file read/write/execute access privileges? I have two scenarios where I am trying to understand what access to grant/revoke. I thought the most relevant user is probably the identity specified in the Application Pool, but that doesn't seem to be the whole story.
The first issue concerns executing a local batch file via System.Diagnostics.Process.Start()--I can't do so when the AppPool is set to IWAM_WIN2K3WEB user, but it works fine if it is set to the Network Service identity. I of course made sure that the IWAM user has execute rights on the file.
The second involves writing to a file on the local hard drive--I'd like to be able to prevent doing so via the access control list via folder properties, but even when I set up all users in the folder as "read" (no users/groups with "write" at all), our ASP.NET still writes out the file no problem. How can it if it doesn't have write access?
Google search turns up bits and pieces but never the whole story.
what user account is relevant for [..] file read/write/execute access
As a rule: Always the user account the application/page runs under.
The IWAM account is pretty limited. I don't think it has permissions to start an external process. File access rights are irrelevant at this point.
If a user account (Network Service in your case) owns a file (i.e. has created it), it can do anything to this file, even if not explicitly allowed. Check who owns your file.
Process Monitor from Microsoft is a great tool to track down subtleties like this one.
A bit more searching reveals that the IWAM user isn't that well documented and we should stick with NETWORK SERVICE or a manually-supplied identity if we want to specify permissions for that user.