What user should I run my nginx or php-fpm processes as? - permissions

Ok. I'm a little bit confused about those permissions in Linux, so please help me out. The trouble is that I don't want to run the server as root, so I created another user with sudo privileges who runs the nginx and php-fpm servers (for example "sudo_user"). But the trouble is, for example, I have "some_user" and he has a directory for his website "some_user/www.some_user.com" with all the configuration files, including database passwords and so on. I set ownership of all files to some_user:some_user (user:group) and changed permissions on all files to 751 (u=rwx,g=rx,o=x so other accounts can't just go into this dir and read every config file) and set public files to permission 755. But my php-fpm runs as "sudo_user" with group "sudo_user", and he doesn't have permission to write or read config files in the "some_user" directory. What strategy should I take?

It's probably better to create an nginx user and nginx group, and have nginx/php run under that user. Then you can add the user nginx to your some_user/sudo_user's groups with your 751 permissions and you should be set.

Related

Put right permission - owner/group to public_html folder

I'm new to WHM, cPanel, and CentOS.
I installed WHM, then created an account for the domain app.example.com and the user peter.
I pointed the domain name to the right IP address, but when I run my website app.example.com I get HTTP ERROR 500.
Via SSH I log into the server and I find my previously uploaded code in
/home/peter/public_html
Then I run the command sudo chown -R peter:peter /home/peter/public_html
and when I look at the folders' permissions and owner they look like:
I think my HTTP ERROR 500 is about user permissions.
Can someone please help me add the right privileges to a user, or tell me what I need to do to make my public_html folder visible to the world (in the browser)?
What do I need to do?
The best way to find out whether it's a permissions problem or a bug in the programming of the web application, and to see what really happens, is to look at the log file of the web server (apache, nginx, whichever you use). The log will give you more clues. Could you copy the log output from when the error occurs?
It seems some required extensions were not activated or had been removed from your VPS. You should check and install/activate them. Then you can test your website again.
P.S.: Sorry for my bad English.

Permissions error installing new theme in Concrete5

I've just installed Concrete 5 CMS by following the instructions on the website.
The folders application/files/, application/config/, packages/ and updates/ will need to be writable by the web server process. This can mean that the folders will need to be "world writable", depending on your hosting environment. If your server supports running as suexec/phpsuexec, the files should be owned by your user account, and set as 755 on all of them. That means that your web server process can do anything it likes to them, but nothing else can (although everyone can view them, which is expected.) If this isn't possible, another good option is to set the apache user (either "apache" or "nobody") as having full rights to these file. If neither are possible, chmod 777 to files/ and all items within (e.g. chmod -R 777 file/*)
The packages folder has permission 777 and the root/tmp folder has permission 755.
I've uploaded a new theme to /packages over FTP. When I try to install the new theme I see the following error:
An unexpected error occurred. fopen(/root/tmp/1419851019.zip) [function.fopen]: failed to open stream:
Permission denied
I have FTP access to the server and access to CPanel. How do I get this working without granting too many permissions which pose a security risk?
My install has the folders application/files, application/config, packages, and updates all set to 755 and it's working just fine.
You get that error because the system is trying to write to /root/tmp, which apparently is the environment configuration for a temp folder when your PHP request is handled.
Try adding the folder application/files/tmp in your file system (within your concrete5 installation). And then make sure that the user can write to that folder that is running PHP in your environment. As explained in the concrete5's own documentation (that you linked originally), it depends on your server which user this is.
Usually in shared hosting environments it's the same as the account you use to login there through SSH or FTP. In these cases, the 755 permissions should be enough if your own user owns the tmp folder you just created.

apache and File system permissions

In the default install of apache on CentOS or RHEL, looking at the file system permissions of the html directory in /var/www/:
drwxr-xr-x. 2 root root 4096 Aug 13 2013 html
My website works and I have no issues with it; however, I would like to know why and when we need to set the directory to apache:apache.
Thank you
Since Apache is not running as root (presumably, hopefully), it only has read permissions on the directory as part of the last o=rx. This is a good default, since it means that it cannot alter the directory, only passively read and serve files from it. Everything running under an Apache process (e.g. mod_php) thereby has the same restrictions. That prevents a lot of common rookie exploits, like allowing uploads of .php files into a public web folder; because Apache/PHP cannot write into the web folder.
You should assign directories that Apache/PHP/CGI should explicitly be able to write into to apache/www-data (depending on your OS/configuration). It's not typically a good idea to do this with any directory under /var/www, you should leave that read-only as much as possible. However, adding an application-specific folder to something like /usr/local/var/<my website> with write permissions for Apache and selectively sym-linking or mod_rewriting to it is fine.
When your website needs permission to modify directories/files in the web app folder, you have 2 choices: 1) chmod the folder to 777/666 or 2) change the owner of these folders/files to apache.
Sometimes, changing the owner is preferred over chmod for security reasons.

Parallels plesk permissions accessing through FTP

Our server is running CentOS 6 and is managed with Parallels Plesk 10.4.4. The structure of folders and files is created using a PHP script. Then, when accessing them through FTP, we are unable to modify the contents of these previously created folders. Accessing them as the Apache web user works without exception, but not over FTP. Folders and files have 755 and 644 rights respectively. How do I enable FTP access? Thank you
EDIT: the problem is that the file owner and the FTP user are not the same, but I do not know exactly how and where to attach it.
The file and folder owner is psacln (gid 502) and the group is apache (gid 503). The FTP users are not the same.
We added the FTP login user (also a system one) to the group owning the files and folders, "psacln", using usermod -a -G psacln ftpusername. Same procedure with the apache group, but the problem persists.
The problem here is probably that you run your site in mod_php mode. In this mode scripts run under Apache privileges, so all files and directories created are owned by Apache. This way the files cannot be accessed by your FTP user unless you set 777 or 666 permissions.
I think your options could be:
1) switch to the FastCGI mode of PHP. Depending on your Plesk account privileges, you can either do it yourself in the Plesk UI or will have to ask your hosting provider for that.
This way your script will run under user privileges (the same as the FTP user) and there will be no problems accessing these files through FTP. This option is also often considered more secure.
2) make your PHP script set 777 permissions on your folders and 666 permissions on your files. It means you allow everyone (the so-called "others") to modify them, so the FTP user can modify these files as well. While this may sound insecure, in practice these files can already be accessed from any other site on that system (if it is a shared hosting server). So I don't think it will be any more insecure than the current status.
Regards

Phing runs under user with limited permission

I have not used phing before, but would like to use it to automate my deployment process. Currently I log in under myuser, Apache runs under www-data. All my application code is owned by myuser, but other (cache) files are generated by www-data.
I currently solve this by using sudo to remove these files. I would like to keep the application code owned by myuser, because it's easier to access the files via ssh. I wouldn't like phing to run with super powers, because at this moment I don't trust this automated tool yet.
What is the best practice to use phing with limited file permissions?
I had the same issue. Apache is running as www-data.www-data, and files created by the webserver are 644 and directories 755.
I solved it by:
1) adding the user running phing to the www-data group
2) adding umask 002 to the /etc/apache2/envvars file, see link
Phing is now able to remove the directories and files created by Apache.
As I understand it, the problem is that phing can't do anything with the cache files since they were created by your Apache user (www-data) and you are running phing as myuser. It sounds to me like you just need to change the permissions on the cache files so that myuser has full permissions. How to do this will depend on how your application is written, but it would be something along the lines of chmod/chown'ing the files after creation or creating them with a umask that grants myuser permissions.
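Added here as a worked example, not code from any of the posts above: a small Python model of the POSIX permission check that walks through both the first question (php-fpm running as sudo_user against some_user's 751 directory, and the nginx-user-in-the-group fix) and the phing answer (www-data creating 644 cache files versus umask 002). All user, group and mode values are constructed for illustration; the rule encoded is the standard one-class check.

```python
# Added example, not from any post on this page: a small model of the POSIX
# permission check, used to walk through the scenarios the posts describe.
# All users, groups and modes below are constructed for illustration.
from dataclasses import dataclass

R, W, X = 4, 2, 1  # permission bits within one class

@dataclass(frozen=True)
class Proc:
    user: str
    groups: frozenset  # primary plus supplementary groups

@dataclass(frozen=True)
class File:
    owner: str
    group: str
    mode: int  # e.g. 0o751

def can(proc: Proc, f: File, want: int) -> bool:
    """True if proc may do `want` (bitmask of R|W|X) on f. The kernel picks
    exactly one class (owner, else group, else other) and never falls
    through: an owner with u=--- is denied even when g=rwx. Treating root
    as bypassing the check entirely is a simplification."""
    if proc.user == "root":
        return True
    if proc.user == f.owner:
        bits = (f.mode >> 6) & 7
    elif f.group in proc.groups:
        bits = (f.mode >> 3) & 7
    else:
        bits = f.mode & 7
    return bits & want == want

def new_mode(umask: int, directory: bool = False) -> int:
    """Mode a newly created file or directory gets under `umask`."""
    return (0o777 if directory else 0o666) & ~umask & 0o777

# Q1: php-fpm as sudo_user on a some_user:some_user 0751 config dir -> only o=x
phpfpm = Proc("sudo_user", frozenset({"sudo_user"}))
conf_dir = File("some_user", "some_user", 0o751)
assert not can(phpfpm, conf_dir, R)
# the answer's fix: a dedicated nginx user added to some_user's group -> g=rx
nginx = Proc("nginx", frozenset({"nginx", "some_user"}))
assert can(nginx, conf_dir, R | X) and not can(nginx, conf_dir, W)

# phing: www-data creates cache files under umask 022 (0644); myuser is in the
# www-data group but the group class only has r. Under umask 002 the file is
# 0664 and the group gets w. Deleting a file needs w+x on its directory.
myuser = Proc("myuser", frozenset({"myuser", "www-data"}))
assert not can(myuser, File("www-data", "www-data", new_mode(0o022)), W)
assert can(myuser, File("www-data", "www-data", new_mode(0o002)), W)
```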