LinuxQuestions.org
Old 04-07-2012, 01:18 PM   #1
nomenclator
LQ Newbie
 
Registered: Oct 2004
Location: Eastern Long Island, New York, United States
Posts: 26

Rep: Reputation: 15
Group that owns a directory


How come when I make a directory on my shared web server at a web hosting company, and I look at the ownership of the files and directories (making an ssh connection and doing ls -l) I see that most of the directories are owned by my user name, and a group (with the same name) but the directories that I have made into subdomains, with cPanel - the group that owns these directories has been changed to "nobody." ??

The directories have the same permissions drwxr-xr-x.

My username there is soilman. So username soilman, group name soilman for ordinary directories, username soilman group name nobody, for directories that have become subdomains. Yet I can access the directories owned by nobody, just the same as I can access those owned by soilman — even though soilman doesn't belong to the nobody group.

Is this because soilman has permission, so the group that soilman belongs to doesn't need permission? If so, why does cpanel bother changing the group ownership on the directories that function as subdomains - to the nobody group?

I've been reading up on what the (pre-set) nobody group is, but I'm still confused.

Last edited by nomenclator; 04-07-2012 at 01:26 PM.
 
Old 04-07-2012, 05:45 PM   #2
bigrigdriver
LQ Addict
 
Registered: Jul 2002
Location: East Central Illinois, USA
Distribution: Debian stable
Posts: 5,908

Rep: Reputation: 356
Quote:
I can access the directories owned by nobody, just the same as I can access those owned by soilman — even though soilman doesn't belong to the nobody group.
Quote:
the group that owns these directories has been changed to "nobody." ??
Quote:
the directories that I have made into subdomains, with cPanel - the group that owns these directories has been changed to "nobody." ??
This is why soilman can access them all. Soilman is the OWNER. Regardless of whose names are in the soilman GROUP, soilman can access them at any time.
The names in the group identify users other than soilman who may also access the directories.
 
Old 04-07-2012, 06:33 PM   #3
Dark_Helmet
Senior Member
 
Registered: Jan 2003
Posts: 2,786

Rep: Reputation: 374
Quote:
Originally Posted by nomenclator
If so, why does cpanel bother changing the group ownership on the directories that function as subdomains - to the nobody group?
You haven't mentioned what files are contained in those subdirectories. I'll assume they are HTML/PHP-type files.

To answer your question, it's probably because the server has configured the webserver process to run as group "nobody." The webserver needs access to the files to serve them. So, rather than requiring you to make your files publicly readable, they force your web/domain directories to a single group ownership: nobody. That way, the webserver can serve the page, you can access the files as your user account, but all other users are denied access (unless you explicitly grant it to them).
 
Old 04-08-2012, 11:11 AM   #4
nomenclator
LQ Newbie
 
Registered: Oct 2004
Location: Eastern Long Island, New York, United States
Posts: 26

Original Poster
Rep: Reputation: 15
OK, thanks bigrigdriver. That clarified it for me.

Quote:
Originally Posted by Dark_Helmet
You haven't mentioned what files are contained in those subdirectories. I'll assume they are HTML/PHP-type files.

To answer your question, it's probably because the server has configured the webserver process to run as group "nobody." The webserver needs access to the files to serve them. So, rather than requiring you to make your files publicly readable, they force your web/domain directories to a single group ownership: nobody. That way, the webserver can serve the page, you can access the files as your user account, but all other users are denied access (unless you explicitly grant it to them).
Yes, there are html and maybe some php files in those directories. Also some pl files.

OK. There are 3 sets of permissions for a directory (or file), one for the user that "owns" it, one for the group that owns it, and one for anyone and everyone else. Permissions are drwx r-x r-x. The directory is already publicly readable, because the permissions for everyone else have been set to r-x (read yes, write no, execute yes). Is that not correct? And therefore the webserver can already serve them to anybody, for the purpose of reading them or executing them (but not writing to them - only user soilman, can write to them). Is that not correct? Group nobody is configured to be able to read and execute but not write. So what difference does it make what group nobody is able to do, if user soilman is the only user.

I'm still a little confused on what the nobody group encompasses. If there are no other users, except me, it should make no difference what group has ownership. As long as user soilman has ownership, he (me) can do whatever he wants. And I've set things up so that everyone else can read and execute what's in the directory. So why does cpanel bother changing the group ownership from the soilman group to the nobody group, when the directory becomes used as a subdomain? By the way, maybe I'm wrong but I'm guessing the soilman group is a group that user soilman is able to add users to, in addition to himself.

I'm not sure what you mean by "run as group..."

I suppose I should try to telnet into my account and see if there is some way to change the group that a file or a directory is owned by, and check whether the subdomain can still be accessed over the web, if I change the group from nobody to soilman. Not sure how to change group ownership. I'll have to look it up. It may take me a few days to figure it out.

By the way, my attempts to list only directories, with ls -l -d, aren't working. Only the current directory ( . ) gets listed. I should mention that public_html also belongs to the group nobody. Yet most of its subdirectories belong to group soilman.

Last edited by nomenclator; 04-08-2012 at 11:36 AM.
 
Old 04-08-2012, 11:29 AM   #5
nomenclator
LQ Newbie
 
Registered: Oct 2004
Location: Eastern Long Island, New York, United States
Posts: 26

Original Poster
Rep: Reputation: 15
OK, I used chown to change the group that has ownership of the teeth directory - change it from nobody to soilman (this is just a directory that I'm using as a learning tool so it doesn't matter if it disappears from the web for awhile). I can still access http://teeth.shakahara.com in my web browser (in addition to http://shakahara.com/teeth), so I don't understand why cPanel bothered to change the group owner from soilman to nobody when it configured shakahara.com/teeth as the teeth.shakahara.com subdomain.

Last edited by nomenclator; 04-08-2012 at 11:44 AM.
 
Old 04-08-2012, 11:56 AM   #6
Dark_Helmet
Senior Member
 
Registered: Jan 2003
Posts: 2,786

Rep: Reputation: 374
I'm going to do a lot of one- or two-line quotes from your reply because there are lots of things I want to bring up. It'll be easier for me to keep track that way. But, I'll be jumping around--they won't be in order of how they were written in your reply. Just a heads up to limit any "what the ___ is this guy doing??"

Quote:
by the way, my attempts to list only directories, with ls -l -d, aren't working. Only the current directory ( . ) gets listed.
Have you listed the directories in your command? For instance, a terminal session from my machine:
Code:
user@localhost$ ls -l
total 16
drwxr-xr-x 2 user user 4096 Apr  7 22:08 orig
-rw-r--r-- 1 user user  678 Apr  7 22:04 testfile.txt
-rw-r--r-- 1 user user  521 Apr  7 22:04 testfile.txt.orig
-rw-r--r-- 1 user user  505 Apr  7 22:04 testfile.txt.rej
user@localhost$ ls -ld
drwxr-xr-x 3 user user 4096 Apr  7 22:04 .
user@localhost$ ls -ld orig
drwxr-xr-x 2 user user 4096 Apr  7 22:08 orig
user@localhost$ ls -ld *
drwxr-xr-x 2 user user 4096 Apr  7 22:08 orig
-rw-r--r-- 1 user user  678 Apr  7 22:04 testfile.txt
-rw-r--r-- 1 user user  521 Apr  7 22:04 testfile.txt.orig
-rw-r--r-- 1 user user  505 Apr  7 22:04 testfile.txt.rej
Quote:
And I've set things up so that everyone else can read and execute what's in the directory
You have a misconception in there. The execute permission bit on a directory is not the same as allowing that class of user the ability to execute a file within the directory. The execute bit on a directory is a permission to "traverse" the directory. From Wikipedia: File Permissions:
Quote:
The execute permission, ... [w]hen set for a directory, this permission grants the ability to traverse its tree in order to access files or subdirectories, but not see the content of files inside the directory (unless read is set).
The execution of any specific file is controlled by that specific file's execution permissions.

Quote:
I'm not sure what you mean by "run as group..."
Whenever a process runs on a system, it must run with an owner and group. When you run ls, the ls process is assigned an owner (your user account: soilman) and a group (your currently active/primary group: likely soilman). These assignments determine what the program can access via the permission bits you're discussing.

Your user account did not start/initiate the web server process--system startup did. System startup processes are essentially run by "root." Running a service as root (owner) and root (group) is almost universally considered a bad idea. If the program misbehaves (either intentionally--malware--or unintentionally--a bug), it can do considerable damage to the system because, as root-root, it can do anything it wants.

To limit this, most distributions will assign a "run as" configuration for system services. The "run as" configurations determine which user account and group that the process belongs to.

Much more to come in a later reply...
 
Old 04-08-2012, 12:44 PM   #7
Dark_Helmet
Senior Member
 
Registered: Jan 2003
Posts: 2,786

Rep: Reputation: 374
Quote:
By the way, maybe I'm wrong but I'm guessing the soilman group is a group that user soilman is able to add users to, in addition to himself.
The soilman user cannot add users to any group--even to the "soilman" group. Group membership is controlled through root alone.

Quote:
If there are no other users, except me, it should make no difference what group has ownership.
In a broader context (for example, a machine being used by a web hosting company), there are multiple, independent users of the system. One machine could very well be responsible for providing web pages for two competing companies, two organizations that don't like each other, or people who want to snoop on others. The developers of your distribution and the web server (presumably Apache) develop for that particular, broader context. The reason being that, if it can handle multiple, independent users, it can handle a single home user. The drawback (from the user perspective) is that it adds "unnecessary" complexity for a single-user home system.

Keep in mind, once you have multiple, independent users, the user information must be kept separate/private from every other user unless that user wishes to make it public via the "others" permissions. But there also needs to be a way for a single process (the web server) to read the web pages, cgi scripts, images, etc. That's where the group comes in. If all the users have one or more directories owned by a single, specific group, then the web server process can gain access through the group permissions to the directories/files to serve the web page.

If a user wants to let any other user on the system access his/her data, they are free to do so via the "others" permissions. However, they can just as easily deny "others" access entirely while still providing access to the web server via the group. The "others" permissions may change to suit the whim of the user (on a minute-by-minute basis if need be), but the web server will have constant access via the group.

Quote:
OK, I used chown to change the group that has ownership of the teeth directory - change it from nobody to soilman (this is just a directory that i'm using as a learning tool so it doesn't matter if it disappears from the web for awhile). I can still access http://teeth.shakahara.com
Once you changed the directory group, the web server process then fell into the "others" class of user (for purposes of accessing the directories containing the subdomain files). As you said earlier, the permissions for "group" and "others" are identical. So the web server was able to access the files it needed via the "others" permission. If you were to restrict the "others" permissions, you should start seeing permission denied errors (or some such message).
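
The permission-class logic described in posts #6 and #7, as an added example that is not part of the original thread: a small Python model of how one class (owner, group or others) is selected and how the directory traverse bit gates file access. The numeric IDs, the `neighbour` account and the 0644 index file are constructed for illustration; root's bypass of permission checks is not modeled.

```python
from collections import namedtuple

# Constructed sample identities; the numeric IDs are assumptions, not from the thread.
Proc = namedtuple("Proc", "name uid gids")      # a running process
Node = namedtuple("Node", "owner group mode")   # a file or directory

SOILMAN, NOBODY, NEIGHBOUR = 1001, 99, 1002
soilman = Proc("soilman", SOILMAN, {SOILMAN})
httpd = Proc("httpd", NOBODY, {NOBODY})            # web server "run as" nobody
neighbour = Proc("neighbour", NEIGHBOUR, {NEIGHBOUR})  # another hosting customer

R, W, X = 4, 2, 1

def perm_class(proc, node):
    """Exactly one class applies: owner first, then group, else others."""
    if proc.uid == node.owner:
        return "owner"
    if node.group in proc.gids:
        return "group"
    return "others"

def allowed(proc, node, want):
    """True if the bits of the single matching class include `want`."""
    shift = {"owner": 6, "group": 3, "others": 0}[perm_class(proc, node)]
    return ((node.mode >> shift) & want) == want

def can_read(proc, dirs, file):
    """Reading a file needs x (traverse) on each directory and r on the file."""
    return all(allowed(proc, d, X) for d in dirs) and allowed(proc, file, R)

def scenario(dir_group, dir_mode):
    """Who can read index.html inside a subdomain directory owned by soilman?"""
    d = Node(SOILMAN, dir_group, dir_mode)
    f = Node(SOILMAN, SOILMAN, 0o644)
    return {p.name: can_read(p, [d], f) for p in (soilman, httpd, neighbour)}

if __name__ == "__main__":
    for group, mode in ((NOBODY, 0o755), (SOILMAN, 0o755),
                        (SOILMAN, 0o750), (NOBODY, 0o750)):
        print(f"group={group} mode={mode:o} ->", scenario(group, mode))
```

With mode 755 the group makes no visible difference, which matches the chown experiment in post #5; only at 750 does group `nobody` separate the web server from other accounts on the machine.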
 
Old 04-09-2012, 06:09 PM   #8
nomenclator
LQ Newbie
 
Registered: Oct 2004
Location: Eastern Long Island, New York, United States
Posts: 26

Original Poster
Rep: Reputation: 15
OK, I understood what Dark Helmet said about the execute permission means a different thing for a dir than it means for a file. Traverse the directory. I just read this thru, along w the wiki article, and I understood it. The rest of your comments — I'm not understanding them on the first reading. I'll have to look up some of your phrases. For example in your sentence "have you listed the directories in your command" I didn't understand what you mean by "in your command." It may take me awhile.

I'm not familiar with setting up server-client networks on unix-linux with LDAP or whatever one uses to configure the computers and users. I've set up linux operating systems and given myself root privileges, but haven't set up client-server networks having linux servers. I was somewhat familiar with client-server networks using windows servers and active directory, but I've forgotten a great deal from the MCSA courses I took in 2010. I didn't get a job in the field right away; I didn't find time to repeatedly go over the material every day; every day I forgot more and more. I have extensive notes, but reading them feels like I'm reading something I've never seen before.

In windows, I don't remember anything about an executable, or a process, running as both a user and as a group. I remember setting up groups, and users, and assigning users to groups. Can't remember a lot beyond that. A user could run an executable, or, instead, a user could do a "run-as" when executing a file, thus having the file run under another user. But I don't remember why anyone would want to do that. In any case I just remember users running processes. If I recall correctly, if file permissions were set up so that members of a group were permitted to run a particular executable file, then any user in that group could run that file. If I recall correctly, a listing of running processes, either in a gui windows or in a command window, showed what user was running it, but reported nothing about any group. So I guess Linux is different, but I'm confused. I don't remember what a list of running processes for a linux computer looks like, or how to call one up. I'll have to look up how to run the list, and run one, but I don't have time to look it up now. It may take me awhile before I can get to it. Yes I have a computer set up with a linux os but I'm using my windows computer now.

Last edited by nomenclator; 04-09-2012 at 06:48 PM.
 
  

