LinuxQuestions.org
Old 11-30-2011, 09:50 AM   #1
X-Rayden
LQ Newbie
 
Registered: May 2008
Posts: 17

Rep: Reputation: 0
ssh + apache permissions


Hi, I read about permissions and every time I try to implement it... it's not working!

We have a dev web server on Apache (CentOS 5.7, 32 bits).
We use 2 CMSs in particular that write files in some folders: WebsiteBaker and OpenCart.

They both work on our server, but we need to chmod the folder 0777 to make them work, and even then we sometimes get "session permissions failed".

I wanted to:
create an ssh user with granted permissions in our /var/www/* folder,
and Apache should have those permissions too.

But when I go in with the ssh user I've made, it changes ownership and Apache can't touch the files, or we can't modify the files because they are owned by apache.

Maybe I'm wrong, but how can I have an ssh user that has the same permissions as Apache on the same folder, to be able to give this as SFTP to my coworkers?

- I do not want FTP
- I do not want chmod 0777 since this server is open to the world.
- I want a simple webdev user that connects through ssh (sftp)
 
Old 11-30-2011, 11:39 AM   #2
klearview
Member
 
Registered: Aug 2006
Location: London
Distribution: Debian, Kubuntu
Posts: 572

Rep: Reputation: 75
This is a Debian-based example and you'll have to adjust your apache user name accordingly:

Create a group, let's call it 'web' in this example:

Quote:
sudo addgroup web
Add Apache to that group (on Debian Apache runs under www-data user, change for whatever it is on CentOS):

Quote:
sudo usermod -a -G web www-data
Add your ssh user to that group too:

Quote:
sudo usermod -a -G web your_ssh_user_name
Go to your web directory, wherever it is:

Quote:
cd /var/www
Change ownership of everything to user your_ssh_user_name and group web:

Quote:
sudo chown -R your_ssh_user_name:web .
Add write permissions to those directories/files that Apache needs to write to:

Quote:
chmod g+w tmp
Quote:
chmod -R g+w cache
Add 'sticky' bit to directories for the group so all the files created by ssh user or Apache belong to the group:

Quote:
find . -type d -exec chmod g+s {} \;
Optionally remove all permissions for 'others':

Quote:
chmod -R o-rwx .

You are done.
 
1 members found this post helpful.
Old 12-05-2011, 02:35 PM   #3
X-Rayden
LQ Newbie
 
Registered: May 2008
Posts: 17

Original Poster
Rep: Reputation: 0
Thanks a lot. Some little changes in the code for CentOS:
sudo is not necessary as root, and it's groupadd and useradd instead of addgroup and adduser.
 
Old 12-06-2011, 11:07 AM   #4
X-Rayden
LQ Newbie
 
Registered: May 2008
Posts: 17

Original Poster
Rep: Reputation: 0
I talked too fast....

When I logged in with my user webadmin (group web), I installed the CMS. The CMS runs perfectly, then creates a file. I was logged in as webadmin, checked the file, it was owned by apache:web, so same group as me, tried to update it... permission fails.
 
Old 12-06-2011, 05:57 PM   #5
klearview
Member
 
Registered: Aug 2006
Location: London
Distribution: Debian, Kubuntu
Posts: 572

Rep: Reputation: 75
How was that file created?
 
Old 12-07-2011, 11:31 AM   #6
X-Rayden
LQ Newbie
 
Registered: May 2008
Posts: 17

Original Poster
Rep: Reputation: 0
We use WebsiteBaker CMS. To install a module or template we give him a .zip, he unzips it to the specified directory, then he can use it, but webadmin can't.

But if webadmin makes a folder, Apache can use it.
 
Old 12-07-2011, 12:22 PM   #7
klearview
Member
 
Registered: Aug 2006
Location: London
Distribution: Debian, Kubuntu
Posts: 572

Rep: Reputation: 75
Quote:
Originally Posted by X-Rayden View Post
...we give him a .zip, he unzips it to the specified directory, then he can use it...
I've no idea who 'he' is so I'm going to assume that the following happens - you upload a .zip file through a web interface of your CMS which then gets installed by the CMS as a module. If my assumption is correct then here is what's happening:

When you upload anything through a web interface, any files written to the filesystem are written by the web server, hence these files belong to 'apache'.

If you followed instructions above any such files will also belong to a group 'web' because we have set a 'sticky' bit on all directories, forcing all newly created files to inherit the group ownership from the parent directory.

Therefore such files/directories will belong to apache:web. Because the default UMASK is 0022, files will have 644 permissions, meaning that users in group 'web' will be able to read them (4) but not write to them.

The same thing happens to files created directly by user 'webadmin', only now files/directories belong to webadmin:web. So for these files Apache (as a member of 'web') will be able to read them but won't be able to, say, create new files in those directories because of your UMASK.

I hope the above makes sense.

So if you want, as the 'webadmin' user, to be able to write to files created by Apache you need the following: (a) directories where Apache creates these files must belong to group 'web' and must have 'sticky' bit set (we did this above), (b) both 'webadmin' and 'apache' must be members of group 'web' (we did this too), (c) files that get created must be created writable by the group (6).

To accomplish (c) we must change UMASK with which Apache creates files and directories from 0022 to 0002 (or 0007 as I would do since I don't have any need to give any permissions to 'others').

To change Apache's UMASK on CentOS:

Code:
echo "umask 002" >> /etc/sysconfig/httpd
(or "umask 007")

Code:
service httpd restart
Don't forget that all those files that have already been created won't be changed, so you'll need to change group write permissions for them yourself with 'chmod g+w'.

Hope this helps.
 
1 members found this post helpful.
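The following is an added example, not code from the thread or from klearview: it exercises the group/setgid/umask rules from post #2 and post #7 in a scratch directory without root. It shows why a new file comes out 644 under umask 022 but 664 under umask 002, and includes a find-based audit and fix for files created before the umask change. The names find_unshared, fix_unshared and the 'modules' scenario are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: exercise the group/setgid/umask
# rules klearview describes, unprivileged, in a scratch directory.

# Octal permission bits of a path (GNU stat, with BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create a file inside a setgid directory under the given umask and
# print its permission bits: 644 for umask 022, 664 for 002, 660 for 007.
# This is why the thread changes Apache's umask rather than the folder.
file_mode_under_umask() {
    root=$(mktemp -d)
    mkdir "$root/cache" && chmod g+s "$root/cache"
    ( umask "$1"; : > "$root/cache/new.txt" )
    mode=$(mode_of "$root/cache/new.txt")
    rm -rf "$root"
    printf '%s\n' "$mode"
}

# Audit a tree for what the thread says you must fix by hand for files
# created before the umask change: directories without the setgid bit
# (octal 2000) and anything not group-writable (octal 020).
find_unshared() {
    find "$1" -type d ! -perm -2000 -o ! -perm -020
}

# Repair those paths in place, the same way post #2 does it with chmod.
fix_unshared() {
    find "$1" -type d ! -perm -2000 -exec chmod g+s {} \;
    find "$1" ! -perm -020 -exec chmod g+w {} \;
}

# Constructed scenario: a 'modules' directory and a file written with the
# default umask 022, i.e. what a CMS upload leaves behind. Prints the
# number of offending paths before and after the fix ("3 0").
demo_fix_counts() {
    root=$(mktemp -d)
    mkdir -p "$root/modules"
    ( umask 022; : > "$root/modules/x.php" )
    chmod 755 "$root" "$root/modules"
    before=$(find_unshared "$root" | wc -l | tr -d ' ')
    fix_unshared "$root"
    after=$(find_unshared "$root" | wc -l | tr -d ' ')
    rm -rf "$root"
    printf '%s %s\n' "$before" "$after"
}
```

Run find_unshared against the real web root before fix_unshared to see exactly which leftover files and directories would be touched.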
Old 12-08-2011, 04:38 PM   #8
X-Rayden
LQ Newbie
 
Registered: May 2008
Posts: 17

Original Poster
Rep: Reputation: 0
I understand the umask, but shouldn't I umask the folder I want instead of httpd? And do I have to do this AS webadmin or root?
 
Old 12-08-2011, 05:30 PM   #9
klearview
Member
 
Registered: Aug 2006
Location: London
Distribution: Debian, Kubuntu
Posts: 572

Rep: Reputation: 75
Quote:
Originally Posted by X-Rayden View Post
I understand the umask, but shouldn't I umask the folder I want instead of httpd? And do I have to do this AS webadmin or root?
You can't set umask per folder, it doesn't work that way. UMASK can only be set for users.

To change Apache's UMASK you need to be root.

I think it would help you a great deal to read up on Linux file permissions, users and groups - there are plenty of general articles on the subject on the Net that can give you a good overview.
 