Old 02-08-2006, 01:36 AM   #1
suruchiparimu
LQ Newbie
 
Registered: Feb 2006
Posts: 8

Rep: Reputation: 0
want to avoid 777 permission, but want to write on folder


We have a CMS application that adds files into folders. We would require write rights on that folder for the purpose, but want to avoid giving 777 rights, as the site that the application is content-managing is a public site.

Could somebody please help soon.

Regards,
Suruchi
 
Old 02-08-2006, 02:43 AM   #2
sohny
Member
 
Registered: Aug 2004
Location: bangalore
Distribution: Redhat,Ubuntu
Posts: 64

Rep: Reputation: 15
You could add the users into a group and give write permission for that group.

But still we need more info.

Write permission for whom?
For everyone?
For just user and group?

You can do any combination of users, group and others.
 
Old 02-08-2006, 03:40 AM   #3
sohny
Member
 
Registered: Aug 2004
Location: bangalore
Distribution: Redhat,Ubuntu
Posts: 64

Rep: Reputation: 15
OK, got your mail. I will post here as info for others too.

You want the application to be able to write? You can use the setuid function to set the user id of the program or application to match that of the owner of the file.

You can use
    man setuid
to check what its syntax is.

OR

You can set the permissions recursively on your folder as such:
    chmod -R 764 myfolder
I'm setting the following permissions:
user: all permissions
group: read-write permissions (somegroup)
others: read

If the application's gid is set to group "somegroup", then it can write and modify files in "myfolder" and all subfolders.
You can set the group id with the setgid function. This is easier to do than setuid.
Or you can set the group for the application like this:
    chgrp -f somegroup application
Hope this helped.
 
Old 02-08-2006, 04:10 AM   #4
suruchiparimu
LQ Newbie
 
Registered: Feb 2006
Posts: 8

Original Poster
Rep: Reputation: 0
Will this work if I access the application from a browser? Wouldn't the user then become 'nobody', as is generally the case?
 
Old 02-08-2006, 04:15 AM   #5
sohny
Member
 
Registered: Aug 2004
Location: bangalore
Distribution: Redhat,Ubuntu
Posts: 64

Rep: Reputation: 15
Maybe; I'm not sure about that, but in that case you 'have' to use the setuid or setgid function in the application.

That will set the user id and group id to the value you specify, even if the application is running as nobody.
 
Old 02-08-2006, 04:37 AM   #6
suruchiparimu
LQ Newbie
 
Registered: Feb 2006
Posts: 8

Original Poster
Rep: Reputation: 0
I checked... it doesn't allow the application to setuid or chmod unless 'nobody' is made the owner... which of course we can't do... any other way out...??
 
Old 02-08-2006, 05:03 AM   #7
timmeke
Senior Member
 
Registered: Nov 2005
Location: Belgium
Distribution: Red Hat, Fedora
Posts: 1,515

Rep: Reputation: 61
What kind of CMS do you use?
Does it indeed run as the "nobody" user (via the browser)?
What web server are you running? Apache? Tomcat? Combination of both? And under which user are they running/accessing files on your system? Nobody?

Typically, Apache/Tomcat need to be started as root, to allocate port 80 (a privileged port) to listen to HTTP requests. After that, they should switch to a non-privileged user. This can be nobody, but doesn't have to be.
My Tomcat is for instance running under a dedicated user, i.e. user "tomcat" or something like that.
This user can then be added to a group, let's say "www_users".
Furthermore, in this group, you can add one or more users that will "manage" the website.

The folders that the CMS must be able to change, as well as any other folders that your web server needs to change (i.e. folders with logfiles), must be given permission 2770. Other folders are given 2750 or even 2700.
(Note the "2" in front for setGID, which is a nice way to force the group ownership of newly created files.)
All folders must have one of the management users as owner, not the dedicated webserver user (i.e. the "tomcat" user). This makes sure that, if anyone abused the site to create some bullshit files on the system, you can always delete them via the management user's account.
Any files created by the webserver user (i.e. the tomcat user) can have standard file ownership. No setUID tricks needed. Just make sure that the files are group writable (umask 007 or something like that).
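The setgid-directory layout from post #7, as an added example that is not part of the thread: a shell script that creates a 2770 directory owned by the caller (standing in for the management user), simulates the web-server process writing into it under umask 007, and verifies that the new file inherits the directory's group and is group-writable but not world-readable. It assumes Linux with GNU coreutils (stat -c); the group name is a parameter, and a real deployment would pass a dedicated group like "www_users" rather than the caller's own group used here so the demo runs unprivileged.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU coreutils for stat -c.

# setup_cms_dir DIR GROUP: directory owned by the caller (the "management
# user"), group set to GROUP, mode 2770 = setgid + rwx for owner and group,
# nothing for others. The setgid bit makes new files inherit GROUP.
setup_cms_dir() {
    mkdir -p "$1" || return 1
    chgrp "$2" "$1" || return 1
    chmod 2770 "$1" || return 1
}

# dir_mode DIR: octal mode including the special bits, e.g. 2770
dir_mode() { stat -c '%a' "$1"; }

# write_as_webserver DIR: stand-in for the web-server process creating a
# file. umask 007 strips all "others" bits, so a new file comes out 660.
write_as_webserver() {
    ( umask 007; echo "constructed upload" > "$1/upload.txt" )
}

# check_inherit DIR GROUP: succeed only if the file the "web server" wrote
# carries the directory's group (setgid effect) and is exactly 660, i.e.
# group-writable so the managers can edit/delete it, unreadable by others.
check_inherit() {
    f="$1/upload.txt"
    [ "$(stat -c '%G' "$f")" = "$2" ] || return 1
    [ "$(stat -c '%a' "$f")" = "660" ] || return 1
}

# demo [GROUP]: run the whole sequence in a temp dir; defaults to the
# caller's primary group so it works without root or a pre-made group.
demo() {
    d="$(mktemp -d)" || return 1
    g="${1:-$(id -gn)}"
    setup_cms_dir "$d/site" "$g" || return 1
    [ "$(dir_mode "$d/site")" = "2770" ] || return 1
    write_as_webserver "$d/site" || return 1
    check_inherit "$d/site" "$g" || return 1
    rm -rf "$d"
}
```

Running `demo www_users` on a host where that group exists and contains both the web-server user and the site managers reproduces the layout from the post; a non-zero exit means a file ended up with the wrong group or mode.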
 
Old 02-08-2006, 11:23 PM   #8
suruchiparimu
LQ Newbie
 
Registered: Feb 2006
Posts: 8

Original Poster
Rep: Reputation: 0
Thanks... I tested that and it does help... but now I have another issue... would this work if I host the site on a different web server and the CMS on a different one? Would one web server user be recognized as an authenticated user of another web server? I suppose not...
Please let me know...
 
Old 02-09-2006, 01:57 AM   #9
timmeke
Senior Member
 
Registered: Nov 2005
Location: Belgium
Distribution: Red Hat, Fedora
Posts: 1,515

Rep: Reputation: 61
User authentication is always based on some kind of database that holds the username-password combinations.
Typical examples are:
- /etc/passwd & shadow files
- MySql databases
- your own database file, together with some PAM authentication rules
- LDAP or NIS for central user management across multiple systems.

The only thing you need to make sure of is that both web servers use the same user authentication database.

But my first question is: why would you need to run 2 webservers?
And the second one: what kinds of authentication methods are already used on the 2 machines?
And finally, what level of security (i.e. encryption, certification, etc.) do you want for your websites?
 
Old 02-09-2006, 02:59 AM   #10
suruchiparimu
LQ Newbie
 
Registered: Feb 2006
Posts: 8

Original Poster
Rep: Reputation: 0
I do not have all the specifications of the web server as they belong to our client...

The web servers need to be separate because they do not want to host multiple sites on one server, for fear of a fault that might stop the functioning of all sites. So... the sites would be hosted on different machines...
 
Old 02-09-2006, 03:25 AM   #11
timmeke
Senior Member
 
Registered: Nov 2005
Location: Belgium
Distribution: Red Hat, Fedora
Posts: 1,515

Rep: Reputation: 61
Well, then you'll need to choose a system that doesn't provide such a "single point of failure" behaviour, i.e. that won't bring down your sites if the system breaks. If I were you, I would try to use LDAP or a central MySql database for authentication, but that's just my opinion. There are many possibilities.
It depends also on how your CMS is going to work, what authentication methods it supports, and the like.
But I have read that PAM modules allow for very flexible user authentication methods, in many ways.
I'm however no expert in these matters.
 