LinuxQuestions.org

X-Rayden 11-30-2011 09:50 AM

ssh + apache permissions
 
Hi, I read about permissions and every time I try to implement it... it's not working!

We have a dev web server on Apache (CentOS 5.7, 32-bit).
We use 2 CMSes in particular that write files in some folders: WebsiteBaker and OpenCart.

They both work on our server, but we need to chmod the folders 0777 for them to work, and even then we sometimes get "session permissions failed".

I wanted to:
create an SSH user with permissions granted on our /var/www/* folder,
and Apache should have those permissions too.

But when I use the SSH user I've made, it changes ownership and Apache can't touch the files, or we can't modify the files because they are owned by apache.

Maybe I'm wrong, but how can I have an SSH user that has the same permissions as Apache on the same folder, so I can give this to my coworkers as SFTP?

- I do not want FTP
- I do not want chmod 0777 since this server is open to the world.
- I want a simple webdev user that connects through SSH (SFTP)

klearview 11-30-2011 11:39 AM

This is a Debian-based example and you'll have to adjust your apache user name accordingly:

Create a group, let's call it 'web' in this example:

Code:

sudo addgroup web

Add Apache to that group (on Debian Apache runs under the www-data user, change for whatever it is on CentOS):

Code:

sudo usermod -a -G web www-data

Add your ssh user to that group too:

Code:

sudo usermod -a -G web your_ssh_user_name

Go to your web directory, wherever it is:

Code:

cd /var/www

Change ownership of everything to user your_ssh_user_name and group web:

Code:

sudo chown -R your_ssh_user_name:web .

Add write permissions to those directories/files that Apache needs to write to:

Code:

chmod g+w tmp
chmod -R g+w cache

Add 'sticky' bit to directories for the group so all the files created by ssh user or Apache belong to the group:

Code:

find . -type d -exec chmod g+s {} \;

Optionally remove all permissions for 'others':

Code:

chmod -R o-rwx .

You are done.

X-Rayden 12-05-2011 02:35 PM

Thanks a lot, some little changes in the code for CentOS:
sudo is not necessary as root, and it's groupadd and useradd instead of addgroup and adduser.

X-Rayden 12-06-2011 11:07 AM

I talked too fast...

When I logged in with my user webadmin (group web), I installed the CMS; the CMS runs perfectly, then creates a file. I was logged in as webadmin, checked the file, it was owned by apache:web, so the same group as me. Tried to update it... permission fails.

klearview 12-06-2011 05:57 PM

How was that file created?

X-Rayden 12-07-2011 11:31 AM

We use WebsiteBaker CMS; to install a module or template we give him a .zip, he unzips it to the specified directory, then he can use it, but webadmin can't.

But if webadmin makes a folder, Apache can use it.

klearview 12-07-2011 12:22 PM

Quote:

Originally Posted by X-Rayden (Post 4544378)
...we give him a .zip, he unzip it to the specified directory, then he can use it...

I've no idea who 'he' is so I'm going to assume that the following happens - you upload a .zip file through a web interface of your CMS which then gets installed by the CMS as a module. If my assumption is correct then here is what's happening:

When you upload anything through a web interface, any files written to the filesystem are written by the web server, hence these files belong to 'apache'.

If you followed instructions above any such files will also belong to a group 'web' because we have set a 'sticky' bit on all directories, forcing all newly created files to inherit the group ownership from the parent directory.

Therefore such files/directories will belong to apache:web. Because the default UMASK is 0022, files will have 644 permissions, meaning that users in group 'web' will be able to read them (4) but not write to them.

The same thing happens to files created directly by user 'webadmin', only now files/directories belong to webadmin:web. So for these files Apache (as a member of 'web') will be able to read them but won't be able to, say, create new files in those directories because of your UMASK.

I hope the above makes sense.

So if you want, as the 'webadmin' user, to be able to write to files created by Apache you need the following: (a) directories where Apache creates these files must belong to group 'web' and must have 'sticky' bit set (we did this above), (b) both 'webadmin' and 'apache' must be members of group 'web' (we did this too), (c) files that get created must be created writable by the group (6).

To accomplish (c) we must change UMASK with which Apache creates files and directories from 0022 to 0002 (or 0007 as I would do since I don't have any need to give any permissions to 'others').

To change Apache's UMASK on CentOS:

Code:

echo "umask 002" >> /etc/sysconfig/httpd

(or "umask 007")

Code:

service httpd restart

Don't forget that all those files that have already been created won't be changed, so you'll need to change group write permissions for them yourself with 'chmod g+w'.

Hope this helps.
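As an added illustration of the umask explanation above and of the setgid ('sticky' in this thread) step from the earlier answer, here is an unprivileged shell demo (example code, not from the thread): it creates a setgid directory under a temp path and shows that a file created under umask 022 is not group-writable while one created under 002 or 007 is. It assumes a POSIX sh and the GNU/Linux `ls -l` column layout.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce why files created under the
# default umask 022 are read-only for group 'web', while umask 002 or 007 in a
# setgid directory yields group-writable apache:web-style shared files.
# Runs as an unprivileged user in a temp directory; no chown/usermod needed.

# group_write_bit DIR UMASK -> prints "yes" if a file created in DIR under
# UMASK is group-writable, "no" otherwise. DIR gets the setgid bit (g+s),
# mirroring 'find . -type d -exec chmod g+s {} \;' from the earlier answer.
group_write_bit() {
    dir=$1
    mask=$2
    mkdir -p "$dir"
    chmod g+s "$dir"
    # A subshell keeps the umask change from leaking into the caller.
    ( umask "$mask" && : > "$dir/upload-$mask.txt" )
    # Column 6 of 'ls -l' is the group write bit: '-rw-rw-r--' -> 'w'.
    case $(ls -l "$dir/upload-$mask.txt" | cut -c6) in
        w) echo yes ;;
        *) echo no ;;
    esac
}

# dir_setgid DIR -> prints "yes" when the setgid bit is set on DIR
# (shown as 's' or 'S' in the group execute column of 'ls -ld').
dir_setgid() {
    case $(ls -ld "$1" | cut -c7) in
        s|S) echo yes ;;
        *) echo no ;;
    esac
}

# demo: constructed 'cache' directory under a temp path, three umasks.
demo() {
    work=${TMPDIR:-/tmp}/umask-demo.$$
    echo "umask 022 -> group writable: $(group_write_bit "$work/cache" 022)"
    echo "umask 002 -> group writable: $(group_write_bit "$work/cache" 002)"
    echo "umask 007 -> group writable: $(group_write_bit "$work/cache" 007)"
    echo "setgid on cache dir: $(dir_setgid "$work/cache")"
    rm -rf "$work"
}

demo
```

Files already present before the umask change keep their old mode, which is why the answer above still needs a one-off 'chmod g+w' on them.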

X-Rayden 12-08-2011 04:38 PM

I understand the umask, but shouldn't I umask the folder I want instead of httpd? And do I have to do this AS webadmin or root?

klearview 12-08-2011 05:30 PM

Quote:

Originally Posted by X-Rayden (Post 4545483)
I understand the umask, but shouldn't I umask the folder I want instead of httpd? And do I have to do this AS webadmin or root?

You can't set umask per folder; it doesn't work that way. UMASK can only be set for users.

To change Apache's UMASK you need to be root.

I think it would help you a great deal to read up on Linux file permissions, users and groups - there are plenty of general articles on the subject on the Net that can give you a good overview.

