ssh + apache permissions
Hi, I read about permissions and every time I try to implement... it's not working!

We have a dev web server on Apache (CentOS 5.7, 32 bits). We use 2 CMS in particular that write files in some folders, WebsiteBaker and OpenCart. They both work on our server, but we need to make folders chmod 0777 to work, and even then, we get some "session permissions failed" sometimes.

I wanted to: create an ssh user with granted permission in our /var/www/* folder, and apache should have those permissions too. But when I go with the ssh user I've made, it changes ownership and apache can't touch the files, or we can't modify the files because they are owned by apache.

Maybe I'm wrong, but how can I have an ssh user that has the same permissions as apache on the same folder, to be able to give this as sftp to my coworkers?
- I do not want FTP
- I do not want chmod 0777 since this server is open to the world.
- I want a simple webdev user that connects through ssh (sftp)
This is a Debian-based example and you'll have to adjust your apache user name accordingly:
Create a group, let's call it 'web' in this example: Quote:
Quote:
Quote:
Quote:
Quote:
Quote:
Quote:
Quote:
chmod -R o-rwx .
You are done.
Thanks a lot. Some little changes in the code for CentOS:
sudo is not necessary as root, and it's groupadd and useradd instead of addgroup and adduser.
I talked too fast...
When I logged in with my user webadmin (group web), I installed the CMS; the CMS runs perfectly, then creates a file. I was logged in as webadmin, checked the file, it was owned by apache:web, so same group as me, tried to update it... permission fails.
How was that file created?
We use the WebsiteBaker CMS. To install a module or template we give it a .zip, it unzips it to the specified directory, then it can use it, but webadmin can't.
But if webadmin makes a folder, apache can use it.
Quote:
When you upload anything through the web interface, any files written to the filesystem are written by the web server, hence these files belong to 'apache'. If you followed the instructions above, any such files will also belong to group 'web' because we have set a 'sticky' bit on all directories, forcing all newly created files to inherit the group ownership from the parent directory. Therefore such files/directories will belong to apache:web. Because the default UMASK is 0022, files will have 644 permissions, meaning that users in group 'web' will be able to read them (4) but not write to them.

The same thing happens to files created directly by user 'webadmin', only now files/directories belong to webadmin:web. So for these files Apache (as a member of 'web') will be able to read them but won't be able to, say, create new files in those directories because of your UMASK. I hope the above makes sense.

So if you want, as the 'webadmin' user, to be able to write to files created by Apache you need the following:
(a) directories where Apache creates these files must belong to group 'web' and must have 'sticky' bit set (we did this above),
(b) both 'webadmin' and 'apache' must be members of group 'web' (we did this too),
(c) files that get created must be created writable by the group (6).

To accomplish (c) we must change the UMASK with which Apache creates files and directories from 0022 to 0002 (or 0007 as I would do since I don't have any need to give any permissions to 'others'). To change Apache's UMASK on CentOS:
Code:
echo "umask 002" >> /etc/sysconfig/httpd
Code:
service httpd restart
Hope this helps.
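The umask effect described in the reply above can be reproduced without root. This is an added example, not code from the thread: it uses a throwaway temporary directory as a stand-in for the shared web root, and the function names are made up for the illustration.

```shell
#!/bin/sh
# Added illustration: a scratch directory stands in for the shared web root
# (an assumption; the real one would be group 'web' under /var/www).

# mode_under_umask UMASK DIR
# Create a file in DIR as a process running with UMASK and print its
# permission string, e.g. "-rw-r--r--".
mode_under_umask() {
    (
        umask "$1"
        f="$2/file-$1"
        : > "$f"                      # new files start from 0666 & ~umask
        ls -ld "$f" | cut -c1-10      # keep only the 10 mode characters
    )
}

# group_writable MODESTRING: succeeds when the group 'w' bit is set.
group_writable() {
    case "$1" in
        ?????w*) return 0 ;;
        *)       return 1 ;;
    esac
}

demo() {
    shared=$(mktemp -d) || return 1
    chmod 2770 "$shared"   # rwxrws---: the leading 2 makes new files inherit the directory's group
    for m in 022 002 007; do
        mode=$(mode_under_umask "$m" "$shared")
        if group_writable "$mode"; then verdict="group can write"
        else verdict="group is read-only"; fi
        printf 'umask %s -> %s (%s)\n' "$m" "$mode" "$verdict"
    done
    rm -rf "$shared"
}

demo
```

Only the 002 and 007 runs give group members write access, and 007 also removes all access for 'others'.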
I understand the umask, but shouldn't I umask the folder I want instead of httpd? And do I have to do this as webadmin or root?
Quote:
To change Apache's UMASK you need to be root. I think it would help you a great deal to read up on Linux file permissions, users and groups - there are plenty of general articles on the subject on the Net that can give you a good overview.