want to avoid 777 permission, but want to write on folder
We have a CMS application that adds files into folders. We would require write rights on that folder for the purpose, but we want to avoid giving 777 rights, as the site that the application is content-managing is a public site.
OK, got your mail. I will post here as info for others too.
You want the application to be able to write? You can use the setuid function to set the user id of the program or application to match that of the owner of the file.
You can use
Quote:
man setuid
to check what its syntax is.
OR
you can set the permissions recursively on your folder like this:
Quote:
chmod -R 764 myfolder
I'm setting the following permissions:
user: all permissions
group: read-write permissions (somegroup)
others: read
If the application's gid is set to group "somegroup", then it can write and modify files in "myfolder" and all subfolders.
You can set the group id with the setgid function. This is easier to do than setuid.
Or you can set the group for the application like this
I checked... it doesn't allow the application to setuid or chmod unless 'nobody' is made the owner... which of course we can't do... any other way out... ??
What kind of CMS do you use?
Does it indeed run as the "nobody" user (via the browser)?
What web server are you running? Apache? Tomcat? Combination of both? And under which user are they running/accessing files on your system? Nobody?
Typically, Apache/Tomcat need to be started as root, to allocate port 80 (a privileged port) to listen to HTTP requests. After that, they should switch to a non-privileged user. This can be nobody, but doesn't have to be.
My Tomcat is, for instance, running under a dedicated user, i.e. user "tomcat" or something like that.
This user can then be added to a group, let's say "www_users".
Furthermore, in this group you can add one or more users that will "manage" the website.
The folders that the CMS must be able to change, as well as any other folders that your web server needs to change (i.e. folders with logfiles), must be given permission 2770. Other folders are given 2750 or even 2700.
(Note the "2" in front for setGID, which is a nice way to force the group ownership of newly created files.)
All folders must have one of the management users as owner, not the dedicated webserver user (i.e. the "tomcat" user). This makes sure that, if anyone abused the site to create some bullshit files on the system, you can always delete them via the management user's account.
Any files created by the webserver user (i.e. the tomcat user) can have standard file ownership. No setUID tricks needed. Just make sure that the files are group-writable (umask 007 or something like that).
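As an added example (not from any poster in this thread), the setup described above in script form: a directory that is group-owned, mode 2770 (setgid), with the webserver user writing under umask 007, plus a check that new files really inherit the group and are not world-accessible. It assumes GNU coreutils (stat -c) and that the group already exists; adding the webserver user to the group needs root and is left out.

```shell
#!/bin/sh
# Constructed example: CMS-writable directory without 777.
# Assumes GNU stat (-c) and an existing group; does NOT create users/groups.

# setup_cms_dir DIR GROUP : make DIR group-owned by GROUP with mode 2770
# (rwxrws---): owner and group have full access, others none, and the
# setgid bit makes new files inside inherit GROUP instead of the creator's
# primary group.
setup_cms_dir() {
    dir=$1; grp=$2
    mkdir -p "$dir" || return 1
    chgrp "$grp" "$dir" || return 1
    chmod 2770 "$dir"
}

# dir_mode PATH : print the octal mode including special bits, e.g. 2770
dir_mode() {
    stat -c '%a' "$1"
}

# write_as_app DIR NAME : simulate the webserver user creating a file with
# umask 007 (result: 666 & ~007 = 660, group-writable, no world bits)
write_as_app() {
    ( umask 007; : > "$1/$2" )
}

# check_cms_dir DIR GROUP : return 0 only if DIR is 2770 and a freshly
# created file inherits GROUP with mode 660; prints the reason otherwise
check_cms_dir() {
    dir=$1; grp=$2
    [ "$(dir_mode "$dir")" = "2770" ] || { echo "dir mode is $(dir_mode "$dir"), want 2770"; return 1; }
    write_as_app "$dir" "probe.txt" || { echo "cannot write into $dir"; return 1; }
    fgrp=$(stat -c '%G' "$dir/probe.txt")
    fmode=$(stat -c '%a' "$dir/probe.txt")
    rm -f "$dir/probe.txt"
    [ "$fgrp" = "$grp" ] || { echo "file group is $fgrp, want $grp (setgid missing?)"; return 1; }
    [ "$fmode" = "660" ] || { echo "file mode is $fmode, want 660 (check umask)"; return 1; }
    return 0
}
```

Run check_cms_dir against the real content directory after changing the webserver's umask; a group other than the expected one means the setgid bit was lost (e.g. a recursive chmod without the leading 2), and 664/666 means the umask is still too open.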
Thanks... I tested that and it does help... but now I have another issue... would this work if I host the site on one web server and the CMS on a different one? Would one web server user be recognized as an authenticated user of another web server? I suppose not...
Please let me know...
User authentication is always based on some kind of database that holds the username-password combinations.
Typical examples are:
- /etc/passwd & shadow files
- MySql databases
- your own made database file, together with some PAM authentication rules
- LDAP or NIS for central user management across multiple systems.
The only thing you need to make sure is that both web servers use the same user authentication database.
But my first question is, why would you need to run 2 webservers?
And the second one: what kinds of authentication methods are already used on the 2 machines?
And finally, what level of security (ie encryption, certification, etc) do you want for your websites?
I do not have all the specifications of the web server as they belong to our client...
The web servers need to be separate because they do not want to host multiple sites on one server, in fear of a fault that might stop functioning of all sites. So... the sites would be hosted on different machines...
Well, then you'll need to choose a system that doesn't provide such "single point of failure" behaviour, i.e. one that won't bring down your sites if the system breaks. If I were you, I would try to use LDAP or a central MySql database for authentication, but that's just my opinion. There are many possibilities.
It depends also on how your CMS is going to work, what authentication methods it supports, and alike.
But I have read that PAM modules allow for very flexible user authentication methods, in many ways.
I'm however no expert in these matters.