[SOLVED] Need help with permissions for a LAMP server
I'm trying to write my own mini-code editor using codeMirror.
I use PHP scripts called over Ajax to perform PHP functions such as rename(). This comes back with a permission error.
How can/should I set up the permissions to be able to do this? I don't really like the idea of setting everything in /var/www/html to 777 and I'm assuming there is another way? Something tells me it has to do with group wheel?
Look in the http server's log files for the specific errors. They will tell you which directories need permissions changed. The default user for the web server in Xubuntu, if that's what you are using, is www-data, so you can set the user or group for the one or two directories you need.
I want the entire web directory to be read/writable by PHP over the web. It's a code editor designed to be able to build webpages from the browser itself.
So would I try to add www-data to /var/www/html? Is that what PHP uses?
Taken as a whole, that link gives very bad advice. The whole DocumentRoot hierarchy should not ever be writable by the web server, but in particular no users should ever be in the web server's group either. In your case, the web server runs as the user www-data by default. The purpose of the user www-data is to provide an unprivileged user for the web server. That would be so that the web server can read what it needs to but not be able to do anything else. The ideas behind that are those of privilege separation and least privilege. What the superuser.com post really meant to do was something like sharing write access for multiple users to a single directory. As seen in the blog post, that can be done without giving write access to the web server.
But what you are trying to do is different. The task you've described is that of needing write access for a single, specific user to various directories. Or it may be enough to just give write access to some specific files, depending on your situation. So if the directory is /var/www/html/target/ then you could "chgrp" that directory to www-data and then "chmod" it to g+w to give the web server and, thus, PHP write access. If you can, please avoid giving write access for the web server to any directories capable of running PHP scripts. The idea there is Write XOR eXecute, where a region should not be able to both write and execute. That prevents the situation where, if someone gets in via your PHP scripts, they could write their own scripts on your server.
Yes, it may seem close but the difference will save you a lot of trouble.
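The layout the reply above describes, as an added example that is not from the thread or any of its posters: hand exactly one directory to the web server's group with g+w, leave the rest of the DocumentRoot read-only for it, and audit the tree for the Write XOR eXecute violation (a directory the web server can write that also holds PHP). On a real Debian/Ubuntu LAMP box WEB_GROUP would be www-data and the commands need root; here WEB_GROUP defaults to the caller's own primary group and the tree is a constructed sample so it runs unprivileged. The function names (setup_docroot, grant_web_write, audit_wx_violations) are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Demonstrates the arrangement the reply
# describes: the DocumentRoot stays read-only for the web server, one target
# directory is handed to the web server's group with g+w, and an audit
# function reports any directory that is both web-writable and holds PHP
# (the Write XOR eXecute violation the reply warns about).
#
# Assumption: on a Debian/Ubuntu LAMP box WEB_GROUP is www-data and these
# commands run as root. To run unprivileged here, WEB_GROUP defaults to the
# caller's own primary group and the tree is a constructed sample.

WEB_GROUP="${WEB_GROUP:-$(id -gn)}"

# setup_docroot ROOT: build a constructed sample tree, readable by the web
# server's group everywhere and writable only by the owner.
setup_docroot() {
    root="$1"
    mkdir -p "$root/editor" "$root/target"
    printf '<?php echo "editor"; ?>\n' > "$root/editor/save.php"
    printf '<p>hello</p>\n' > "$root/target/index.html"
    chgrp -R "$WEB_GROUP" "$root"
    chmod -R u=rwX,g=rX,o=rX "$root"
}

# grant_web_write DIR: the minimal change from the reply, chgrp + g+w on the
# one directory PHP must write. setgid keeps new files in the same group.
grant_web_write() {
    chgrp "$WEB_GROUP" "$1"
    chmod g+w,g+s "$1"
}

# audit_wx_violations ROOT: list directories that are group- or world-writable
# and directly contain .php files. Exit 0 when clean, 1 when any are found.
audit_wx_violations() {
    violations=$(find "$1" -type d \( -perm -g+w -o -perm -o+w \) |
        while IFS= read -r d; do
            if [ -n "$(find "$d" -maxdepth 1 -name '*.php' -print | head -n 1)" ]; then
                printf 'VIOLATION: %s is web-writable and contains PHP\n' "$d"
            fi
        done)
    [ -z "$violations" ] && return 0
    printf '%s\n' "$violations"
    return 1
}

# "sh wx_audit.sh demo" walks through the good and the bad layout on a temp tree.
if [ "${1:-}" = "demo" ]; then
    root=$(mktemp -d)
    setup_docroot "$root"
    grant_web_write "$root/target"
    audit_wx_violations "$root" && echo "clean: only $root/target is writable"
    grant_web_write "$root/editor"    # what the reply says not to do
    audit_wx_violations "$root" || echo "as expected, the editor dir now fails"
    rm -rf "$root"
fi
```

The audit is the part worth keeping around: run it against the real DocumentRoot (with WEB_GROUP=www-data) after any permission change, and it will name every directory where a compromised PHP script could drop another script.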
I can't quite make sense of what you are saying. I need to be able to read and write the entire web root (I'll be using HTTPS if that helps at all). Is there a way I can achieve that safely? If there isn't, perhaps I could make the scripts that run the code editor only work if the connection is coming from a specific IP address? I could ssh in and adjust a config file when my personal IP address changes...? I suck at security.
There are two issues. One is the superuser.com site's inadvisable recommendation to add users to the group www-data. The other is allowing either the group or user www-data to write the document root. Both should be avoided, but since your current arrangement needs at least some write access the question becomes what is the minimum write access that will still get the job done. (Or, ideally, finding a different way.)
Can you put your AJAX scripts into directories that www-data does not have write access to, but still allow them to write to the other directories?
Or can you put your AJAX scripts into directories which are limited to access from your ip number? Which web server are you using, Apache2 or nginx?
What is important to avoid is an arrangement where, if someone gains illicit access to your script, they could write their own PHP scripts and run them on your server.