I currently setup a single user on my virtual host like this:
sudo useradd -d /website/ -m user -s /usr/bin/rssh
sudo chown root:root /website/ -R #Don't get why I need this part but doesn't work without!
sudo chmod 755 /website/
sudo chown -R user:www-data /website/public_html
sudo chmod 755 /website/public_html
This works for user to add and edit folders and files within /website/public_html.
I now want to be able to add other users with the ability to add and edit folders and files within /website/public_html. The issue with this, is that if I get into using groups and add users to the group www-data and change the chmod to 775 the users will then be able to edit other virtual hosts websites for example /website2/public_html.
All users (as you can see above) can only access the server through sftp (-s /usr/bin/rssh). Users are also locked to their home directories with the help of settings from sshd_config†. As of that I suppose I could add all the users to the same group (www-data) and chmod 775 the directory or is that not safe ?
For example here someone mentions that giving the virtual hosts 775 permissions may allow for users to insert php scripts that could delete everything. But without it being 775 this also does not allow for php to create files.
†:
Match user user
ChrootDirectory /website/
ForceCommand internal-sftp
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
You can create a new group for each virtual host and add www-data and other granted users to this. Then set that group as the owner of your files (chown). With specifying an appropriate permission (like 775) you will be there.
Related
I need to give write permission to apache on all my files, I checked apache user in config file and with exec("whoami"), it's www-data, but if I had www-data to root group apache isn't able to write a file. I tried to set run-group as root and restart apache, but nothing change. How can I do to give this permission to apache ?
First of all your should check what kind of permission level you want.
A good way to go is to give write permissions only for folders where you need it.
check that your www-data user is at least in the group of the access group or change the it:
chgrp -R www-data folder/
then set the write permissions with
chmod -R g+w folder
should be enough
I have a PHP script application installed on a cloud server.
One of the function is the "PDF Preview", which is currently not working properly.
I contacted the PHP script owner, and he asked me to make sure:
1. dompdf/lib/font/ folder has write permissions (777)
2. the owner of the folder is the Apache user (mostly it is www-data)
For the 1st one, I tried to change the directory permission directly in the FileZilla interface. But it always changes back to 775 after I refresh...
For the 2nd one, I have no idea what it means... I contacted the technical support of my cloud server service. He said it's an App related issue, not server.
Can anyway give me some direction please? Should I use SSH? or anything else?
Really appreciated your help...
Erin
If you have SSH access, it is easier.
1) SSH in and CD into your web directory (likely public_html)
2) run the command chmod -R 777 dompdf/lib/font/
However permission 755 is likely fine...
3) Run ls -l. It will likely look like this:
-rw-r--r-- 1 erin erin 395 Aug 21 2013 index.php
The first 'erin' is the user and the second 'erin' is the group.
There may be other files that have the correct group (such as www or apache). Try and match other files in the public_html directory:
To change the owner: chown apache dompdf/lib/font/
To change the group: chgrp apache dompdf/lib/font/
If you're on shared hosting you might not have access to do this. I'm guessing it's more likely a path or configuration issue than a permissions issue, but give this a shot.
As far as I know you cannot change the owner of a file/directory via FTP. You can via SSH.
The command to change file permissions:
chmod 777 filename.php
To change a directory's permissions:
chmod -R 777 dirname/
To change the owner of a file:
chown www-data filename.php
To change the owner of a directory:
chown -R www-data dirname/
To change the group of a file:
chgrp www-data filename.php
To change the group of a directory:
chgrp -R www-data dirname/
Make sure you are in the file's directory when changing file permissions and ownership with the above commands. Otherwise you'll have to update the path.
If you are updating directories, be sure to be above the directory you wish to update.
Hope this helps.
P. S. To view the current permissions / owner / group of a file or directory, use the ls -la command.
Do not use the database user as the UNIX user. Use www-data.
sudo chown -R www-data:www-data /var/www
There is a difference between the database user and the Apache user. The Apache User is the only one who can actually read the files. The database user is only meant for giving/taking database read/write permissions.
In addition, keep the default permissions from the webapp install. Do not change those, except for the owning user/group. If you are instructed by the webapp, change permissions.
If you are more concerned about security, you could instead run the following commands:
sudo chown -R $USER:www-data /var/www
sudo chmod -R 640 /var/www
This makes the actual files owned by your user, so that only you (and root) can modify them. The reason www-data is referenced is so that Apache can still READ the files, but not actually write to them.
The 640 allows you (the file owner) to read and write, while allowing the www-data group to read files. It also blocks anyone else from possibly reading the file contents.
(The above is only one possible (untested) method. More good ways are available here.)
My PHP runs "exec" under the user "www-data"
my git repository is owned by "admin"
so it cannot access.
If I change ownership to "www-data" it passes the access problem but I can't create SSH keys because www-data is not a "real" user. I don't even know what that is. where is the home folder for such user?
also, when i change the ownership to "www-data" I cannot use git as admin on that machine anymore. gives me error: cannot open .git/FETCH_HEAD: Permission denied
Where is the home fold for user www-data ?
how can I get it to be able to use git with SSH keys set up?
Transferring ownership to www-data is the right decision. I mean www-data is indeed the owner and since it needs full read/write permissions to that folder anyway - do it!.
The following information is at least true for Debian based systems
www-data is a real user. Also it has a home dir. You can find it using:
cat /etc/passwd | awk -F: '/www-data/{print $6}'
On Debian/Ubuntu it is /var/www for example.
To make the github access possible you can create keys for www-data and place them in /var/www/.ssh. !!!Make sure that this folder is not accessible from web!!!. Then create a machine-user on github add use the public key for www-data.
Creating the keys:
sudo -u www-data ssh-keygen -t rsa
Once you are finished, create a new user on github, name it your-app-machine-user (or whatever), copy /var/www/.ssh/id_rsa.puband add it to that github account.
Read access for www-data should work now.
Try: chown -R www-data:www-data .git/
I just moved magento from local to server and Im getting the following error, I was just wondering if someone could help me solve this,
UID of script "/home/.../public_html/index.php" is smaller than min_uid
what I did was to make a database dump and transfer it to server,
create a backup of the all the magento files and transfer and expand to server,
change the core_config table in the database.
Thanks in advance.
That looks like an suPHP issue to me.
Change the user and group of your script to the user running your webserver process. So if you're running an Apache with user www-data for example, change to:
chown www-data:www-data /home/.../public_html/index.php
Or change all your files at once by:
chown -R www-data:www-data /home/.../public_html/
If you're still running into this issue after changing user and group, then your suPHP is probably working with the default min_uid = 100, but the UID of www-data is below this 100.
To fix this you can change the min_uid in suPHP's config to match the UID of www-data:
vi /etc/suphp/suphp.conf
min_uid = <UID of www-data>
If your script is owned by root, you should change the ownership back to yourself:
chown -R user /home/user/public_html
This will change the owner of all of the files contained in /home/user/public_html and all subdirectories to user.
I had same problem, and fixed it with logged in Ftp and uploaded files with cpanel account of this site. Not root or admin account. You must create or edit your files with this account.
What I did to fix this problem:
chown -R user:user /home/dibs/public_html
and made the php files to chmod 700
as far as i am getting just disable the suPHP mode in apache2,
by typing this command on terminal :
sudo a2dismod suphp
if you want to enable it again :
sudo a2enmod suphp
I'm real new to Mac and Apache. I my development machine my website cannot access any files under the web roots /images or /css folders.
The apache log gives the following error:
(13)Permission denied: file permissions deny server access:
The site is hosted up under the 'Sites' folder. I checked in 'Get Info' on this folder and it seems that 'Everyone' has read access. What gives?
Thanks!
The problem is that Apache runs with a user different to the user owner of files, and the Apache's user doesn't have read/write/execute permissions. In my case the user was _www and is member of the _www group.
I solved this issue changing the group of the files to the _www:
Look for the apache's user and group. I used this php script:
<?php
echo exec('whoami') . '<br>';
echo exec('groups') . '<br>';
?>
Login with the user owner of the files.
Add the user owner of files to the _www group.
$ sudo dseditgroup -o edit -a userOwnerOfFiles -t user _www
Change the group of files needed to _www
$ chgrp -R _www path/containing/files
Change file permissions for the group
$ chmod -R g+rwx path/containing/files
This was a tough one for me today. It turned out that I needed to give permissions to the web server to the entire directory tree all the way up to the doc root.
It came up for me today because I'm using a virtual host and storing the files pretty far up a tree in my user directory.
I did not want to recursively change all the thousands of files in my Documents directory so I just chmod ed each folder in the path. In my home directory:
$ chmod 755 Documents
$ chmod 755 Documents/projects
$ chmod 755 Documents/projects/dev
$ chmod 755 Documents/projects/dev/someglamorousclientname/
$ chmod 755 Documents/projects/dev/someglamorousclientname/docroot
Another alternative way of solving this is using extended attributes in MacOSX
chmod +a "_www allow list,read,search,readattr,readsecurity,file_inherit,directory_inherit" /path/to/document_root
I've found 2 things did the trick for me (I was specifically trying to get apache to have access to the Downloads folder):
In System Preferences -> Security & Privacy -> Privacy scroll to Full Disk Access on the left, make sure you unlock at bottom, and then click the + to add an app. Navigate to /usr/sbin and find the executable httpd and add that, making sure it has full disk access enabled. Re-lock the preferences
Right click the particular folder in Finder and choose Get Info, then under Sharing & Permissions, allow access for the "everyone" user (or if you are trying to be more security conscious, perhaps only allow for "_www" user - but I did not test this).
That solved it for me
This method is safe & fast to test, and easy to switch back if it's not working (it won't mess up things even more, which is ofter a problem when fixing these kind of issues:
Locate httpd.conf (you can do it with httpd -V in terminal)
Open this file in Brackets or any text editor
In this file, find:
User _www
Group _www
Change it to
User {your username}
Group staff
Maybe you will have to add something else to your User and Group:
In this httpd.conf file, you can also find a path to your webserver, just search for DocumentRoot. Copy this path, and navigate to it in terminal with cd command, for example: cd /Library/WebServer/Documents
When you are in, do a ls -l. This will give you info about webroot folder ownership. Adjust your User and Group in the httpd.conf regarding this
You can also enter the webroot folder and check the sites ownerships as well with ls -l, and update httpd.conf regarding that.
If this is not working, don't forget to switch back to:
User _www
Group _www