How do you give execute permissions to Apache2 user and NOT to everyone else?
Solution 1
chown the files to whatever your Apache group is called (usually www-data) and set permissions to only give user/group permissions:
chown -R www-data:www-data /path/to/cgi-bin   # owner and group become www-data
chmod -R 764 /path/to/cgi-bin                 # u=rwx, g=rw-, o=r--
That sets it so only the www-data user and group can write the file, and only the www-data user can execute the file; everyone can read.
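The scheme above, as an added example that is not part of the original answer: it separates directory from file modes (a directory needs the execute bit before anyone can enter it, so a recursive 764 would also keep the group out of the directory itself), drops the read bit for other users entirely, and adds an audit that lists anything still reachable by other users or writable by the group. The web user and group names, the 750 modes and the demo tree are assumptions of this example; the chown is only attempted when running as root and the account exists.

```shell
#!/bin/sh
# Added example, not part of the original answer: apply the "owned by the
# web user/group, nothing for anyone else" scheme to a CGI directory and
# audit it afterwards.
# Assumptions: Linux with GNU find/chmod/stat; WEB_USER/WEB_GROUP are
# placeholders (www-data is the Debian/Ubuntu default); the demo tree at
# the bottom is constructed here and removed again.

set -u

WEB_USER="${WEB_USER:-www-data}"
WEB_GROUP="${WEB_GROUP:-www-data}"

# Print every entry under $1 that has any permission bit for "other"
# (-perm /007) or the group write bit (-perm /020).  Prints nothing when
# the tree is clean, so the line count doubles as a pass/fail check.
cgi_audit() {
    find "$1" \( -perm /007 -o -perm /020 \) -print
}

# Ownership goes to the web user/group (root only; skipped otherwise).
# Directories get 750: owner rwx, group r-x (x is needed to enter the
# directory), other nothing.  Files get 750 as well: the group can run a
# script but not modify it.  Treating directories and files separately is
# what a single "chmod -R 764" cannot do.
cgi_harden() {
    dir=$1
    if [ "$(id -u)" -eq 0 ] && id "$WEB_USER" >/dev/null 2>&1 \
        && getent group "$WEB_GROUP" >/dev/null 2>&1; then
        chown -R "$WEB_USER:$WEB_GROUP" "$dir"
    else
        echo "cgi_harden: not root or $WEB_USER/$WEB_GROUP missing, ownership unchanged" >&2
    fi
    find "$dir" -type d -exec chmod 750 {} +
    find "$dir" -type f -exec chmod 750 {} +
}

# Demo on a constructed tree; no real cgi-bin is touched.
demo=$(mktemp -d)
mkdir "$demo/lib"
printf '#!/usr/bin/env python3\nprint("Content-Type: text/plain\\n\\nhi")\n' > "$demo/hello.py"
printf 'X = 1\n' > "$demo/lib/helper.py"
chmod 777 "$demo/hello.py"       # deliberately wide open
chmod 664 "$demo/lib/helper.py"  # group-writable

echo "offending entries before:"; cgi_audit "$demo"
cgi_harden "$demo"
echo "offending entries after:";  cgi_audit "$demo"   # nothing listed
ls -l "$demo"
rm -rf "$demo"
```

One caveat a practitioner should weigh: with the scripts owned by www-data, the web server process can rewrite them if it is ever compromised. Keeping the files owned by root or your own account, with group www-data and mode 750 (the shared-group idea in Solution 2), gives Apache execute without write.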
Solution 2
Two ways jump to mind. First, you could create a group with you, root and apache in it and change the group ownership of cgi-bin to that:
groupadd web
usermod -a -G web $USER
chgrp web /path/to/cgi-bin && chmod -R 774 /path/to/cgi-bin
Alternatively, you could use ACLs to just add execute permissions for apache:
setfacl -m d:u:apache:rwx /path/to/cgi-bin   # "d:" = default ACL entry on the directory
This will allow apache to execute any file under cgi-bin, but you'll need to have ACLs enabled on the filesystem, and they're sometimes easy to miss when looking at files and directories.
You can enable ACLs by modifying your filesystem defaults and remounting the filesystem:
tune2fs -o acl /dev/root/device
mount -o remount,acl /
A file or directory with an ACL attached will have a + at the end of the ownership mode in the output of ls -l:
drwxr-xr-x+ 2 username group 4096 May 21 21:58 tmp
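The default ACL in Solution 2, as an added example that is not from the original answer: a `d:` entry is copied onto entries created in the directory later, so files already sitting in cgi-bin get nothing from it; they need an access entry, which this example applies recursively. The web server's uid is given as a number (APACHE_UID, defaulting to 33, which is www-data on Debian/Ubuntu; a placeholder) so the demo needs no account to exist; it assumes the acl tools (setfacl/getfacl) and a filesystem with ACL support, and probes for both before doing anything. The demo directory is constructed and removed again.

```shell
#!/bin/sh
# Added example, not part of the original answer: what the default ("d:")
# ACL from Solution 2 does and does not do.  A default entry only seeds
# the ACL of files created later; files already present need an access
# entry, applied here with a recursive setfacl.
# Assumptions: GNU setfacl/getfacl (package "acl") on an ACL-enabled
# filesystem; APACHE_UID is a placeholder for the web server's uid
# (33 = www-data on Debian/Ubuntu), numeric so no account is required.

APACHE_UID="${APACHE_UID:-33}"

# Succeeds only if an ACL can really be set under directory $1
# (tools installed and the filesystem accepts it).
acl_supported() {
    command -v setfacl >/dev/null 2>&1 || return 1
    probe=$(mktemp -p "$1") || return 1
    setfacl -m "u:$APACHE_UID:r" "$probe" >/dev/null 2>&1
    rc=$?
    rm -f "$probe"
    return $rc
}

# What the answer's command does: a default entry on the directory only.
acl_grant_future() {
    setfacl -m "d:u:$APACHE_UID:rx" "$1"
}

# Read+execute for the web uid on the directory and everything already in it.
acl_grant_existing() {
    setfacl -R -m "u:$APACHE_UID:rx" "$1"
}

# Does $1 carry an *access* entry for the web uid?  -n keeps ids numeric,
# -p keeps absolute paths in the "# file:" header.
acl_has_access_entry() {
    getfacl -pn "$1" 2>/dev/null | grep -q "^user:$APACHE_UID:"
}

# Does directory $1 carry a *default* entry for the web uid?
acl_has_default_entry() {
    getfacl -pn "$1" 2>/dev/null | grep -q "^default:user:$APACHE_UID:"
}

# Demo on a constructed directory.
demo=$(mktemp -d)
: > "$demo/old.py"                    # exists before the default ACL is set
if acl_supported "$demo"; then
    acl_grant_future "$demo"
    : > "$demo/new.py"                # created after, inherits the entry
    acl_has_access_entry "$demo/old.py" \
        && echo "old.py: has entry" \
        || echo "old.py: no entry (the default ACL did not touch it)"
    acl_has_access_entry "$demo/new.py" && echo "new.py: inherited entry"
    acl_grant_existing "$demo"
    acl_has_access_entry "$demo/old.py" && echo "old.py: entry after recursive -m"
    ls -ld "$demo"                    # mode string now ends in "+"
else
    echo "ACLs not usable here (setfacl missing or no acl support on this filesystem)" >&2
fi
rm -rf "$demo"
```

After running it, `getfacl -pn` on the directory shows the `default:user:...` lines that only seed future files, while the `user:...` lines on each file are what the kernel actually checks when Apache opens or executes it; `ls -ld` shows the trailing `+` the answer mentions.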
Lenny K
Updated on September 18, 2022

Comments
- Lenny K, over 1 year ago: I have Ubuntu Server running and I am setting up a separate directory as a cgi-bin. I have the directory ready and I changed the file for the site. However, to get it to work, I need to change the permissions of the Python script I have in the folder so that Apache can execute it. However, I don't want to give write or execute access to ANYONE other than root, me and Apache. I'm assuming this is possible, but how can it be done?
- Lenny K, almost 13 years ago: Thanks, I tried it and received no error. How would I go about checking that nobody other than www-data can access the CGI? Also, is there any way to do this for ALL files in the folder and all files that will later be put into this folder? Like running those commands on the cgi-bin directory?
- Toby Mao, almost 13 years ago: Easiest way would be to su into another user (someone other than root) and try running the CGI; if you get an error (something like 'Permission denied') then everything is OK.
- Toby Mao, almost 13 years ago: I don't think you can set permissions for files that don't already exist in the directory, but the -R flag means recursive, so it will apply to every file in that directory; the files have to be already there, though.
- Lenny K, almost 13 years ago: Okay, thanks. One more question: why set the permission to 764? www-data isn't the owner of the file... or is that what the first line of code does? Please explain the first line of code.
- Toby Mao, almost 13 years ago: Line one, chown (condensed from 'change owner'), changes the owner of the file to the user www-data and the group www-data. The generic command is something like chown [flags] user:group /path/to/file. The second line, chmod, changes the permissions of the file. The files are now owned by the www-data user and group, so the perm string is 7 (user can read, write and execute) 6 (group can read and write) 4 (anyone else can read). The -R flag in both commands tells it to be recursive, so you can use a directory instead of a single file.
- Lenny K, almost 13 years ago: Okay, that makes sense. But doesn't that mean that I am no longer the owner and therefore will not be able to execute the CGI?
- Toby Mao, almost 13 years ago: No, if you're logging in as a different user you won't be able to run the CGI. The easiest way around that is to add yourself to the www-data group and change the permissions to 774 (to allow group execute permissions).
- Lenny K, almost 13 years ago: Okay, and how would I go about adding myself to the www-data group? Sorry, I'm new to this :)
- Toby Mao, almost 13 years ago: On the command line, usermod -G www-data yourusernamehere (replace yourusernamehere with your username; if you don't know this, run whoami to find out). Then run the chmod command again but replace 764 with 774.
- Toby Mao, almost 13 years ago: You can use the -a flag to add a user to a group without overwriting the other groups, e.g. usermod -G admin yourusernamehere, then usermod -a -G www-data yourusernamehere, then usermod -a -G anothergroup yourusernamehere; or you can use a comma-separated list, e.g. usermod -G admin,www-data,anothergroup yourusernamehere.
- Lenny K, almost 13 years ago: I ran the command and I get this error: usermod: cannot lock /etc/passwd; try again later.
- Toby Mao, almost 13 years ago: Check out this question: answers.launchpad.net/ubuntu/+source/sudo/+question/145749
- Lenny K, almost 13 years ago: I tried that, but I can't get it to work. I think this is what happened. Since I have now changed my user's group to www-data, I can't use sudo because only people in the admin group are allowed to. Whenever I run sudo, I get this error: user is not in the sudoers file. This incident will be reported. The root user is disabled, so I can't add myself into the admin group. I think I "locked myself out" of Ubuntu. Do you (or anyone else) think there is a solution other than reinstalling the system?