User permissions for both apache and local user

Solution 1

The best way to achieve this is with POSIX ACLs. Standard Unix file permissions don't really cut it. You can do it with some kludging, but it's not really more than a kludge; basically, it's not a straightforward solution.

Using an ACL will resolve this issue succinctly. To do this you can use the following commands:

setfacl -R -m www-user:rwx /home/user1/public_html
setfacl -R -d -m www-user:rwx /home/user1/public_html
setfacl -R -m user1:rwx /home/user1/public_html
setfacl -R -d -m user1:rwx /home/user1/public_html

The -d flag causes new files to inherit the ACLs you set in the directory.

There are some caveats to bear in mind.

  1. Your filesystem must support it (most do these days; on most filesystems it can be enabled by remounting the filesystem with ACL support). Stuff like NFS won't work.
  2. The standard Unix group ACL becomes a mask, i.e. if a file says g+x, the file is executable with the command above; if it's g-x, the file is not executable, regardless of whether or not the permissions set in the ACL are rwx. This ensures you avoid a situation where you would have to mark all directories rwx in the ACL and all files rw-.

This fixes a problem sensibly and permits various combinations of scenarios:

  • It enforces least privilege as you are not required to start modifying group memberships of users.
  • user1 can create a file which can be modified later by www-user (so user1 can SFTP upload content which could be deleted and/or modified by a CMS in apache later) and vice versa.
  • Apache remains in a system account which avoids having to use SetUID workarounds to change the apache subject (user).
  • The modification applies within a specific directory structure only and won't inadvertently permit www-user or user1 access to other portions of the file system tree you would not wish them to access.
  • Altering or revoking permissions is a trivial change.

This is my preferred way to resolve these kinds of issues. It is a simple, non-disruptive and trivial change.

Solution 2

Apache doesn't need to write everywhere; for that you can specify tmp, upload, etc. folders. So you can set the permissions on public_dir to be readable and executable by the apache user:

sudo chown user1:www-data /home/user1/public_html
sudo chmod 0750 /home/user1/public_html

All other files under the public_html dir can be under user1's permissions and only readable by "others" (apache here). This is also better from a security point of view. As I wrote, only the necessary files/folders should be writable by the apache user.

Author: Or W

Updated on September 18, 2022

Comments

  • Or W
    Or W over 1 year

    I'm trying to allow permissions to files on the /home/user1/public_html/ folder for both user1 and for www-data (apache).

    I've been instructed to run these commands:

    sudo chown -R www-data:user1 /home/user1/public_html/
    sudo chmod g+s /home/user1/public_html/
    

    Now, www-data does have access to edit/remove/add files to /home/user1/public_html/ but user1 cannot edit anything.

    How can I solve this?

    Thanks,

    • Admin
      Admin over 12 years
      What are the permissions currently?
    • Admin
      Admin over 12 years
      @Shane Madden - drwxr-sr-x 2 www-data user1 4096 2011-12-11 09:15 public_html
    • Admin
      Admin over 12 years
      You have to be more specific. So you want user1 to be able to read & write folders and files under /home/user1/public_html/ - what permissions do you want Apache to have? read & write as well? (That's a bit of a security hole; better to make only the files/folders apache-writable that need to be, no more.)
  • Or W
    Or W over 12 years
    That allows user1 to write to that folder, but www-data cannot write to the folder anymore now.
  • stderr
    stderr over 12 years
    Yes, apache can't write to the directory now, but as I wrote, it's better from a security point of view. You can specify a special directory where apache must write and it will be just the apache dir (e.g. uploads, images, tmp, I don't know: chown :www-data <some-dir>, chmod g+w <some-dir>).
  • Michael Kropat
    Michael Kropat over 12 years
    When setting the regular ACL, I prefer to use "rwX" over "rwx". For example: setfacl -R -m www-user:rwX /home/user1/public_html. At least on Linux, this avoids marking all the files as executable.
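Two points in this thread are easy to get wrong in practice: Solution 1's second caveat (once an extended ACL exists, the group bits shown by ls/stat are the ACL mask, so `chmod g-x` silently caps a named user's `rwx` to `rw-`) and Michael Kropat's `rwX` remark (capital X adds execute only to directories or to files that already have an execute bit). The following is an added example, not code from the thread or from the acl package: a small Python model of POSIX.1e ACL evaluation (owner, group, other, named-user entries, mask) that reproduces what `getfacl`'s `#effective:` column would report. The file and directory it operates on are constructed, the `www-user` name is taken from the answer, and it does not touch the real filesystem.

```python
"""Model of POSIX.1e ACL evaluation: named-user entries, the mask, chmod on the
group bits, and setfacl's capital-X permission. Constructed example; it does not
wrap setfacl/getfacl or modify any real file."""

from dataclasses import dataclass, field
from typing import Optional

R, W, X = 4, 2, 1  # permission bits of one rwx triplet


def perms_to_str(p: int) -> str:
    """Render a 3-bit permission value as 'rwx'-style text."""
    return "".join(c if p & b else "-" for c, b in (("r", R), ("w", W), ("x", X)))


def parse_perms(spec: str, is_dir: bool, existing_mode: int = 0) -> int:
    """Parse an 'rwX'-style spec the way setfacl -m interprets it.

    Capital X grants execute only if the object is a directory or some execute
    bit is already set in existing_mode (the object's current mode bits). That is
    why 'setfacl -R -m www-user:rwX ...' leaves plain files non-executable.
    """
    perms = 0
    for ch in spec:
        if ch == "r":
            perms |= R
        elif ch == "w":
            perms |= W
        elif ch == "x":
            perms |= X
        elif ch == "X":
            if is_dir or existing_mode & 0o111:
                perms |= X
        elif ch != "-":
            raise ValueError(f"unknown permission character {ch!r}")
    return perms


@dataclass
class Acl:
    """Minimal ACL: owner/group/other triplets, named-user entries and a mask."""
    is_dir: bool
    owner: int
    group: int
    other: int
    users: dict = field(default_factory=dict)  # named user -> raw permissions
    mask: Optional[int] = None                 # present once the ACL is extended

    def mode(self) -> int:
        """Mode bits as stat()/ls report them: with an extended ACL the group
        triplet shows the mask, not the owning-group entry."""
        g = self.mask if self.mask is not None else self.group
        return (self.owner << 6) | (g << 3) | self.other

    def set_user(self, name: str, spec: str) -> None:
        """setfacl -m name:spec. Like setfacl's default behaviour, the mask is
        recomputed as the union of all group-class entries."""
        self.users[name] = parse_perms(spec, self.is_dir, self.mode())
        self.mask = self.group
        for p in self.users.values():
            self.mask |= p

    def chmod_group(self, bits: int) -> None:
        """chmod g=bits. When a mask entry exists, chmod changes the mask and
        leaves the owning-group entry alone (acl(5)); this is the caveat that
        'the group bits become a mask'."""
        if self.mask is not None:
            self.mask = bits
        else:
            self.group = bits

    def effective(self, who: str) -> int:
        """Effective permissions as getfacl's '#effective:' column shows them:
        owner and other are never masked; group and named users are ANDed with the mask."""
        if who == "owner":
            return self.owner
        if who == "other":
            return self.other
        raw = self.group if who == "group" else self.users[who]
        return raw & self.mask if self.mask is not None else raw


def demo() -> dict:
    """Walk the thread's two points on a constructed 0644 file and 0755 directory."""
    out = {}
    f = Acl(is_dir=False, owner=R | W, group=R, other=R)  # constructed index.html, 0644
    f.set_user("www-user", "rwx")                          # the answer's setfacl -m www-user:rwx
    out["file_after_rwx"] = perms_to_str(f.effective("www-user"))
    f.chmod_group(R | W)                                   # chmod g-x: edits the mask
    out["file_after_g-x"] = perms_to_str(f.effective("www-user"))  # capped to rw-
    out["file_mode_after_g-x"] = oct(f.mode())             # 0o664: group triplet is the mask

    f2 = Acl(is_dir=False, owner=R | W, group=R, other=R)  # another 0644 file
    f2.set_user("www-user", "rwX")                         # X skipped: no execute bit present
    out["file_rwX"] = perms_to_str(f2.effective("www-user"))
    d = Acl(is_dir=True, owner=R | W | X, group=R | X, other=R | X)  # 0755 directory
    d.set_user("www-user", "rwX")                          # X granted: it is a directory
    out["dir_rwX"] = perms_to_str(d.effective("www-user"))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The model keeps the two mechanisms separate so they can be read independently: `chmod_group` shows why a plain `chmod g-x` after `setfacl` silently removes www-user's execute permission on every file in the tree (a real `getfacl` would print `user:www-user:rwx #effective:rw-`), and `parse_perms` shows why `rwX` is the safer spec for a recursive `setfacl -R` over a mix of files and directories.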