Grasping a full understanding of setting default Users, Groups and Masks has eluded me over the years, but now I find myself in a situation where manually "setting" the file/directory attributes is becoming a pain.
I understand the fundamentals of the file attributes, though from time to time I have to review the "sticky bit"; what I do not understand is where/how the attributes are set when a user creates or modifies a file/directory. Here is my situation:
My /var/www/html files have been manually set by me to apache/apache 774. This allows my PHP applications to access the files, and I assume this is a "good" setting.
Now, my server is connected via Samba to my desktop. If I create a file, it is todd/todd 744, so Apache cannot access them.
If PHP (Apache) creates or modifies a file, it is apache/apache 755, so I cannot access them (Write/Delete).
Is there a way to resolve this? When I FTP to a friend's rent-a-server, I can read/write/delete all of the files I have placed there *and* the same for files touched by PHP (Apache).
My Linux Admin books as well as my Linux books do not appear to cover this and/or my experience is lacking.
Todd
On Tue, 21 Jun 2011, Todd Cary wrote:
Grasping a full understanding of setting default Users, Groups and Masks has eluded me over the years, but now I find myself in a situation where manually "setting" the file/directory attributes is becoming a pain.
I understand the fundamentals of the file attributes, though from time to time I have to review the "sticky bit"; what I do not understand is where/how the attributes are set when a user creates or modifies a file/directory. Here is my situation:
My /var/www/html files have been manually set by me to apache/apache 774. This allows my PHP applications to access the files, and I assume this is a "good" setting.
Now, my server is connected via Samba to my desktop. If I create a file, it is todd/todd 744, so Apache cannot access them.
If PHP (Apache) creates or modifies a file, it is apache/apache 755, so I cannot access them (Write/Delete).
Is there a way to resolve this? When I FTP to a friend's rent-a-server, I can read/write/delete all of the files I have placed there *and* the same for files touched by PHP (Apache).
My Linux Admin books as well as my Linux books do not appear to cover this and/or my experience is lacking.
Either have a group that you're both a member of and have a SGID bit set on the relevant directories using that group, or look at ACLs.
jh
John Hodrien wrote:
On Tue, 21 Jun 2011, Todd Cary wrote:
<snip>
My /var/www/html files have been manually set by me to apache/apache 774. This allows my PHP applications to access the files, and I assume this is a "good" setting.
Now, my server is connected via Samba to my desktop. If I create a file, it is todd/todd 744, so Apache cannot access them.
If PHP (Apache) creates or modifies a file, it is apache/apache 755, so I cannot access them (Write/Delete).
<snip>
Either have a group that you're both a member of and have a SGID bit set on the relevant directories using that group, or look at ACLs.
To expand on John's cmts. I'd make you a member of the apache group - that's usermod -a -G apache todd, making it a secondary group, *not* your personal primary group.
mark
On Jun 21, 2011, at 8:30 AM, m.roth@5-cent.us wrote:
John Hodrien wrote:
On Tue, 21 Jun 2011, Todd Cary wrote:
<snip>
>> My /var/www/html files have been manually set by me to apache/apache 774. This allows my PHP applications to access the files, and I assume this is a "good" setting.
>>
>> Now, my server is connected via Samba to my desktop. If I create a file, it is todd/todd 744, so Apache cannot access them.
>>
>> If PHP (Apache) creates or modifies a file, it is apache/apache 755, so I cannot access them (Write/Delete).
<snip>
> Either have a group that you're both a member of and have a SGID bit set on the relevant directories using that group, or look at ACLs.
To expand on John's cmts. I'd make you a member of the apache group - that's usermod -a -G apache todd, making it a secondary group, *not* your personal primary group.
---- this is what I would do but the apache group would necessarily have write permissions to the directory & files you want to edit.
I would however recommend that all other directories NOT have group write permissions or better yet, be owned by someone else (possibly root:root) as a means of security.
Craig
On 6/21/2011 8:30 AM, m.roth@5-cent.us wrote:
John Hodrien wrote:
On Tue, 21 Jun 2011, Todd Cary wrote:
<snip>
>> My /var/www/html files have been manually set by me to apache/apache 774. This allows my PHP applications to access the files, and I assume this is a "good" setting.
>>
>> Now, my server is connected via Samba to my desktop. If I create a file, it is todd/todd 744, so Apache cannot access them.
>>
>> If PHP (Apache) creates or modifies a file, it is apache/apache 755, so I cannot access them (Write/Delete).
<snip>
> Either have a group that you're both a member of and have a SGID bit set on the relevant directories using that group, or look at ACLs.
To expand on John's cmts. I'd make you a member of the apache group - that's usermod -a -G apache todd, making it a secondary group, *not* your personal primary group.
mark
At this time, todd is a member of the apache group, however apache is setting permissions to 755, so todd cannot write to the files once apache has modified them or created them...or am I missing some salient point?
Todd
On Jun 21, 2011, at 8:51 AM, Todd Cary wrote:
On 6/21/2011 8:30 AM, m.roth@5-cent.us wrote:
John Hodrien wrote:
On Tue, 21 Jun 2011, Todd Cary wrote:
<snip>
>> My /var/www/html files have been manually set by me to apache/apache 774. This allows my PHP applications to access the files, and I assume this is a "good" setting.
>>
>> Now, my server is connected via Samba to my desktop. If I create a file, it is todd/todd 744, so Apache cannot access them.
>>
>> If PHP (Apache) creates or modifies a file, it is apache/apache 755, so I cannot access them (Write/Delete).
<snip>
> Either have a group that you're both a member of and have a SGID bit set on the relevant directories using that group, or look at ACLs.
To expand on John's cmts. I'd make you a member of the apache group - that's usermod -a -G apache todd, making it a secondary group, *not* your personal primary group.
mark
At this time, todd is a member of the apache group, however apache is setting permissions to 755, so todd cannot write to the files once apache has modified them or created them...or am I missing some salient point?
---- yes - make them group writable...
    chmod g+w some_file
    chmod g+w some_subdirectory
    chmod -R g+w some_directory   # subdirectory and all files below
Craig
On Tuesday 21 June 2011 18:27:11 John Hodrien wrote:
On Tue, 21 Jun 2011, Todd Cary wrote:
Grasping a full understanding of setting default Users, Groups and Masks has eluded me over the years, but now I find myself in a situation where manually "setting" the file/directory attributes is becoming a pain.
I understand the fundamentals of the file attributes, though from time to time I have to review the "sticky bit"; what I do not understand is where/how the attributes are set when a user creates or modifies a file/directory. Here is my situation:
My /var/www/html files have been manually set by me to apache/apache 774. This allows my PHP applications to access the files, and I assume this is a "good" setting.
Now, my server is connected via Samba to my desktop. If I create a file, it is todd/todd 744, so Apache cannot access them.
If PHP (Apache) creates or modifies a file, it is apache/apache 755, so I cannot access them (Write/Delete).
Is there a way to resolve this? When I FTP to a friend's rent-a-server, I can read/write/delete all of the files I have placed there *and* the same for files touched by PHP (Apache).
My Linux Admin books as well as my Linux books do not appear to cover this and/or my experience is lacking.
Either have a group that you're both a member of and have a SGID bit set on the relevant directories using that group, or look at ACLs.
jh
Or you can simply start using mod_suphp or suexec for running your php application.
This may not be the best from a security perspective but as you use samba, why not just set it to force the correct user, group and mask setting for that share?
My server at home is set up that way and it works just fine.
-Drew
On 06/21/2011, Todd Cary todd@aristesoftware.com wrote:
Grasping a full understanding of setting default Users, Groups and Masks has eluded me over the years, but now I find myself in a situation where manually "setting" the file/directory attributes is becoming a pain.
I understand the fundamentals of the file attributes, though from time to time I have to review the "sticky bit"; what I do not understand is where/how the attributes are set when a user creates or modifies a file/directory. Here is my situation:
My /var/www/html files have been manually set by me to apache/apache 774. This allows my PHP applications to access the files, and I assume this is a "good" setting.
Now, my server is connected via Samba to my desktop. If I create a file, it is todd/todd 744, so Apache cannot access them.
If PHP (Apache) creates or modifies a file, it is apache/apache 755, so I cannot access them (Write/Delete).
Is there a way to resolve this? When I FTP to a friend's rent-a-server, I can read/write/delete all of the files I have placed there *and* the same for files touched by PHP (Apache).
My Linux Admin books as well as my Linux books do not appear to cover this and/or my experience is lacking.
Todd
-- Ariste Software Petaluma, CA 94952
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On 06/22/2011 01:22 AM, Todd Cary wrote:
Grasping a full understanding of setting default Users, Groups and Masks has eluded me over the years, but now I find myself in a situation where manually "setting" the file/directory attributes is becoming a pain.
I understand the fundamentals of the file attributes, though from time to time I have to review the "sticky bit"; what I do not understand is where/how the attributes are set when a user creates or modifies a file/directory. Here is my situation:
My /var/www/html files have been manually set by me to apache/apache 774. This allows my PHP applications to access the files, and I assume this is a "good" setting.
In your smb.conf file, add the following to the [sharename] section:
    force user = apache
    force create mode = 0774
This should ensure that all files you dump in via samba are always owned by apache with the proper permissions. I do this on servers that never see the internet. If this is insecure, please enlighten me as said servers may one day be made visible to the outside world...
Ak.
Many thanks to you and Drew....I am the only user...
Todd
On 6/21/2011 11:05 PM, Anthony wrote:
On 06/22/2011 01:22 AM, Todd Cary wrote:
Grasping a full understanding of setting default Users, Groups and Masks has eluded me over the years, but now I find myself in a situation where manually "setting" the file/directory attributes is becoming a pain.
I understand the fundamentals of the file attributes, though from time to time I have to review the "sticky bit"; what I do not understand is where/how the attributes are set when a user creates or modifies a file/directory. Here is my situation:
My /var/www/html files have been manually set by me to apache/apache 774. This allows my PHP applications to access the files, and I assume this is a "good" setting.
In your smb.conf file, add the following to the [sharename] section:
    force user = apache
    force create mode = 0774
This should ensure that all files you dump in via samba are always owned by apache with the proper permissions. I do this on servers that never see the internet. If this is insecure, please enlighten me as said servers may one day be made visible to the outside world...
Ak.
On 2011-06-21 17:22, Todd Cary wrote:
Grasping a full understanding of setting default Users, Groups and Masks has eluded me over the years, but now I find myself in a situation where manually "setting" the file/directory attributes is becoming a pain.
I understand the fundamentals of the file attributes, though from time to time I have to review the "sticky bit"; what I do not understand is where/how the attributes are set when a user creates or modifies a file/directory. Here is my situation:
My /var/www/html files have been manually set by me to apache/apache 774. This allows my PHP applications to access the files, and I assume this is a "good" setting.
Now, my server is connected via Samba to my desktop. If I create a file, it is todd/todd 744, so Apache cannot access them.
If PHP (Apache) creates or modifies a file, it is apache/apache 755, so I cannot access them (Write/Delete).
I use a combination of settings in Unix and Samba.
Add yourself to the apache group.
Set the toplevel folder with the SGID bit:
    chgrp apache /the/toplevel
    chmod g+swx /the/toplevel
This makes sure that each file/folder created in that folder will inherit the group writeable bit. When you already have subfolders there, you need to change each subfolder as well, once, to get the permissions of the whole tree correct.
In samba, set up the share with:
    force create mode = 775
    force directory mode = 2775
This makes sure that samba does not remove that group-writable bit again, that was added by the kernel obeying the SGID bit of the parent folder.
And then I only have to struggle with some programs, that think they are smarter, and explicitly remove the group writeable settings.
On 6/24/2011 6:51 AM, Paul Bijnens wrote:
On 2011-06-21 17:22, Todd Cary wrote:
Grasping a full understanding of setting default Users, Groups and Masks has eluded me over the years, but now I find myself in a situation where manually "setting" the file/directory attributes is becoming a pain.
I understand the fundamentals of the file attributes, though from time to time I have to review the "sticky bit"; what I do not understand is where/how the attributes are set when a user creates or modifies a file/directory. Here is my situation:
My /var/www/html files have been manually set by me to apache/apache 774. This allows my PHP applications to access the files, and I assume this is a "good" setting.
Now, my server is connected via Samba to my desktop. If I create a file, it is todd/todd 744, so Apache cannot access them.
If PHP (Apache) creates or modifies a file, it is apache/apache 755, so I cannot access them (Write/Delete).
I use a combination of settings in Unix and Samba.
Add yourself to the apache group.
Set the toplevel folder with the SGID bit:
    chgrp apache /the/toplevel
    chmod g+swx /the/toplevel
This makes sure that each file/folder created in that folder will inherit the group writeable bit. When you already have subfolders there, you need to change each subfolder as well, once, to get the permissions of the whole tree correct.
In samba, set up the share with:
    force create mode = 775
    force directory mode = 2775
This makes sure that samba does not remove that group-writable bit again, that was added by the kernel obeying the SGID bit of the parent folder.
And then I only have to struggle with some programs, that think they are smarter, and explicitly remove the group writeable settings.
Thank you Paul...
Todd
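
Added example, not part of the original thread: a shell demonstration on a scratch directory of the two mechanisms the replies rely on, the SGID bit on the directory and the umask of the creating process. The function names and scratch paths are constructed for illustration, and it assumes Linux with GNU stat (as on CentOS).

```shell
#!/bin/sh
# Added example: SGID directory plus umask, on a throwaway directory.
# Assumes Linux and GNU coreutils (stat -c). All names here are constructed.

# Print the octal mode of a path, e.g. 2775 or 664.
mode_of() { stat -c '%a' "$1"; }

# Build a scratch "shared" directory the way the thread describes:
# group-writable, with the SGID bit set. On the real tree you would
# also chgrp it to the shared group (apache in the thread).
make_shared_dir() {
    d=$(mktemp -d) || return 1
    chmod 2775 "$d"      # rwxrwsr-x: same end state as chmod g+swx on a 755 dir
    printf '%s\n' "$d"
}

# Create a file and a subdirectory in $1 under umask $2.
# Prints "<file mode> <dir mode>".
create_under_umask() {
    (
        umask "$2"
        : > "$1/file_$2"
        mkdir "$1/dir_$2"
        printf '%s %s\n' "$(mode_of "$1/file_$2")" "$(mode_of "$1/dir_$2")"
    )
}

demo() {
    shared=$(make_shared_dir) || return 1
    echo "shared dir mode:    $(mode_of "$shared")"
    # umask 022: group write is stripped at creation time, so other
    # group members cannot edit what this process creates.
    echo "umask 022 file/dir: $(create_under_umask "$shared" 022)"
    # umask 002: group write survives. In both cases the new
    # subdirectory inherits the SGID bit from its parent.
    echo "umask 002 file/dir: $(create_under_umask "$shared" 002)"
    rm -rf "$shared"
}

demo
```

The SGID bit only controls which group new entries get and propagates itself to new subdirectories; whether the group can write is decided by the creating process's umask (or, for Samba, the share's mode settings).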