Hello, I have a perplexing permissions problem that I thought I had, but it's resurfaced. I'm running CentOS 5.3 and it runs an Apache web server. The permissions on the web data directory, in this case /var/www/secure/data, are set to 4775, owner of apache, group of webdev. All users that should be allowed to place content are in the webdev group. I was under the impression that any file then placed in that directory would have an owner of apache and a group of webdev, permissions of 664. Whenever a locally logged-on user adds content, permissions are set to 664, but owner and group membership are those of the user who added the files, not apache and webdev. The issue is further compounded when a user logs in via ftp and adds files or folders. They are owned by the ftp user and group. Any assistance appreciated. Thanks. Dave.
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Am assuming these users are in the webdev group, but 'webdev' is not their primary group. Can you try using the set-gid bit on the affected directory ( /var/www/secure/data/ ) to force the group ownership of objects created there to have the same group ID as the directory, viz:
    chgrp webdev /var/www/secure/data/
    chmod g+s /var/www/secure/data/
From your text, it appears you have objects getting created with appropriate group write permissions. -Alan
Hi, Thanks for your reply. The set group id bit solved the issue of the permissions issue. My problem now is that ftp users who upload content are virtual. They run under the pure-ftpd user, which is ftpuser; with set group id on that user can't write files to the data area. I have added ftpuser to the webdev group. Thanks. Dave.
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Alan Sparks Sent: Friday, September 04, 2009 11:14 AM To: CentOS mailing list Subject: Re: [CentOS] perplexing permissions issue
Hi,
On Fri, Sep 4, 2009 at 11:03, Dave <dave.mehler@gmail.com> wrote:
> I'm running CentOS 5.3 and it runs an apache web server. The permissions on the web data directory in this case /var/www/secure/data are set to 4775 owner of apache group of webdev.
I believe what you want is 2775, the first "2" is the set-gid group, it will make files created in that directory inherit that group.
> I was under the impression that any file then placed in that directory would have an owner of apache and a group of webdev
No, that's not how that works... You cannot force the user ownership of a file to change, only the group ownership. The set-uid bit on a directory doesn't do anything (AFAIK), only the set-gid bit has the effect of making files created in that directory inherit that group.
> permissions of 664.
That is actually controlled by the "umask", which is set by each user/program. In RHEL/CentOS, if your primary group matches your username, your umask will be set to 002, which is the one that will create files with 664 permissions, which is the one you want.
> content permissions are set to 664 but owner and group membership are that of the user who added the files not apache and webdev. The issue is further compounded when a user logs in via ftp and adds files or folders. They are owned by the ftp user and group.
Fix the directory permissions from 4775 to 2775 and the group of files will be set to "webdev" as you want them to.
Make sure the umask will be 002 (you might have to configure that on your FTP server too) and files will be writable by any member of group "webdev", so although the files won't all have the same owner, they will all be writable by any other members of that same group.
HTH, Filipe
Hi, Thanks for your reply. Your suggestion did it, along with changing the umask value for the ftp server; it had to be set to 113:002 rather than 133:002. I hope this finally solves the issue. Thanks everyone for your help. Dave.
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Filipe Brandenburger Sent: Friday, September 04, 2009 11:33 AM To: CentOS mailing list Subject: Re: [CentOS] perplexing permissions issue
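As an added example (not part of the original thread), the script below audits a shared upload tree for the conditions the replies above discuss: set-gid on directories, a stray set-uid bit, group ownership, and group write permission on uploaded files. The function names `audit_shared_dir` and `demo` and the throwaway demo tree are assumptions made for illustration; it assumes GNU find, stat and chmod.

```bash
# audit_shared_dir DIR GROUP   (hypothetical helper, added for illustration)
# Prints one line per problem under DIR; returns 1 if any were found, else 0.
#   NOSGID  directory lacks set-gid (2xxx): new entries keep the creator's group
#   SUID    directory carries set-uid (4xxx): no effect on Linux directories
#   GROUP   entry does not belong to GROUP
#   NOGW    file or directory is not group-writable (creator's umask too strict)
audit_shared_dir() {
    local dir="$1" group="$2" out
    out=$(
        find "$dir" -type d ! -perm -2000 -printf 'NOSGID %m %p\n'
        find "$dir" -type d -perm -4000 -printf 'SUID %m %p\n'
        find "$dir" ! -group "$group" -printf 'GROUP %g %p\n'
        find "$dir" \( -type f -o -type d \) ! -perm -0020 -printf 'NOGW %m %p\n'
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed demo: a throwaway tree set up with the mistaken 4775 and a
# 133 file umask, audited, then corrected to set-gid with a 113 file umask.
demo() {
    local root grp
    root=$(mktemp -d) || return 1
    mkdir "$root/data"
    grp=$(stat -c %g "$root/data")     # stand-in for the "webdev" group
    chmod 4775 "$root/data"
    ( umask 133; : > "$root/data/upload1.html" )   # created as 644
    echo "--- before ---"
    audit_shared_dir "$root/data" "$grp" || true
    # Symbolic form on purpose: with current GNU chmod a 4-digit numeric
    # mode does not clear an existing set-uid bit on a directory.
    chmod u-s,g+s "$root/data"
    chmod g+w "$root/data/upload1.html"            # repair the earlier upload
    ( umask 113; : > "$root/data/upload2.html" )   # created as 664
    echo "--- after ---"
    audit_shared_dir "$root/data" "$grp" && echo "clean"
    rm -rf "$root"
}

demo
```

On a real tree the call would be `audit_shared_dir /var/www/secure/data webdev`; files reported as NOGW point at an uploader whose file umask still masks the group write bit.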