choosing a group for web development work on /htdocs layer

wolfdogg · 2011-05-30 01:29:59

i am trying to workout a good solution for setting groups:users for my local testing development server which is accessed via the LAN.

initially i created a group called 'dev' ,and added myself to that group, then chowned my /path/to/htdocs subfiles to group dev.

my idea was to make the entire /path/to/htdocs and below recursively to the dev group

does anybody have a good way to do this?

i noticed one topic a user makes a group for 'apache' for the app itself, not sure how that panned out.

Last edited by wolfdogg (2011-06-03 21:19:44)

yungtrizzle · 2011-06-06 02:18:55

Your on the right path, now all you have to do is make sure your normal user has write permissions in the group. You didn't need to create a new group though, apache automatically creates a group called nobody (or http not quite sure which it is)

ghen · 2011-06-06 08:51:17

You don't want the webserver (apache) itself to be able to write to those files, do you? Just the developers, which is why you want to put them in a dedicated group, and give write access to that group.

If you are the only developer, you could just make your own user the owner of all files.

"chown -R" is the way to change ownership recursively for a complete directory tree.

wolfdogg · 2011-06-13 23:00:02

no, i dont want apache to write to them, just my IDE apps. i didnt really want to use my username group, thats the way it is now. i was opting for a more "anal" approach where it had its own group, so i could troubleshoot file permissions easier, by looking at them if they have a problem and determining if they were assigned to the appropriate group as an easy way to check the permissions. is that lame to do it that way?

i was also thinking that in the future, if i had a 2nd user added, such as my wife, or if i borked my user up, it MIGHT be easier to repair upon reinstall, etc..

Last edited by wolfdogg (2011-06-13 23:02:00)

dswann · 2011-06-14 12:40:55

yungtrizzle wrote:

Your on the right path, now all you have to do is make sure your normal user has write permissions in the group. You didn't need to create a new group though, apache automatically creates a group called nobody (or http not quite sure which it is)

apache is http, samba uses nobody (guest)

wolfdogg · 2011-06-14 18:14:25

yes, but im not referring to niether apache, or samba. im referring to my personal web application files that are located inside an /htdocs directory only. i want to give only /htdocs and all its child files and sub folders this group.

i edit/write/delete them via the local machine, as well as from other machines via the ftp over the lan. there are times when i get permission errors, for example my app kicks back an error saying it cant write to the php_error_log, or there has been times when i try to upload a file over the lan via ftp but i get kicked back a permission error because the file already exists. i would like to chown -R the entire htdocs directory again to solve it. but in this case, rather than use my uname, i was asking about the feasibility of using a group instead of a uname for the permissions since i do regular backups of this /htdocs directory and i dont want to have to chown this directory in the future over and over should the username change, i would just rather add a new user to the group instead. i chose the name 'dev for the group, however coming from a windows background that sounds great and perfect, but i see that dev in linux terms actually means 'device' so maybe there is a better name for this group.

either way, is this even a wise idea to set the permissions to the /htdocs directory to a new group and add all permissible users to this group? sorry for not being more clear in the first post.

Last edited by wolfdogg (2011-06-14 18:22:28)

wolfdogg · 2011-06-18 22:04:32

ok, heres an example of another problem

ERRNO: 256
TEXT: Smarty error: unable to write to $compile_dir '/srv/http/public_html/demos/ecommerce1/presentation/templates_c'. Be sure $compile_dir is writable by the web server user.

so my app isnt able to write to this directory called templates_c

i had the doc root sub folders and files set to myuser:users recursively, but that doesnt solve all the problems. so i reset all the privileges yet again, i chowned the /srv/http/ contents to what i think is more appropriate [myuser:http] recursively

i looked up and included my user list below. what is the group '33' in the http? what is all the numbers?

heres the list;

root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin
adm:x:4:root,daemon
tty:x:5:
disk:x:6:root
lp:x:7:daemon,wolfdogg
mem:x:8:
kmem:x:9:
wheel:x:10:root,wolfdogg
ftp:x:11:
mail:x:12:
uucp:x:14:
log:x:19:root
locate:x:21:
rfkill:x:24:
smmsp:x:25:
http:x:33:wolfdogg
games:x:50:wolfdogg
network:x:90:wolfdogg
video:x:91:wolfdogg
audio:x:92:wolfdogg
optical:x:93:wolfdogg
floppy:x:94:
storage:x:95:wolfdogg
scanner:x:96:wolfdogg
power:x:98:wolfdogg
nobody:x:99:
users:x:100:
dbus:x:81:
utmp:x:20:
mysql:x:89:
kdm:x:135:
avahi:x:84:
camera:x:97:wolfdogg
dev:x:1000:wolfdogg

while this didnt completely solve the problem, i chmod'ed the templates_c directory to 771 to get it to work. 711 didnt work. so its obviously the 'http' group, which is apparently apache, thats doing the writes. while this is obvious in hindsight, its was hard to reach this point.

would we say that i have it setup properly now?

Last edited by wolfdogg (2011-06-18 23:21:16)

rwd · 2011-06-21 10:20:44

Your question is stated rather confusingly imo. Can you explain in a few sentences examples where the default permissions are a problem, and what the overall goal is you want to achieve?

You might also look into 'setgid' (for setting the default group of new files/folders), 'sticky bit' (to control who may delete a folder and its contents), and 'umask' (setting default permissions of new files/folders).

Last edited by rwd (2011-06-21 10:41:51)

wolfdogg · 2011-06-21 20:52:32

i cant even remember what the default persmissions were honestly. i installed the server manually, and i was having permission errors. after my first adjustment it was working for a while, then i ran into problems. this happened a few times since with my new adjustments, so i redid them.

what im trying to do is set the permissions proper in /srv/http which is the apache hosted directory. it seems its working now like this

the /srv/http/ dir

drwxrwxr-- 6 root http 4096 Jun 17 17:45 http

and the contents

-rw-rw-r-- 1 wolfdogg http 0 Jun 17 17:45 access_log
-rw-rw-r-- 1 wolfdogg http 4997 Jun 21 01:30 apache_error_log
drwxrwxr-- 2 wolfdogg http 4096 Jun 20 15:25 configs
-rw-rwxr-- 1 wolfdogg http 20 Jun 20 15:14 index.php
drwxrwxr-- 8 wolfdogg http 4096 Jun 18 02:39 libs
drwxrwxr-- 2 wolfdogg http 4096 Jun 17 16:51 logs
lrwxrwxrwx 1 wolfdogg http 15 Jun 2 22:21 pear -> /usr/share/pear
-rw-rw-r-- 1 wolfdogg http 5233 Jun 21 02:58 php_error_log
lrwxrwxrwx 1 wolfdogg http 29 Jun 2 16:25 phpmyadmin -> /usr/share/webapps/phpMyAdmin
drwxrwxr-- 17 wolfdogg http 4096 Jun 18 03:05 public_html

there is really 2 requirements that i see so far, and the 3rd just an idea i thought would make things easier in the future.

1. apache needs to write to the files

2. i need to be able to upload and overwrite the files via ftp, from either the local machine, or from another machine on the LAN (yes ftp from the local too, i share my workspace for the IDE)

3. i wanted to use a 'dev' group for my personal user permissions, instead of my user name initially, this way in the case another user wants to access the files all that would have to be done is to add them to that group. (how does this translate? root:dev? and set my username to dev grpup, as well as apache to dev group? in that case i could just set my user to the http group instead i would expect this is the easiest. )

Last edited by wolfdogg (2011-06-21 20:57:21)

rwd · 2011-06-21 22:37:06

Giving apache write access to directories with executable code (i.e. scripts) generally isn't a good idea because a hacker might manage to overwrite them by exploiting bugs in web applications.

For a dev server not connected to the internet that might not be a problem, so you could make everything in /srv/http/ writable for the owning group (http), and make all users who need write access in /srv/http/ a member of that group. In your case that would be the user under which apache runs, and the user under which the ftp server runs (i presume user 'ftp'?), as well as all developers.

To make sure that all files/directories that are created in /srv/http/ get the same default group as the folder containing them (http), and not the group of the user creating them, you can use setgid by 'chmod g+s foldername', or to set it for all folders:

sudo find /srv/http/* -type d  -print0 | xargs --null chmod g+s

But you can use any user/group scheme you find logical. This is just one way to do it. For example on my server apache runs as user 'apache', and the contents of /srv/http are owned by root:http with read access for everyone. This way I can give apache read access only, and give specific users write access by making them member of group http. Only a few specific directories that apache needs to write to, such as cache/upload/settings folders are set to apache:apache.

Last edited by rwd (2011-06-22 14:24:23)

zenlord · 2011-06-22 11:39:56

Interesting question, and I have a problem with apache permissions also (but that I will post in another thread).

I would like to add another possible answer to this problem: ACL's. I don't know much about it, but there must be a reason why they still exist if sticky bits etc. serve the same purpose. I was told that they make it possible to offer a more fine-grained control over the permissions, and just maybe this is a solution for you.

Arch Linux

#1 2011-05-30 01:29:59

choosing a group for web development work on /htdocs layer

#2 2011-06-06 02:18:55

Re: choosing a group for web development work on /htdocs layer

#3 2011-06-06 08:51:17

Re: choosing a group for web development work on /htdocs layer

#4 2011-06-13 23:00:02

Re: choosing a group for web development work on /htdocs layer

#5 2011-06-14 12:40:55

Re: choosing a group for web development work on /htdocs layer

#6 2011-06-14 18:14:25

Re: choosing a group for web development work on /htdocs layer

#7 2011-06-18 22:04:32

Re: choosing a group for web development work on /htdocs layer

#8 2011-06-21 10:20:44

Re: choosing a group for web development work on /htdocs layer

#9 2011-06-21 20:52:32

Re: choosing a group for web development work on /htdocs layer

#10 2011-06-21 22:37:06

Re: choosing a group for web development work on /htdocs layer

#11 2011-06-22 11:39:56

Re: choosing a group for web development work on /htdocs layer

Board footer