I do not understand all the fuss with Linux users and groups, nor do I believe I will ever do so, but that is usually alright, as it usually does not affect me. What I cannot do as a regular user I can do as root.
However, I've just been setting up a LAMP server, so that's another story.
I've tried to add myself to group http, and I do believe I've succeeded, so it's a bit confusing as using the groups command without parameters does not list the http group, but with my username as parameter it does. Maybe I need to restart? (that would be weird)
In any case my user does not have permissions to change stuff in /srv/http - permission denied.
Anyway, I've always had this problem in the past, and I would very much like to know once and for all how it's supposed to be done. Doing everything as root after all isn't very wise.
Best regards.
Last edited by zacariaz (2012-02-15 23:33:41)
I am a philosopher, of sorts, not a troll or an imbecile.
My apologies that this is not always obvious, despite my best efforts.
Offline
I realize that this may be a noob question, but I still haven't been able to figure it out, so some help would be appreciated.
As described in the lamp wiki, a user named http has been created and likewise a group. I want to be able to create and edit content in /srv/http/ without having to do so as root. Nothing more, nothing less.
Best regards.
I am a philosopher, of sorts, not a troll or an imbecile.
My apologies that this is not always obvious, despite my best efforts.
Offline
Let's do some sanity checks. (In general, you're better off giving the exact commands you use, and the exact output you receive, than attempting to narrate your problem.)
This will return your current groups, except for your user's group:
groups | sed 's| |\n|g' | grep -v $(whoami)
This will return a list of all installed groups on the system:
awk -F':' '{print $1}' /etc/group
This will display the permissions and ownership for /srv/http:
ls -al /srv/http
Offline
I think you should take the time to get your head around it. Here is a good article which helped me a lot:
A Day in the Life of #Apache - Setting Up File Permissions on Unix
There are different ways to do this, but as far as I understand it the following is a fairly secure setup:
Generally, grant write access to a user (or group) editing the content, and allow apache read-only access via the "other" bit.
For files/directories which require write access by apache, change group to the apache user and give up all permissions but read write (execute) for the apache group.
It also depends on what content you serve, e.g. for a simple site apache would not need (and should never have) write access at all.
Directories need the execute bit to be accessible. You can change file and directory permissions recursively by running these commands from the http root (!!! be careful, it will change permissions for everything down the current path):
# find . -type f -exec chmod XXX {} \;
# find . -type d -exec chmod XXX {} \;
Offline
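The layout described above (the owner writes, the web server reads through the "other" bits), as an added example that is not part of the thread. It assumes 644 for files and 755 for directories in place of the XXX placeholders; the function names and the temporary tree are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. 644 and 755 are assumed values for XXX.

# normalize_docroot DIR: files become rw-r--r--, directories rwxr-xr-x.
normalize_docroot() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 1; }
    # "{} +" hands many paths to each chmod call. find passes the names as
    # arguments, so spaces in file names need no special handling.
    find "$1" -type d -exec chmod 755 {} + &&
    find "$1" -type f -exec chmod 644 {} +
}

# audit_docroot DIR: print every entry that group or other may write to.
# Symlinks are skipped; their own mode bits carry no meaning on Linux.
audit_docroot() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -print
}

# count_writable DIR: how many entries audit_docroot would report
# (one dot per match, so odd file names cannot skew the count).
count_writable() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -exec printf . \; |
        wc -c | tr -d ' '
}

# Constructed sample tree in a temporary directory.
demo=$(mktemp -d)
mkdir -p "$demo/site/up loads"
echo '<?php echo "hi";' > "$demo/site/index.php"
chmod 777 "$demo/site/up loads"
chmod 666 "$demo/site/index.php"

echo "before: $(count_writable "$demo/site") writable by group/other"
audit_docroot "$demo/site"
normalize_docroot "$demo/site"
echo "after:  $(count_writable "$demo/site") writable by group/other"
rm -rf "$demo"
```

Running the audit again after a deployment or an application install shows whether anything has become writable by group or other since the last normalisation.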
# find . -type f -exec chmod XXX {} \;
# find . -type d -exec chmod XXX {} \;
Is there a reason one should use exec instead of xargs in this situation? Sometimes I am dealing with tens of thousands of files, and
find /var/www -type f -print0 | xargs -0 chmod 644
is about a magnitude faster than the exec alternative. Thank you for the clarification!
Offline
Frankly, I just copied that from somewhere when I set up my webserver - so I guess there is no reason to use exec over xargs.
In other words - I have no idea.
Last edited by hokasch (2012-02-15 22:33:29)
Offline
@/dev/zero
First command outputs, as expected:
wheel
http
games
video
audio
optical
storage
power
users
Second:
root
bin
daemon
sys
adm
tty
disk
lp
mem
kmem
wheel
ftp
mail
uucp
log
utmp
locate
rfkill
smmsp
http
games
network
video
audio
optical
floppy
storage
scanner
power
nobody
users
dbus
avahi
camera
mysql
vboxusers
And thirdly:
total 12
drwxr-xr-x 2 root root 4096 Feb 14 23:40 .
drwxr-xr-x 4 root root 4096 Dec 19 18:44 ..
-rw-r--r-- 1 root root 34 Feb 14 23:30 index.php (not important, just for testing purposes)
I can't say that I fully understand what all this means, except it seems that /srv/http is owned by root, which I don't quite understand.
@hokasch
I agree and I've tried, but somehow I always seem to fail to achieve a greater understanding. Of course I'll make sure to take a look at the link. Much appreciated.
At this point I should probably point out that this is only supposed to be a local development environment, in case that makes any difference.
All in all, the most important part of this is to get an answer as to how this is supposed to work, as it's not the first time I've been confused about this. Usually I just end up doing everything as root, but would be nice to be able to do it the right way, whatever that is.
Best regards.
I am a philosopher, of sorts, not a troll or an imbecile.
My apologies that this is not always obvious, despite my best efforts.
Offline
hokasch wrote:
# find . -type f -exec chmod XXX {} \;
# find . -type d -exec chmod XXX {} \;
Is there a reason one should use exec instead of xargs in this situation? Sometimes I am dealing with tens of thousands of files, and
find /var/www -type f -print0 | xargs -0 chmod 644
is about a magnitude faster than the exec alternative. Thank you for the clarification!
This is a bit of a digression, but you can speed up find in these cases by terminating it with a "+" instead of a "\;", like so:
find . -type f -exec chmod XXX {} +
This will collect all the files first and then pass them into exec all at once, like xargs.
Now back to our regular programming ...
zacariaz, first of all, please familiarise yourself with bbcode and use code blocks, like this.
drwxr-xr-x 2 root root 4096 Feb 14 23:40 .
drwxr-xr-x 4 root root 4096 Dec 19 18:44 ..
-rw-r--r-- 1 root root 34 Feb 14 23:30 index.php
Here is your problem. Everything in here is owned by root and no one else has permission to modify anything. I suggest giving the directory and its contents to the http group, and making the directory and its contents writable by the http group. I think after that, since your user is in the http group, you will be able to edit files just as yourself, without needing to su or sudo.
Explicitly,
sudo chgrp --recursive http /srv/http
sudo chmod --recursive g+w /srv/http
If you run these commands and then run "ls -al /srv/http" again, it should look like this:
drwxrwxr-x 2 root http 4096 Feb 14 23:40 .
drwxr-xr-x 4 root root 4096 Dec 19 18:44 ..
-rw-rw-r-- 1 root http 34 Feb 14 23:30 index.php
Then test to see whether you can do what you want.
Offline
Well it seems to do the trick, though I'm not quite sure how.
I tried changing the group myself, which did nothing. Suppose I missed write permissions for group. I honestly doubt I'll ever get used to this way of doing things (which is very bad, I know).
Anyway, it works, so thanks a bunch.
I do apologize for not using code boxes. I usually do though.
I am a philosopher, of sorts, not a troll or an imbecile.
My apologies that this is not always obvious, despite my best efforts.
Offline
I suggest giving the directory and its contents to the http group, and making the directory and its contents writable by the http group.
That certainly works, however you have to change group for every new file and apache/http has write access. If your normal user owns everything in the document root, apache can still access it via the default's umask read only "other" bit.
Offline
I suggest giving the directory and its contents to the http group, and making the directory and its contents writable by the http group.
That certainly works, however you have to change group for every new file and apache/http has write access. If your normal user owns everything in the document root, apache can still access it via the default's umask read only "other" bit.
Could you give an example? I'm having trouble seeing how you're raising a problem. For example, consider this, starting in some "safe" directory like /tmp, with user named "me":
mkdir testing
sudo chown root:http testing
sudo chmod g+w testing
touch testing/a
mkdir testing/b
Running "ls -al testing" then gives:
drwxrwxr-x 3 root http 80 Feb 16 20:31 .
drwxrwxrwt 15 root root 340 Feb 16 20:23 ..
-rw-r--r-- 1 me me 0 Feb 16 20:28 a
drwxr-xr-x 2 me me 40 Feb 16 20:31 b
Or do you mean when you have some script triggered by php, the script will not have permission to output within the same directory?
Offline
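In the listing above, a and b end up with the creating user's own group and no group write bit. The following is an added example, not from the thread, of a setgid directory combined with umask 002, which makes new entries take the directory's group and stay group-writable. The helper names and the temporary directory are assumptions, and the demonstration uses the caller's primary group where the thread would use http.

```shell
#!/bin/sh
# Added example, not from the thread. Helper names are hypothetical; on the
# thread's machine GROUP would be http and DIR would be /srv/http.

# share_dir DIR GROUP: give DIR to GROUP with mode 2775. The leading 2 is the
# setgid bit: entries created inside take DIR's group instead of the
# creator's primary group, and new subdirectories inherit the bit (Linux).
share_dir() {
    chgrp "$2" "$1" && chmod 2775 "$1"
}

# create_as_editor DIR: create a file and a subdirectory under umask 002,
# so both stay group-writable. The ( ) body keeps the umask change local.
create_as_editor() (
    umask 002
    : > "$1/page.html"
    mkdir "$1/assets"
)

# gid_of PATH: numeric group id of PATH (fourth field of ls -ldn).
gid_of() {
    ls -ldn "$1" | awk '{print $4}'
}

# Constructed demo in a temporary directory, using the caller's own primary
# group so it runs without root; a real setup would pass http instead.
demo=$(mktemp -d)
mkdir "$demo/docroot"
share_dir "$demo/docroot" "$(id -g)"
create_as_editor "$demo/docroot"
ls -ln "$demo/docroot"
ls -ldn "$demo/docroot"
rm -rf "$demo"
```

With http as the group, the web server process gains the same write access as the editing users, which is the trade-off hokasch raises in this thread.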
That certainly works, however you have to change group for every new file and apache/http has write access.
My bad - the above is rubbish. If you change group for document root to http and your user is in that group (like you suggested), of course your user can create files there.
About the write access for apache user, no idea how much of a problem it could be (I am in no way an experienced web server admin), but since locking it down to read-only is just as easy I preferred that solution. When I first looked into apache I was setting up Drupal, and it was basically a black box full of php to me. So it seemed good practice not to allow apache more permissions than needed.
Offline