#1 2013-05-22 15:18:48

AJCR
Member
Registered: 2012-12-14
Posts: 14

Having a hard time with permissions to create dir and files in www

Having a hard time getting permissions to create directories and files in www folder:

I followed the following guide here: https://www.digitalocean.com/community/ … arch-linux and here: https://www.digitalocean.com/community/ … arch-linux

So now I have a LEMP stack which runs fine and I have my root account secured and a new username "adriano". If I SFTP into the server using the username adriano, I am unable to create any files or directories. Trying to do a simple wordpress install doesn't work because I need to be able to create a folder for it, and a wp-config.php file. Both of which, like I mentioned, I do not have permissions to do. Yes, the username "adriano" has been added to the sudoers file via visudo.

I've never been very good at UNIX permissions so I was wondering if maybe someone can help me out?

Also, since I am using nginx it does not seem like I have a www-data group or user and my www folder is /usr/share/nginx/

Thank you,
AJ

Offline

#2 2013-05-22 15:22:03

WonderWoofy
Member
From: Los Gatos, CA
Registered: 2012-05-19
Posts: 8,414

Re: Having a hard time with permissions to create dir and files in www

Why not just change users with "su".  Just type "su" and it will ask for the root password.  Either that, or if you are part of the sudoers file and specified group, you should be able to use "sudo su" to elevate your status on the machine.

Offline

#3 2013-05-22 15:57:57

gsgleason
Member
Registered: 2012-10-08
Posts: 71

Re: Having a hard time with permissions to create dir and files in www

You could use an acl to allow that user to read/write/execute to the document root for the web server, whatever that may be.

as root:
setfacl -m u:adriano:rwx /path/to/www/docroot

Offline

#4 2013-05-22 16:39:29

drcouzelis
Member
From: Connecticut, USA
Registered: 2009-11-09
Posts: 4,092
Website

Re: Having a hard time with permissions to create dir and files in www

AJCR wrote:

Having a hard time getting permissions to create directories and files in www folder.

So now I have a LEMP stack which runs fine and I have my root account secured and a new username "adriano". If I SFTP into the server using the username adriano, I am unable to create any files or directories. Trying to do a simple wordpress install doesn't work because I need to be able to create a folder for it, and a wp-config.php file. Both of which, like I mentioned, I do not have permissions to do. Yes, the username "adriano" has been added to the sudoers file via visudo.

I've never been very good at UNIX permissions so I was wondering if maybe someone can help me out?

You can learn about file permissions in the Arch Linux wiki: https://wiki.archlinux.org/index.php/Fi … Attributes

Do you know about and understand the "su" and "sudo" commands?

gsgleason wrote:

You could use an acl to allow that user to read/write/execute to the document root for the web server, whatever that may be.

AAAAAHHHH! ACL scares me so much, and, in my opinion, is WAY overkill for the OP's simple question.

Last edited by drcouzelis (2013-05-22 16:46:51)

Offline

#5 2013-05-22 17:34:24

WonderWoofy
Member
From: Los Gatos, CA
Registered: 2012-05-19
Posts: 8,414

Re: Having a hard time with permissions to create dir and files in www

drcouzelis wrote:

AAAAAHHHH! ACL scares me so much, and, in my opinion, is WAY overkill for the OP's simple question.

I agree that this is waaaayyy overkill for what the OP is asking.  The OP indicated that his/her *nix permissions skills were not so good.  So suggesting the most complex part of *nix permissions is probably not the way to go.  It is better to start with the basics I think.

Offline

#6 2013-05-22 18:09:09

AJCR
Member
Registered: 2012-12-14
Posts: 14

Re: Having a hard time with permissions to create dir and files in www

Well, you guys are awesome for being so helpful. The ACL method worked. I added -R to the command to recurse into two subdirectories inside the docroot. All in all, I now have permissions to properly edit/create files and directories. Thank you very much, gsgleason. Also, I didn't really understand what WonderWoofy said by:

Why not just change users with "su".  Just type "su" and it will ask for the root password.  Either that, or if you are part of the sudoers file and specified group, you should be able to use "sudo su" to elevate your status on the machine.

If I'm not mistaken this isn't really possible in FileZilla. The main issue I was having is that I was SFTP-ing into the server through filezilla so I could manipulate some files and upload the wordpress install package. However, it seemed like only ROOT had rights to do anything inside of those folders so that's why I needed to execute that ACL command.

However, I am not sure this is server "best practices", is it? What would be the so-called "best practices"? Should my adriano username have rights to the folders like it has now after that ACL command? Who should own the web directory? Who should and shouldn't have rights to read/write in those directories, etc?

Regardless, thank you so much for the help.

Offline

#7 2013-05-22 18:15:01

WonderWoofy
Member
From: Los Gatos, CA
Registered: 2012-05-19
Posts: 8,414

Re: Having a hard time with permissions to create dir and files in www

You didn't mention anything about filezilla.  That changes things entirely.  I am not actually familiar with filezilla, as I just use the command line, but I would have to imagine that there are some things that are different when using that as the client.  There is also a difference between using /usr/lib/ssh/sftp-server and the internal-sftp function, as the internal doesn't have quite as much functionality I believe.

I think that if your adriano is going to be the administrator of that www directory, you should create a group to give yourself access to that directory.  Just create the group, put yourself into it, then recursively chgrp the /srv/www/ directory with that group.  Oh and then of course give the group full rwx permissions.

Offline
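The group-based setup described in post #7, written out as an added example (not code posted by anyone in this thread). The group name "webedit" and the function names are assumptions, and the setgid step and the audit go beyond what the post describes:

```shell
#!/bin/sh
# One-time steps as root (group name "webedit" is an assumption):
#   groupadd webedit
#   gpasswd -a adriano webedit   # takes effect at adriano's next login

# grant_group_write DOCROOT GROUP
# Hands the tree to GROUP, gives the group write access, and sets the
# setgid bit on directories so files uploaded later inherit GROUP.
grant_group_write() {
    docroot=$1 group=$2
    chgrp -R "$group" "$docroot" || return 1
    # Capital X adds execute/search only on directories (and on files that
    # are already executable), so uploaded .php files stay non-executable.
    # o-w removes any world-writable bit left over from earlier attempts.
    chmod -R g+rwX,o-w "$docroot" || return 1
    find "$docroot" -type d -exec chmod g+s {} +
}

# audit_docroot DOCROOT GROUP
# Prints every entry that is world-writable, not owned by GROUP, or a
# directory lacking setgid + group rwx. Returns 0 only if nothing is found.
audit_docroot() {
    docroot=$1 group=$2
    bad=$(
        find "$docroot" ! -type l -perm -0002 -print
        find "$docroot" ! -group "$group" -print
        find "$docroot" -type d ! -perm -2070 -print
    )
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad" | sort -u
    return 1
}

# Usage as root, with the docroot path mentioned in the thread:
#   grant_group_write /usr/share/nginx webedit
#   audit_docroot     /usr/share/nginx webedit
```

Running audit_docroot again after later uploads shows whether anything has drifted from the intended group and mode.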

#8 2013-05-22 18:23:44

AJCR
Member
Registered: 2012-12-14
Posts: 14

Re: Having a hard time with permissions to create dir and files in www

I apologize, you're right. For some reason I assumed that when I mentioned that I SFTPed into the account to edit some files you guys would have known what I meant. Should have been more detailed. Well, yeah. That's what I am trying to do. If I go through with what you said above should I somehow first revert the changes that ACL made? (I don't know how to do that.) And should this new group name have a specific name?

P.s. As some of you might be able to tell, I am a bit of a noob when it comes to server things and permissions. I have been using arch for years and ubuntu a few years before and I have rarely ever needed to do anything involving permissions and when I did, it was copy and paste commands.

Thanks!

Offline

#9 2013-05-22 18:55:28

WonderWoofy
Member
From: Los Gatos, CA
Registered: 2012-05-19
Posts: 8,414

Re: Having a hard time with permissions to create dir and files in www

I don't think you'll have to undo the ACL, as it will just enure access on top of access that you are already granted.

When you say that you SFTPed into the account, yes I knew what you were talking about, but I assumed (since you didn't specify) that you were using the native sftp tools that are included with openssh.

BTW, you should probably not get into the habit of blindly copy and pasting things when you don't understand what they do.  Not only is this dangerous, but as you can now see, you now have made a change that you don't necessarily know how to undo.

Offline

#10 2013-05-22 19:50:05

drcouzelis
Member
From: Connecticut, USA
Registered: 2009-11-09
Posts: 4,092
Website

Re: Having a hard time with permissions to create dir and files in www

WonderWoofy wrote:

BTW, you should probably not get into the habit of blindly copy and pasting things when you don't understand what they do.

I, too, want to add a little warning: As far as I can tell, you are creating a public website and SSH server and, by your own confession, you do not understand security. If that is the case, please consider studying and learning more about security before the hordes of hackers come knocking on your server. I have a website and SSH server myself, and even though I studied security quite a bit I'm still uncomfortable with my level of knowledge.

So, for clarification: Are you the owner of the server you are working on? In other words, do you have the root password for the server?

AJCR wrote:

The main issue I was having is that I was SFTP-ing into the server through filezilla so I could manipulate some files and upload the wordpress install package. However, it seemed like only ROOT had rights to do anything inside of those folders so that's why I needed to execute that ACL command.

Log in using SSH, become root, change the permissions on the directory, and then use SFTP.

Offline

#11 2013-05-23 02:49:24

AJCR
Member
Registered: 2012-12-14
Posts: 14

Re: Having a hard time with permissions to create dir and files in www

No, no, you guys misunderstand me. I am not that much of an oblivious person. 95% of the time I understand EXACTLY what the code that I am copying and pasting does. And when I don't, I look into it further before executing said commands. I just tend to not remember commands so I google them, see examples, and then copy and paste them to avoid the busy work of typing out long strings. For example, it took me like 6 months to remember that to untar a .tar.gz file it was -xvfz.

But I digress. drcouzelis, I do have root access. It's my own VPS. However, I have always used shared hosting through different hosting providers and now that I got a VPS and have to do everything myself, I am a little bit lost.

I followed what wonderwoofy said and created a www-data group, added the adriano user to said group, and changed the owner of my http server root to www-data, and I SFTPed into the server again with filezilla and it still works perfectly. However, those "hordes of hackers" drcouzelis warned me about does not sound pleasant so I am really really really hoping one of you guys can tell me the next steps. Root login is disabled in the /etc/ssh/sshd_config file, and I also changed the port to a random port I created. My web files are all served from /usr/share/nginx/ (there are different folders in there that correspond to different domains.) Now what I am wondering is that if user "adriano" is in the sudoers file as ALL=(ALL) ALL, doesn't that pretty much make adriano the same as the root user? The reason why I am so worried about this is because I heard/read countless times that working through the root user is BADDDDDDDDDD and will bring evil and shame upon your life (not in those exact words) and that you should never work with it. Also, do I have to worry about anything dealing with groups and/or users and/or permissions when it comes to PHP? I have php-fpm installed.

I am willing to buy anyone who can help me out with this a beer or two and I will be forever in your debt.

Thank you,
AJ

Last edited by AJCR (2013-05-23 02:52:03)

Offline

#12 2013-05-23 12:41:24

qinohe
Member
From: Netherlands
Registered: 2012-06-20
Posts: 1,498

Re: Having a hard time with permissions to create dir and files in www

However, those "hordes of hackers" drcouzelis warned me about does not sound pleasant so I am really really really hoping one of you guys can tell me the next steps. Root login is disabled in the /etc/ssh/sshd_config file, and I also changed the port to a random port I created

Oh my, this is one of those questions almost impossible to answer, do you realize that?
Really there is so much more to security, you would be blown off your chair!
Disabling root access to SSH is just one horde to take, you can do a lot more with that file!
But what is the need in telling you, if you didn't read about it, so have no knowledge about it!
So, you should read up on the following;

  • How to secure SSH

  • How to secure WWW

  • How to use permissions

  • How to use a firewall

  • How to secure parts of the filesystem

  • How to remove all users including root from the server

This list is far from complete, in fact it just merely touches some points!!

If you are serving to the outside world, you're always a possible hackable target, the only thing to do is try and make the hole as small as possible!
Oh, and choosing another port for your service will only slow em down, not stop em!
So, I always use the port that goes with the service! Hence, if I use Webrick with SSL, I always put it on 443, just an example!

Offline

#13 2013-05-23 13:03:31

drcouzelis
Member
From: Connecticut, USA
Registered: 2009-11-09
Posts: 4,092
Website

Re: Having a hard time with permissions to create dir and files in www

@qinohe That sounds like good advice.

@AJCR It sounds like you already know almost as much as I do (I don't know if that's good for you or bad for me), but I have done one extra step: I created a firewall using the Linux kernel iptables functionality, and I blocked many IP addresses. Shortly after setting up my server, I noticed it was getting pinged many many times a day from places like China, and I don't know anyone who would be accessing my website from China. So, I got a list of every IP address by country and blocked all of the ones I don't want to give access to. I admit I have a lot more to learn and I don't know how much my firewall helps.

Offline

#14 2013-05-23 13:24:45

qinohe
Member
From: Netherlands
Registered: 2012-06-20
Posts: 1,498

Re: Having a hard time with permissions to create dir and files in www

I created a firewall using the Linux kernel iptables functionality,

Now this I think you did well!

and I blocked many IP addresses. Shortly after setting up my server, I noticed it was getting pinged many many times a day from places like China, and I don't know anyone who would be accessing my website from China. So, I got a list of every IP address by country and blocked all of the ones I don't want to give access to.

This is questionable! Better is to start on the other end/start, give those rights that need them, and others none or less. Blocking parts of your server to particular people beforehand sounds very bad to me, and it gives a feeling of not understanding what you are doing, so then we do this! No, all rights on files should be right and that sort of thing, but we're talking somewhere 'a mile off the middle' now!
Would be something if Arch server admin says, I don't trust people from Australia, so let's block the whole continent! Get my picture;)
What I mean is your advice will probably only be the right one for very very specific cases!

Offline

#15 2013-05-23 21:35:21

AJCR
Member
Registered: 2012-12-14
Posts: 14

Re: Having a hard time with permissions to create dir and files in www

Guys, thank you all for being so helpful. qinohe I will definitely look into those points you mentioned and try to brush up on it as much as I can. I have another question: how do those large hosting companies like HostGator lock up their systems? I mean, they host thousands of websites. They must have certain "best practices" that they use and certain techniques and strategies.

Offline

#16 2013-05-24 11:28:27

qinohe
Member
From: Netherlands
Registered: 2012-06-20
Posts: 1,498

Re: Having a hard time with permissions to create dir and files in www

The same way you lock down your servers/services, they do big time;)
But they won't share all that with us, probably!
Most info, if not all can be found floating around the net.
For myself, I certainly do not implement all security, I weigh things against each other.
What I say is, I'm not hosting a POS, nor am I an advocate or do I host files that are secret in any way.
So, I don't need to implement all possible security!
This Debian security guide helped me a lot

Offline
