
#1 2016-09-25 19:17:05

Cobra
Member
Registered: 2004-07-30
Posts: 109

[SOLVED] Apache permissions clash with development requirements

Hi guys, I'm trying a web IDE (codiad) to start the development of a web application in Ruby on Rails via my web-browser. This is a simple php app and runs in /srv/http/www/codiad
I set the following ownership: http:http. So both user and group are http, the webserver. I can now successfully edit and save files via the webbrowser.

Problem: If I change owner:group settings to myusername:http instead, I can no longer edit/save files because the permissions are 755 for directories and 644 for files. So basically the group (http) can read but not write to my files. This behaviour is expected but annoying because my ruby on rails environment requires the owner to be myusername, otherwise I can't run commands like "rails new appname" or similar commands.

In short: codiad requires http:http but rails requires myusername:http

How would you tackle this problem to make them play together? Is working with a Userdir the way to go or does that also require http:http ownership?

Last edited by Cobra (2016-09-26 14:04:38)

Offline

#2 2016-09-26 09:36:13

beta990
Member
Registered: 2011-07-10
Posts: 207

Re: [SOLVED] Apache permissions clash with development requirements

Why not chown dirs to 775 and files to 664?

Offline

#3 2016-09-26 13:13:58

Cobra
Member
Registered: 2004-07-30
Posts: 109

Re: [SOLVED] Apache permissions clash with development requirements

beta990 wrote:

Why not chown dirs to 775 and files to 664?

Some files need tighter security. e.g. config files with API keys, passwords, etc...
But I like your suggestion. I did the following to make it all work:

# Go to target directory
cd /path/to/my/destination

# Change owner and group of current directory and subdirs
sudo chown -R myusername:group .

# Change default permissions of current directory and subdirs (rwxrwxr-x)
find . -type d -exec sudo chmod 775 {} +
# Do the same for files in current directory and subdirs (rw-rw-r--)
find . -type f -exec sudo chmod 664 {} +

# Make sure that in the future, all new directories and files will inherit the group of the current directory and subdirs (setgid on directories only; group write is already set by the chmod calls above)
find . -type d -exec sudo chmod g+s {} +

# Make sure that in the future, all new files in current directory and subdirs will inherit 664 permissions (rw-rw-r--)
sudo setfacl -R -b -d -m o::rX -m u::rwX -m g::rwX .

Offline
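
An added check, not part of the original post: once a tree is shared between a developer account and the web server group as described above, this audit lists regular files carrying the setgid bit, directories missing it, and secret-bearing files still readable by "other". The secret filename patterns and the temporary demo tree are constructed assumptions.

```shell
#!/bin/sh
# Audit a tree shared as developer:webgroup. Prints "<issue> <path>" per finding.
audit_tree() {
    root=$1
    # setgid belongs on directories; on regular files it is a leftover of "chmod -R g+s".
    find "$root" -type f -perm -2000 | sed 's/^/setgid-file /'
    # Without setgid, new entries in a directory get the creator's primary group.
    find "$root" -type d ! -perm -2000 | sed 's/^/no-setgid-dir /'
    # Assumed secret filenames; adjust to the files that hold keys and passwords.
    find "$root" -type f \( -name '.env' -o -name '*.key' \
        -o -name 'secrets.yml' -o -name 'database.yml' \) -perm -0004 |
        sed 's/^/world-readable-secret /'
}

# Count findings of one kind, e.g. count_findings /srv/http/www setgid-file
count_findings() {
    audit_tree "$1" | awk -v kind="$2" '$1 == kind { n++ } END { print n + 0 }'
}

# Constructed sample tree (no sudo needed, lives under a temp directory).
make_demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/app/config" "$t/app/tmp"
    : > "$t/app/config/secrets.yml"
    : > "$t/app/.env"
    : > "$t/app/index.rb"
    chmod 2775 "$t" "$t/app" "$t/app/config"  # directories with setgid, as intended
    chmod 0775 "$t/app/tmp"                   # directory that missed the setgid bit
    chmod 0664 "$t/app/config/secrets.yml"    # blanket 664: readable by "other"
    chmod 0640 "$t/app/.env"                  # tightened: owner rw, group r, other none
    chmod 2664 "$t/app/index.rb"              # setgid left on a regular file
    echo "$t"
}

demo=$(make_demo_tree)
audit_tree "$demo"
rm -rf "$demo"
```

A secret file reported here can be tightened with `chmod 640` (or `600` if the web server does not need to read it) after the blanket 664 pass.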

#4 2016-09-26 13:20:23

ayekat
Member
Registered: 2011-01-17
Posts: 1,589

Re: [SOLVED] Apache permissions clash with development requirements

Cobra wrote:

So basically the group (http) can read but not write to my files. This behaviour is expected but annoying because my ruby on rails environment requires the owner to be myusername, otherwise I can't run commands like "rails new appname" or similar commands.

Why can't the http user run those commands? Wouldn't fixing that problem solve the rest?



Offline

#5 2016-09-26 13:27:06

Cobra
Member
Registered: 2004-07-30
Posts: 109

Re: [SOLVED] Apache permissions clash with development requirements

ayekat wrote:
Cobra wrote:

So basically the group (http) can read but not write to my files. This behaviour is expected but annoying because my ruby on rails environment requires the owner to be myusername, otherwise I can't run commands like "rails new appname" or similar commands.

Why can't the http user run those commands? Wouldn't fixing that problem solve the rest?

Then the http user would need additional permissions to install (ruby/rails) gems and dependencies. I'd like to prevent my http user from doing anything on the server (or as little as needed) in case of a breach. I believe that's also how apache was designed to work.

Last edited by Cobra (2016-09-26 13:27:47)

Offline

#6 2016-09-26 13:38:46

ayekat
Member
Registered: 2011-01-17
Posts: 1,589

Re: [SOLVED] Apache permissions clash with development requirements

OK, I guess that's the downside of using a development environment where editing a project and installing project dependencies are coupled to the same user...
Although, where are ruby gems installed? Aren't they local to a user anyway?



Offline

#7 2016-09-26 13:50:00

Cobra
Member
Registered: 2004-07-30
Posts: 109

Re: [SOLVED] Apache permissions clash with development requirements

ayekat wrote:

OK, I guess that's the downside of using a development environment where editing a project and installing project dependencies are coupled to the same user...
Although, where are ruby gems installed? Aren't they local to a user anyway?

Yeah they are in /home/myusername/.gem
If you use bundler, they can also be installed in the webproject in vendor/

Offline

#8 2016-09-26 14:26:31

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,769

Re: [SOLVED] Apache permissions clash with development requirements

Cobra wrote:
beta990 wrote:

Why not chown dirs to 775 and files to 664?

Some files need tighter security. e.g. config files with API keys, passwords, etc...
But I like your suggestion. I did the following to make it all work...

This works well, but be advised that pacman will generate warnings about permission mismatch if it needs to touch any of those files.
Ignoring those warnings is generally safe, but any new files installed by pacman would need to be adjusted manually.


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way

Offline
