3

I followed this link to change group/user permissions and add myself to the www-data group, but I am still unable to edit contents in /var/www, especially uploaded content.

This is my development environment; I don't want to chmod /var/www/ each time there is an upload.

While keeping contents under /var/www, what are the steps to change the /var/www directory permissions to be able to edit contents directly from an IDE?

My login account user and group name is debianaut:

 groups www-data
 www-data : www-data debianaut

 groups debianaut
 debianaut : debianaut www-data

I logged in/out after making these changes. It seems straightforward that if I am a user of a certain group I should get whatever permissions they hold.

Please help resolve this issue.

sakhunzai

4 Answers

3

I suspect your issue is the fact that the user account has more than one group, and the default group is not the one with write permission to that folder.

While Linux allows your user access to multiple groups, it does not provide access to all of them at once. Here are some options to address this:

  • Change the group used while running in a shell
  • Change the user's default logon group
  • Use ACLs

New Group in a Shell

In order to operate as a different user after starting a shell, use newgrp.

Change default Group

In order to change the user's default group, edit /etc/passwd, or use a command to do the job (not sure which command, and it probably differs from distribution to distribution).

ACLs

You will likely prefer to use ACLs. See the man pages for setfacl and getfacl. ACLs (access control lists) are expanded permissions. Not all Linux systems support them, but I would be surprised if your Debian system doesn't. The following should add read-write-execute permission for user debianaut to all of /var/www:

setfacl -R -m u:debianaut:rwx /var/www

By the way, to check the group id of a running process (such as your IDE), use ps -o gid -p <pid>.

Inheriting ACLs

Following the post here led to the answer for inheriting ACLs.

The answer is called default ACLs in the man page. The following will set the ACL for debianaut as the default for files created in /var/www:

setfacl -R -d -m u:debianaut:rwx /var/www
ash
  • Let me check the ACLs thing; it seems promising – sakhunzai Sep 06 '13 at 10:29
  • The only thing I don't like about ACLs is they are an extension, so they can confuse if you forget they are in-use. Otherwise, they are a great way to solve problems like this, in my opinion. – ash Sep 06 '13 at 14:34
  • It seems it's not working as I expected, e.g. when I upload a file through php+apache, it's owned by www-data:www-data, so I could not edit that file from the IDE. I tried the ACL stuff; it seems I have to run this command each time I upload a new file, which I do not want. – sakhunzai Sep 06 '13 at 17:27
  • `drwxr-sr-x 5 www-data www-data 4096 Sep 6 22:21 mod_*` file permission for uploaded directory – sakhunzai Sep 06 '13 at 17:30
  • `-rw-r--r-- 1 www-data www-data 418 Sep 6 22:21 style.css` permission for a file in that directory – sakhunzai Sep 06 '13 at 17:31
  • Sorry - I missed that point. It seems the "default ACL" is what you want; default ACLs are inherited. See the updates in the answer. – ash Sep 06 '13 at 19:22
  • After that I have something like this: `drwxr-sr-x+ 2 www-data www-data 4096 Sep 7 00:59 css` `-rw-rw-rw-+ 1 www-data www-data 2332 Sep 7 00:59 error.php` for uploaded files; still the same issue with editing – sakhunzai Sep 06 '13 at 20:02
  • Can you give the output of `ps -eo pid,cmd,uid,gid | grep -i eclipse` (if eclipse, otherwise change to the name of the IDE program)? And the output of `getfacl` on the newly created file that fails to edit? – ash Sep 06 '13 at 20:25
  • `ps -eo pid,cmd,uid,gid | grep -i phpstorm` => `6401 /opt/IntelliJ/PhpStorm-129. 1000 1000 8659 grep -i phpstorm 1000 1000` – sakhunzai Sep 06 '13 at 20:50
  • How about the `getfacl` output? Can you confirm the user and group names both with id 1000? – ash Sep 06 '13 at 22:23
  • `# file: var/www` `# owner: root` `# group: www-data` `# flags: -s-` `user::rwx` `user:debianaut:rwx` `group::rwx` `mask::rwx` `other::r-x` `default:user::rwx` `default:user:debianaut:rwx` `default:group::rwx` `default:mask::rwx` `default:other::r-x` – sakhunzai Sep 07 '13 at 03:07
  • 1000:1000 => that is the `ID` for `debianaut:debianut` – sakhunzai Sep 07 '13 at 03:12
  • I would like to catch you later for discussion on this; for now I grant you the bounty for your support and the get/setfacl stuff, thanks – sakhunzai Sep 07 '13 at 03:16
  • Everything provided looks good so far. Can you create a new file under /var/www and provide the `getfacl` output for that file? – ash Sep 07 '13 at 04:53
  • let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/36967/discussion-between-sakhunzai-and-ash) – sakhunzai Sep 07 '13 at 05:28
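
Why a default ACL of `rwx` can still leave a new upload uneditable for `debianaut`: under acl(5), an object created in a directory with a default ACL ignores the umask, but its mask entry is ANDed with the group bits of the creation mode, and named-user entries are capped by that mask. This added example (not code from the thread) parses the `getfacl` output quoted in the comments above and computes the resulting effective rights. The creation modes 0755, 0644 and 0666 are assumptions chosen for illustration.

```python
import re

# Constructed sample: the getfacl output for /var/www quoted in the comments,
# restored to one entry per line.
GETFACL_VAR_WWW = """\
# file: var/www
# owner: root
# group: www-data
# flags: -s-
user::rwx
user:debianaut:rwx
group::rwx
mask::rwx
other::r-x
default:user::rwx
default:user:debianaut:rwx
default:group::rwx
default:mask::rwx
default:other::r-x
"""

BITS = {"r": 4, "w": 2, "x": 1}
ENTRY = re.compile(r"default:(user|group|mask|other):([^:]*):([rwx-]{3})")

def to_bits(s):
    return sum(BITS[c] for c in s if c in BITS)

def to_str(n):
    return "".join(c if n & b else "-" for c, b in BITS.items())

def parse_default_acl(text):
    """Return {(tag, qualifier): bits} for the default: entries only."""
    found = (ENTRY.match(line.strip()) for line in text.splitlines())
    return {(m.group(1), m.group(2)): to_bits(m.group(3)) for m in found if m}

def inherit(default_acl, mode):
    """Access ACL of an object created with `mode` under a default ACL.
    Owner, mask and other are ANDed with the matching mode bits; the umask
    plays no part. Assumes a mask entry exists (it does once named entries do)."""
    acl = dict(default_acl)
    acl[("user", "")] &= (mode >> 6) & 7
    acl[("mask", "")] &= (mode >> 3) & 7  # group bits of the mode cap the mask
    acl[("other", "")] &= mode & 7
    return acl

def effective(acl, tag, qualifier):
    """Named users, named groups and the owning group are capped by the mask."""
    return to_str(acl[(tag, qualifier)] & acl[("mask", "")])

if __name__ == "__main__":
    defaults = parse_default_acl(GETFACL_VAR_WWW)
    for mode in (0o755, 0o644, 0o666):  # assumed creation modes
        print(oct(mode), "debianaut ->", effective(inherit(defaults, mode), "user", "debianaut"))
```

When an ACL is present, `ls -l` shows the mask in the group column, so a listing such as `drwxr-sr-x+` means a mask of `r-x`; `getfacl` on the object itself marks capped entries with `#effective:`.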
2

I think you should change your umask to 0002:

umask 0002

This could also be useful.

Alma Do
  • Changing the umask for the whole system just because of simple permission problem doesn't appear to me as a good solution. – Kristopher Aug 14 '13 at 09:55
  • Will this be a security issue? – sakhunzai Aug 14 '13 at 09:57
  • You can change umask only for one user. For example, put that into the `~/.bashrc` script. – Alma Do Aug 14 '13 at 10:00
  • You should set the umask to this only for the process that writes the files. In Joomla's case that's the Apache running mod_php. Put `umask(0002);` somewhere in your Joomla `configuration.php`. – Chris Wesseling Sep 02 '13 at 21:00
0

For me the problem has to do with joomla configuration. You need to change the default permissions for uploaded files. This link may help you: http://forum.joomla.org/viewtopic.php?t=286584

Kristopher
  • No luck finding such a permission setting with j3.1; I think it was removed because of a possible security issue – sakhunzai Aug 14 '13 at 10:12
  • Then check if you have /etc/suphp.conf or /etc/suphp/suphp.conf file. If so, change the umask value there to 0022. – Kristopher Aug 14 '13 at 10:23
0

There are two relatively simple options, none of them should involve www-data -- you don't want the webserver to have unnecessary write access to your contents.

1) Just take ownership of /var/www for your userid that will edit the files.

2) Establish a new group, make it one of your secondary groups, and make /var/www group-writable + setgid (chmod g+s) that new group. New files in the setgid dir will have their group set to the shared group.

covener
  • "unnecessary" is a secondary thing here; I need to know HOW this could be achieved in simple words, step by step. If I am a member of a group, why am I not getting the same rights? If not, how do I get those rights? Please elaborate your answer with actual commands – sakhunzai Sep 02 '13 at 03:45
  • "If I am member of a group why I am not getting same rights" You never showed a single file or directory that had any special rights assigned to www-data. However, there shouldn't be special rights for www-data. I don't know why you think this is some secondary thing. – covener Sep 06 '13 at 13:03