0

Guys, I have a Linux dedicated server.

There are multiple users who manage specific directories on the server.

But if a user uploads something, for example a plugin/library, when it is executed it makes subdirectories which are required by that plugin/library. The user doesn't have permissions to that directory.

How do I automatically set 775 permissions on all directories?

Waleed
  • 1
  • You can do that with umask or [the sticky bit](http://serverfault.com/questions/6895/whats-the-best-way-of-handling-permissions-for-apache2s-user-www-data-in-var/65416#65416) but most likely it's a better idea to restructure things so that all web-writable folders are in/under the same place. – AD7six May 31 '14 at 08:52

5 Answers

5

The umask of the server receiving the uploads must be set to 002, then newly created directories will get permissions 775.

kasperd
  • 29,894
  • 16
  • 72
  • 122
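
What the umask answer above describes, as an added example that is not part of the original thread: how the umask turns into the mode of a newly created directory, extended to regular files and to a read-only audit of an existing tree. It assumes Linux with GNU `stat` and `find`; the function names and temporary paths are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Linux with GNU stat/find.
# Function names are hypothetical; all paths are throwaway temp directories.

# Mode a new directory gets under umask $1. mkdir requests 0777 and the
# kernel clears every bit that is set in the umask (002 -> 775).
dir_mode_under_umask() {
    tmp=$(mktemp -d) || return 1
    ( umask "$1" && mkdir "$tmp/sub" && stat -c '%a' "$tmp/sub" )
    rm -rf "$tmp"
}

# Mode a new regular file gets under umask $1. File creation requests 0666,
# so umask 002 yields 664: group-writable, but never executable by default.
file_mode_under_umask() {
    tmp=$(mktemp -d) || return 1
    ( umask "$1" && : > "$tmp/f" && stat -c '%a' "$tmp/f" )
    rm -rf "$tmp"
}

# Read-only check to run instead of a blanket chmod: list directories under
# $1 that the group cannot write to (020 missing) or that are world-writable.
audit_dirs() {
    find "$1" -type d \( ! -perm -020 -o -perm -002 \) -print
}

# Demo on constructed input.
for mask in 002 022 027; do
    printf 'umask %s -> dir %s, file %s\n' "$mask" \
        "$(dir_mode_under_umask "$mask")" "$(file_mode_under_umask "$mask")"
done
```

The umask is a property of the process that creates the directory, so it has to be set for the service that handles the uploads, not only in the users' login shells.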
0

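```
# No -R on chmod: find already visits every directory, and -R would also
# apply 755 to the files inside them.
find /path/to/base/dir -type d -exec chmod 755 {} +
```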

will change permissions for folders recursively. You can set up a cron job to do this automatically or simply execute it from the plugin root directory as needed.

symlynk
  • 176
  • 6
  • That's a (common) way to do it, but hardly good advice IMO. For example any requests in between files being uploaded and the cron running will encounter permission errors. -1. – AD7six May 31 '14 at 08:59
  • Usually cron jobs are set to run in the middle of the night when no new files are being uploaded. If there were a conflict, running the command yourself would fix it. – symlynk May 31 '14 at 09:03
  • 2
    So, a user uploads something at 9am and for the rest of the day there are permission errors. Does that sound like the right solution? – AD7six May 31 '14 at 09:03
  • Like I said, this can be run via cron job *or* manually to fix errors on the fly. – symlynk May 31 '14 at 09:05
  • cron job or manually != on the fly – ADM May 31 '14 at 11:08
  • 1
    Read the Google definition: `while in motion or progress`. A manual update would be 'on the fly'. – symlynk May 31 '14 at 11:13
  • 1
    If you think that admin will sit there in a "Ready, Steady, Go!" position, waiting for any changes in the file system... so cron job or manually != while in motion or progress != on the fly – ADM May 31 '14 at 13:30
  • We're arguing semantics here. If you have a better solution then post your own answer instead of lurking in the comments section. – symlynk May 31 '14 at 18:12
  • Cron jobs to fix permissions are almost invariably the wrong answer. That road leads to all manner of badness - it's very easy to end up with a job running too frequently, doing in-depth file system traversals to no good purpose, and really hurting your storage infrastructure as a result. – Sobrique Jun 18 '14 at 12:25
0

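Add the user to the apache/php group:

```
# -a -G appends a supplementary group; -g alone would replace the primary group
usermod -a -G group username
```

Keep an eye on uploaded files:

```
# --format '%w%f' prints only the full path of each event, one per line
/usr/bin/inotifywait -e create -e attrib --format '%w%f' \
    -mrq /home/project/public_html/plugins | while IFS= read -r file; do
    echo -n "$file " >> /var/log/uploads_monitor.log
    echo "$(date | cut -d " " -f1-4)" >> /var/log/uploads_monitor.log
    # Skip entries that are already 775: chmod itself raises an attrib event
    [ "$(stat -c %a "$file" 2>/dev/null)" = 775 ] || chmod 775 "$file" >/dev/null 2>&1
done
```
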
ADM
  • 1,353
  • 12
  • 16
0

You might need to consider using file system access control lists (setfacl command). This way your changes will affect only the directories you want changed, and won't have the unwanted impact on the whole system, say if you had changed the umask value.

For instance, if your users belong to a specific group, you can give that group a 'rwx' on the parent directory and its descendants. This way any file or directory created will automatically have 'rwx' for any user belonging to that group.

```
setfacl -R -m g:groupname:rwx /shareddirectory
setfacl -d -m g:groupname:rwx /shareddirectory
```

You can customize this to fit your scenario. My point here is setfacl might have the options you need.

Daniel t.
  • 9,061
  • 1
  • 32
  • 36
-1

I would suggest that you look at ruid2 (pre-built packages), which allows all HTTP requests to a domain to run as the owner of that domain instead of as the Apache user. One of the complaints about this is that it will not run properly with FastCGI.

This is how I loaded it on a CentOS 6 x86_64 server:

  1. As root cd to /root
  2. Download the latest atomic-release rpm from http://www6.atomicorp.com/channels/atomic/centos/6/x86_64/RPMS/
  3. Install atomic-release rpm: rpm -Uvh atomic-release*rpm
  4. Install mod_ruid2 rpm package: yum install mod_ruid2

This will result in these files on your OS:

  1. /etc/httpd/conf.d/ruid2.conf
  2. /usr/lib64/httpd/modules/mod_ruid2.so
  3. /usr/share/doc/mod_ruid2-0.9.1/
  4. /usr/share/doc/mod_ruid2-0.9.1/LICENSE
  5. /usr/share/doc/mod_ruid2-0.9.1/README

After you install mod_ruid2-0.9.6-3.el6.art.x86_64 (or current version) run the command `apachectl -t -D DUMP_MODULES`

Look for something like this to result:

```
Loaded Modules:
  core_module (static)
  mpm_prefork_module (static)
  http_module (static)
  so_module (static)
  auth_basic_module (shared)
  auth_digest_module (shared)
  authn_file_module (shared)
  authn_alias_module (shared)
  authn_anon_module (shared)
  authn_dbm_module (shared)
  authn_default_module (shared)
  authz_host_module (shared)
  authz_user_module (shared)
  authz_owner_module (shared)
  authz_groupfile_module (shared)
  authz_dbm_module (shared)
  authz_default_module (shared)
  ldap_module (shared)
  authnz_ldap_module (shared)
  include_module (shared)
  log_config_module (shared)
  logio_module (shared)
  env_module (shared)
  ext_filter_module (shared)
  mime_magic_module (shared)
  expires_module (shared)
  deflate_module (shared)
  headers_module (shared)
  usertrack_module (shared)
  setenvif_module (shared)
  mime_module (shared)
  dav_module (shared)
  status_module (shared)
  autoindex_module (shared)
  info_module (shared)
  dav_fs_module (shared)
  vhost_alias_module (shared)
  negotiation_module (shared)
  dir_module (shared)
  actions_module (shared)
  speling_module (shared)
  userdir_module (shared)
  alias_module (shared)
  substitute_module (shared)
  rewrite_module (shared)
  proxy_module (shared)
  proxy_balancer_module (shared)
  proxy_ftp_module (shared)
  proxy_http_module (shared)
  proxy_ajp_module (shared)
  proxy_connect_module (shared)
  cache_module (shared)
  suexec_module (shared)
  disk_cache_module (shared)
  cgi_module (shared)
  version_module (shared)
  fcgid_module (shared)
  perl_module (shared)
  php5_module (shared)
  python_module (shared)
  ruid2_module (shared)
  ssl_module (shared)
```

If it's there, you're good to go.

Next, make the required additions to the ruid2.conf file.

Note that since Plesk set my master account up using the /var/www/vhosts/mydomain.com/httpdocs path, I added this first:

```
<Directory /var/www/vhosts/mydomain.com/httpdocs>
  RMode stat
  RUidGid apache apache
  RGroups apache psaserv
</Directory>
```

Then, it set up additional domain websites using the /var/www/vhosts/mydomain.com/myotherdomain.com path, so I added this for each of those:

```
<Directory /var/www/vhosts/mydomain.com/myotherdomain.com>
  RMode stat
  RUidGid apache apache
  RGroups apache psaserv
</Directory>
```

Cristian Ciupitu
  • 6,226
  • 2
  • 41
  • 55
  • Indeed. The previous revision was better, though it could probably still use some cleaning up. – Michael Hampton Jun 03 '14 at 20:47
  • Since the answer received a negative rating, I believed that I had assumed too much about the user's ultimate goal. With that understanding, the post's detail seemed more a distraction than a help, but it's fine to leave; it's a cut and paste that I published over at LinuxQuestions a couple of years ago. – NeedSomeHelp Jun 04 '14 at 17:49