
I have a network of sites where all sites share the same "images" folder. I have created /home/_images/entities and symlinked it from all websites, and it works great with Apache: when I open /images/ on any of the sites I get a list of images and can view them.

The problem is suPHP which changes process ID of the PHP script to the file owner ID, so when I load site1.com, all scripts are executed as user1 (and files/folders created with those scripts belong to user1:user1). When I load site2.com, all scripts are executed as user2 (and files/folders created with those scripts belong to user2:user2). All these users do NOT belong to the same group, and I wouldn't like to change that as it is cPanel/WHM server so I'm afraid I'll screw something up if I change (primary?) group of all users.

Therefore I need to set it up in such way that all newly created folders and files under /home/_images/entities (owned by root) have read/write permissions for everyone.

Here's the command I used:

setfacl -Rdm o::rwx /home/_images/entities

To check it:

root@server1 [~]# getfacl /home/_images/entities/
getfacl: Removing leading '/' from absolute path names
# file: home/_images/entities/
# owner: root
# group: root
user::rwx
group::rwx
other::rwx
default:user::rwx
default:group::rwx
default:other::rwx

This looks fine, however when I try to upload an image via site1.com it looks like this:

root@server1 [/home/_images/entities]# ls -l
total 24
drwxrwxrwx+ 5 root    root    4096 Jan 14 06:25 ./
drwxrwxrwx  5 root    root    4096 Jan 12 13:08 ../
drwxrwxr-x+ 3 user1   user1   4096 Jan 14 06:25 1/

And in folder "1" is the image (and thumbs folder):

root@server1 [/home/_images/entities/1]# ls -l
total 236
drwxrwxr-x+ 3 user1   user1     4096 Jan 14 06:25 ./
drwxrwxrwx+ 5 root    root      4096 Jan 14 06:25 ../
-rw-rw-rw-  1 user1   user1   225569 Jan 14 06:25 689048f221ab7c556f4d482a9d92b2d6.jpg
drwxrwxr-x+ 2 user1   user1     4096 Jan 14 06:25 thumbs/

My questions:

1) Why do newly created folders not have "write" permissions for everyone else [not user and/or group]? If I upload the first image from site1.com, then I can't upload other images from any other site, while all sites can display them.

2) What is the + at the end of permissions list? (drwxrwxr-x+)

3) Why do newly created files have only "rw" permissions for user, group AND everyone else, and not execute permissions? I don't actually need the execute flag set here, but from my command you can see I've set "o::rwx" so it should be there (or not?)

Actually the real problem is #1: other users can't write to this folder, so users can't upload images from other sites, nor can other sites create (missing) thumbnails.

Avram
  • [Administration panels are off topic](http://serverfault.com/help/on-topic). [Even the presence of an administration panel on a system,](http://meta.serverfault.com/q/6538/118258) because they [take over the systems in strange and non-standard ways, making it difficult or even impossible for actual system administrators to manage the servers normally](http://meta.serverfault.com/a/3924/118258), and tend to indicate low-quality questions from *users* with insufficient knowledge for this site. – HopelessN00b Mar 23 '15 at 21:52

1 Answer

  1. Applications, in this case suPHP, can override the defaults and explicitly set the permissions they want. If suPHP is forcing the permissions for "other" to be something besides what you want, a workaround is to add an ACL for a different group, say users, that contains user1 and all of the other users you want:

    setfacl -Rdm g:users:rwx /home/_images/entities
    

    Then suPHP is likely to leave that permission alone. Note that this is also better from a security standpoint, because you're granting write permission only to the users group, instead of to the world.

  2. The + means that an ACL is present, so other permissions are in effect besides the ugo set that are listed. You'll have to run getfacl to see them.

  3. I think this is the same answer as #1: Because suPHP is explicitly overriding the execute permission. The same solution as for #1 should apply.

Andrew Schulman
  • Thank you very much for your answer! Do I need to change primary group for all users to "users", or I should just create that group and add them to the group? I.e. Does permissions apply only to primary group or to any group user is member of? – Avram Jan 14 '15 at 15:23
  • Any group that your users are all a member of will work. – Andrew Schulman Jan 14 '15 at 15:33
  • Hah, that worked! Thank you sooooo much, I have asked this on three linux-related websites and got no answers in three days. I love you :D and I love the flexibility of linux! – Avram Jan 14 '15 at 15:40
  • Yay! Glad it worked. – Andrew Schulman Jan 14 '15 at 15:51
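The mechanism behind the accepted answer, as an added example (editor's note, not code from the question or the answer): the script below models the POSIX ACL inheritance rules from acl(5), the ones setfacl and getfacl rely on, and reproduces the listing in the question. When a directory carries a default ACL, a new object is created with that default ACL as its access ACL, the umask is ignored, and the create mode passed to mkdir()/open() is ANDed into the user::, group:: (or mask::, when present) and other:: entries. Named entries such as g:users:rwx are copied unchanged and only limited by the mask. That is why a default o::rwx plus a 0775 mkdir yields drwxrwxr-x+, why a 0666 file write yields rw-rw-rw- with no execute bit, and why a named group entry keeps rwx on directories. The create modes 0775 (directories) and 0666 (files) are assumptions inferred from the listing; the group name users is the one the answer uses.

```python
"""Model of POSIX ACL inheritance, acl(5) "Object creation and default ACLs".

Added example: a simulation of the rules setfacl/getfacl rely on, not the
question's or answer's own code. Create modes 0775/0666 are assumptions
inferred from the listing in the question.
"""
from typing import List, Optional, Tuple

# (tag, qualifier, permission bits); qualifier is "" for u::, g::, m::, o::
AclEntry = Tuple[str, str, int]

TAGS = {"u": "user", "g": "group", "m": "mask", "o": "other"}
BITS = {"r": 4, "w": 2, "x": 1}


def parse_entry(text: str) -> AclEntry:
    """Parse setfacl syntax such as 'g:users:rwx' or 'o::rwx'."""
    tag, qual, perms = text.split(":")
    return TAGS[tag], qual, sum(BITS[c] for c in perms if c != "-")


def fmt(bits: int) -> str:
    return "".join(c if bits & b else "-" for c, b in BITS.items())


def inherit_acl(default_acl: List[AclEntry], mode: int) -> List[AclEntry]:
    """Access ACL of a new object created with `mode` in a directory whose
    default ACL is `default_acl`. The umask is ignored; the create mode caps
    user::, group:: (or mask:: when present) and other::. Named entries are
    copied as they are."""
    has_mask = any(tag == "mask" for tag, _, _ in default_acl)
    owner, group, other = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    access = []
    for tag, qual, bits in default_acl:
        if tag == "user" and qual == "":
            bits &= owner
        elif tag == "group" and qual == "" and not has_mask:
            bits &= group
        elif tag == "mask":
            bits &= group
        elif tag == "other":
            bits &= other
        access.append((tag, qual, bits))
    return access


def _get(acl: List[AclEntry], tag: str, qual: str = "") -> Optional[int]:
    return next((b for t, q, b in acl if t == tag and q == qual), None)


def effective(acl: List[AclEntry], tag: str, qual: str) -> str:
    """Effective permissions of one entry: named entries and group:: are
    additionally limited by mask:: when a mask entry exists."""
    bits = _get(acl, tag, qual)
    mask = _get(acl, "mask")
    if mask is not None and (qual != "" or tag == "group"):
        bits &= mask
    return fmt(bits)


def ls_mode(acl: List[AclEntry], is_dir: bool, has_default: bool) -> str:
    """What ls -l prints: ls shows mask:: (not group::) in the group column
    and appends '+' when extended entries exist. A directory that inherited
    a default ACL carries extended entries even if they are only base ones."""
    mask = _get(acl, "mask")
    group_col = mask if mask is not None else _get(acl, "group")
    extended = any(q != "" or t == "mask" for t, q, _ in acl) or (is_dir and has_default)
    return fmt(_get(acl, "user")) + fmt(group_col) + fmt(_get(acl, "other")) + ("+" if extended else "")


def question_setup():
    """setfacl -Rdm o::rwx leaves only base entries in the default ACL."""
    default = [parse_entry(e) for e in ("u::rwx", "g::rwx", "o::rwx")]
    subdir = inherit_acl(default, 0o775)   # assumed mkdir mode
    image = inherit_acl(default, 0o666)    # assumed file create mode
    return ls_mode(subdir, True, True), ls_mode(image, False, True)


def answer_setup():
    """setfacl -Rdm g:users:rwx; setfacl adds a default mask:: entry itself."""
    default = [parse_entry(e) for e in ("u::rwx", "g::rwx", "g:users:rwx", "m::rwx", "o::rwx")]
    subdir = inherit_acl(default, 0o775)
    image = inherit_acl(default, 0o666)
    return (ls_mode(subdir, True, True), effective(subdir, "group", "users"),
            ls_mode(image, False, True), effective(image, "group", "users"))


if __name__ == "__main__":
    print("default o::rwx   ->", question_setup())
    print("default g:users  ->", answer_setup())
```

question_setup() reproduces the listing in the question (drwxrwxr-x+ for the subdirectory, rw-rw-rw- without a plus for the image): the default other::rwx is cut down to r-x by the 0775 create mode, and the file has no extended entries because a plain file only inherits the base entries. answer_setup() shows the fix: the users group keeps rwx on new directories and rw- on new files, since the create mode now lands in the mask entry instead of removing bits from the group entry. A default ACL can only pass through bits the create mode grants, so o::rwx cannot add write or execute that the creating process did not ask for; a named group entry is retained and is where the effective permission lives.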