I recently switched the web server on my CentOS 7 machine from Apache to nginx. Originally, I had added my user account to the apache group and then did a recursive chown to make all files in the public web root belong to the user and group apache. With this, I was able to successfully edit files as my own user without root privileges.

However, the reverse is not working in nginx. I added my user account to the nginx group (as specified in the nginx.conf file) and I was unable to edit existing files, add new files or directories, or anything of the sort. The only workaround was to add my user as the owner of the public web roots. Ideally, I would prefer to just have nginx as the user and group and have my user account be able to access files that way.

Is there a reason I cannot edit files owned by the nginx user and group despite my user account belonging to the nginx group? I am confused about how to debug this further. Thanks.

J.W.F.

1 Answer

Because those files don't have group write permission rights.

Can you send a ls -l of the webroot directory?

Fredi
  • You can find the output [here](http://paste.fedoraproject.org/287097/46694619). I read that it was safest to run `chmod -R 755` on the public web root - as far as I know, those are the pre-existing permissions. – J.W.F. Nov 05 '15 at 03:37
  • `-rwxr-xr-x.` on for example index.html shows there's no w for the group, so no write. 765 would allow writing for the group. See http://peadrop.com/blog/2007/01/02/understanding-linux-file-permissions/ for explanation. Of course, you could also sudo edit the file if you have sudoer rights. – JayMcTee Nov 05 '15 at 10:28
  • @JayMcTee Thanks, that page was super helpful to understanding permissions better! However, I am now doubly confused - I ran `chmod -R 765` on the public web directories, and for testing purposes, I set the owner and group of the public web directory back to `nginx`. However, now if I try to enter the public web directory as my normal user, I get `Permission denied` and cannot enter. If I run `ls` on the directory, it gives me limited information about the contents. I cannot see the permissions or last edited date of the files. But the group has read+write access now. Any ideas? – J.W.F. Nov 05 '15 at 16:45
  • For clarity, this is what the line of the public web directory looks like now. `drwxrw-r-x. 3 nginx nginx 33 Nov 4 22:32 public_html` And I am definitely sure that my user is a member of the `nginx` group. `$ groups jflory nginx` – J.W.F. Nov 05 '15 at 16:45
  • @jflory7, regarding security, it's even better if the nginx user can't write to the files. This way, even if somebody exploits a vulnerability on nginx thus getting a shell with nginx's privileges it can't change the website files, so no defacement. And you don't gain much giving write permissions on the group, that is better only if you have more than one user in nginx group because in this situation each user can modify each other's files. – Fredi Nov 05 '15 at 18:04
  • @Fredi I see, that makes sense. So the most secure route would likely be to set the owner of the root web directory to my own user and keep the group as `nginx`. Assuming that is correct, this is what I will do on the machine. However, it's still frustrating that even with group r+w, I cannot edit or even enter the public web directory. Any ideas why that might be so? At this point, I think I almost just want to figure it out just to know why it isn't working. – J.W.F. Nov 06 '15 at 13:57
  • @jflory yes, that solution is even more secure. Beware though if you have upload directories, in those nginx must have write access. As for why you can't enter the webroot, that means that the webroot directory or one of the directories before in the path, does not give your group or others execute – Fredi Nov 06 '15 at 14:31
  • @Fredi The directory above the `public_html` directory for the actual server block (i.e. assuming hierarchy `../example.com/public_html/`) is owned and group set to `root`. Would that be why? – J.W.F. Nov 06 '15 at 20:51
  • @jflory7 never mind the owner, just the permissions set on your id. And, start from root with an absolute path. ex: /var/www/whatever/html – Fredi Nov 06 '15 at 23:42
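
The permission logic discussed in this thread, as an added example that is not part of the original posts: it models how the kernel picks exactly one class (owner, else group, else other) and why `drwxrw-r-x` locks out a group member while still admitting everyone else. The uids, gids and the `/var/www/example.com` path are constructed, and the model assumes plain mode bits for a non-root user (no ACLs, no SELinux denial).

```python
def effective_bits(mode, file_uid, file_gid, uid, gids):
    """Return the rwx triplet (0-7) applied to a non-root user.

    Only the first matching class counts: owner, else group, else other.
    A group member never falls through to the "other" bits.
    """
    if uid == file_uid:
        return (mode >> 6) & 7
    if file_gid in gids:
        return (mode >> 3) & 7
    return mode & 7


def check_path(components, uid, gids, want_write=False):
    """Walk (name, mode, uid, gid) tuples from / down to the target directory.

    Every directory on the way needs x (search); creating or renaming
    files in the last one additionally needs w. Returns (ok, reason).
    """
    for name, mode, f_uid, f_gid in components:
        bits = effective_bits(mode, f_uid, f_gid, uid, gids)
        if not bits & 1:
            return False, f"no execute (search) bit on {name}"
    if want_write and not bits & 2:
        return False, f"no write bit on {name}"
    return True, "ok"


# Constructed sample ids and paths (assumptions, not taken from the thread).
ROOT, NGINX, JFLORY, VISITOR = 0, 990, 1000, 1001
WEBROOT = "/var/www/example.com/public_html"


def webroot(mode, owner=NGINX):
    """Path chain ending in the web root, which has group nginx."""
    return [("/", 0o755, ROOT, ROOT),
            ("/var/www/example.com", 0o755, ROOT, ROOT),
            (WEBROOT, mode, owner, NGINX)]


member = (JFLORY, {JFLORY, NGINX})    # user who is in the nginx group
outsider = (VISITOR, {VISITOR})       # user who is not
worker = (NGINX, {NGINX})             # the nginx service account
```

On a real host, `namei -l /absolute/path` prints the same per-component owner, group and mode chain this function walks.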