User Permissions: Daemon and User

4

2

I often run into this issue on Linux, and I'd love to know the proper way of solving it.

Say I have a daemon running. In my example, I'll use lighttpd, a web server.

Some software, like WordPress, enjoys having read/write access to files for updating applications via a web interface, which I think is quite handy.

At the same time, I enjoy being able to hack on my files using vim, using my local user account, 'eddie'.

Herein lies the rub. Either I chown everything to lighttpd or eddie and a shared group between them both, and chmod it 660, or perpetually sudo to edit the damned things. The former isn't a bad solution, until I create a new file in which case I have to remember to chmod it appropriately, or create some hack like a cron job that chmods for me.

Is there an easier way of doing this? Have I overlooked something?

Cheers,

-e-

Eddie Parker

Posted 2010-03-23T07:17:56.193

Reputation: 2 074

you can probably do something with ACLs (filesystem dependent) to make access simple(r), but that's a ball of fun i've yet to tangle with, so hopefully someone else will enlighten us. – quack quixote – 2010-03-23T07:35:03.403

Yes, it can be done with ACLs too, but most distros do not enable them by default and I think it's more difficult. It also allows more fine-grained control though. See man setfacl if you're interested. – Kim – 2010-03-23T07:54:00.510

Answers

3

In fact there is a way to auto-chown files created in a certain directory. Let's say the files you want lighttpd to be able to access are in /var/www. Then you set the group of /var/www to your group and set the SGID bit on /var/www. You will probably want to do this recursively for subdirs. I'm assuming the group is www-data.

chgrp -R www-data /var/www
chmod -R g+s /var/www

This will just set the group however. To give newly created files 660 permissions by default you can set your umask to 007. Add this line to ~/.bashrc:

umask 007

Kim

Posted 2010-03-23T07:17:56.193

Reputation: 2 238

Interesting. I've only vaguely heard of the SGID bit, so that's good info to get.

As for umask, how does that work with the lighttpd process in this case? How do I set a umask for non users? – Eddie Parker – 2010-03-23T08:37:26.867

I'm no expert on lighttpd and a process can change its own umask at will, but you could try adding the umask command to lighttpd's startup script. If that doesn't help, have a look at lighttpd's or WordPress' documentation. – Kim – 2010-03-23T11:52:20.860

Alright, thanks Kim. Very concise answer and exactly what I was looking for. I'll noodle with the server side, but at least the SGID bit will get me 90% of the way there. – Eddie Parker – 2010-03-23T17:37:04.703

I believe it should be chmod g+s /var/www (without -R) to avoid setting the non-directory files under /var/www to setgid, i.e. -rw-rwSr--. And the command should be manually re-issued for every directory under /var/www. – PJ_Finnegan – 2019-03-31T21:02:00.403
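
The setgid-plus-umask scheme from the answer, with the setgid bit applied to directories only as the last comment suggests, written out as an added example (not code from any of the posters). The function names share_tree, audit_tree and demo are hypothetical, and the demo uses a temporary directory with the caller's primary gid standing in for www-data so it runs without root.

```shell
#!/bin/sh
# Added example. share_tree, audit_tree and demo are hypothetical names.

# share_tree DIR GROUP: group-own the tree, setgid on directories only.
share_tree() {
    dir=$1 group=$2
    chgrp -R "$group" "$dir" || return 1
    # Directories: setgid so new entries inherit the group, no access for others.
    find "$dir" -type d -exec chmod g+rwxs,o-rwx {} + || return 1
    # Files: group read/write, and clear any setgid bit left by "chmod -R g+s".
    find "$dir" -type f -exec chmod g+rw,g-s,o-rwx {} + || return 1
}

# audit_tree DIR GROUP: print every entry that breaks the scheme.
# No output means the tree is consistent.
audit_tree() {
    dir=$1 group=$2
    find "$dir" ! -group "$group" -print
    find "$dir" -type d ! -perm -2070 -print
    find "$dir" -type f \( -perm -2000 -o ! -perm -060 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

demo() {
    root=$(mktemp -d) || return 1
    grp=$(id -g)   # assumption: caller's primary gid stands in for www-data
    mkdir -p "$root/www/wp-content"
    echo '<?php' > "$root/www/index.php"
    share_tree "$root/www" "$grp" || return 1
    # New entries created under umask 007, as in the ~/.bashrc line above.
    ( umask 007
      echo x > "$root/www/wp-content/new.php"
      mkdir "$root/www/wp-content/uploads" )
    audit_tree "$root/www" "$grp"   # prints nothing when everything conforms
    ls -lR "$root/www"
    rm -rf "$root"
}

demo
```

A file created under a different umask (022, for example) shows up in audit_tree's output because it lacks group write, which makes the audit usable as a read-only check in place of a cron job that rewrites modes.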