Linux directory access question

2

I have a Linux system with Apache installed and I store web files in /home/username/www/sitename/htdocs. For this to work my /home/username has read and execute permissions for everyone. I know it's a bad idea, but I'm the only user on the system so ... I don't really care and I wouldn't know how else to do it. But the fact is I need to create another user. The problem with that, obviously, is that the new user has access to the old user's files. Is there any way I could only allow Apache's www-data user and my own user to access /home/username? Here's what I've tried:

  • I created a group webusers
  • I added my username and www-data to webusers
  • I removed rx permissions for everyone on /home/username
  • rx permissions still remain for the group on /home/username

So shouldn't www-data be able to access /home/username now? It is in the same group as my user. Or is it not that simple? I've read there are primary and secondary groups but I didn't really get the point there ...

Marius

Posted 2010-08-15T15:19:23.777

Reputation: 123

Answers

1

You need to chgrp webusers on the files that you want the members of the group to be able to access.

Paused until further notice.

Posted 2010-08-15T15:19:23.777

Reputation: 86 075

I see, but the other question still remains: if I chgrp htdocs, will Apache be able to access it if the home directory itself wasn't chgrp'ed? – Marius – 2010-08-15T16:04:31.600

@Marius: if the parent directory has execute rights for Other, it will be able to access (seek) files in that directory. – Paused until further notice. – 2010-08-15T18:09:36.993

0

If an application needs to access a filesystem entity, a file or directory, it should have (apart from the requested rights on the entity itself) eXecute rights on all parent directories. It could, however, have e.g. execute rights provided by group permissions on one directory and by others permissions on another: there is no difference in how the application gets its rights.

As the permissions for /home are probably 755 (rwxr-xr-x), there could be two possible problems.

First, you need to be sure Apache really runs as www-data, and second, after you add a user to a group you need to restart all applications already running as that user, because Linux doesn't look into /etc/passwd each time it needs to get the group list; instead it stores a list of GIDs in a kernel structure.

The primary and secondary groups are only valid when applied to a user. A user can belong to any number of groups, but one of these is selected as the primary and is assigned to newly created files; the others are used just to control access rights.

whitequark

Posted 2010-08-15T15:19:23.777

Reputation: 14 146
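To make the traversal rule in the answer above concrete, here is an added example (not code from the answer) that simulates the kernel's search check along a path for a given uid and set of gids. It shows the three points the thread circles around: every directory on the way down needs x, it does not matter whether x comes from the owner, group or other bits on each particular directory, and a process whose credentials do not yet carry the new supplementary gid (Apache started before the usermod) is denied exactly where the other bits were removed. All uids, gids and modes in the scenario are assumed values; real_ancestors() reads a live tree so the same check can be run against a real path without switching users.

```python
"""Simulate the kernel's discretionary-access check along a path: does a
process with a given uid and set of gids get search ('x') permission on every
directory it has to pass through?  Added example for this thread, not code
from any of the answers; all uids, gids and modes below are constructed."""
import os
import stat
from typing import Iterable, List, NamedTuple, Optional, Tuple


class Entry(NamedTuple):
    path: str
    mode: int   # permission bits only, e.g. 0o750
    uid: int
    gid: int


def permission_class(entry: Entry, uid: int, gids: Iterable[int]) -> str:
    """Pick the ONE class the kernel evaluates: owner, else group, else other.
    Classes are not cumulative: an owner whose owner bits lack 'x' is denied
    even if the 'other' bits would grant it."""
    if uid == entry.uid:
        return "owner"
    if entry.gid in set(gids):
        return "group"
    return "other"


def has_bit(entry: Entry, uid: int, gids: Iterable[int], bit: str) -> bool:
    shift = {"owner": 6, "group": 3, "other": 0}[permission_class(entry, uid, gids)]
    mask = {"r": 4, "w": 2, "x": 1}[bit] << shift
    return bool(entry.mode & mask)


def search_path(dirs: List[Entry], uid: int, gids: Iterable[int]) -> Tuple[bool, Optional[str]]:
    """Return (ok, first_blocking_dir).  Every directory in `dirs` needs 'x'
    for this uid/gids; which class grants it may differ per directory."""
    if uid == 0:                 # root holds CAP_DAC_READ_SEARCH, which bypasses this check
        return True, None
    gids = set(gids)
    for d in dirs:
        if not has_bit(d, uid, gids, "x"):
            return False, d.path
    return True, None


def real_ancestors(path: str) -> List[Entry]:
    """Read the live filesystem: one Entry per component from '/' down to and
    including `path`.  Pass the result (minus the last element when `path` is
    a file) to search_path() with Apache's uid and gids to check a real tree."""
    path = os.path.abspath(path)
    components = []
    while True:
        components.append(path)
        parent = os.path.dirname(path)
        if parent == path:
            break
        path = parent
    components.reverse()
    out = []
    for p in components:
        st = os.stat(p)
        out.append(Entry(p, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid))
    return out


# Constructed scenario from the question (assumed ids): /home/username has had
# its 'other' bits removed and its group set to webusers.
ROOT, USERNAME, WWW_DATA, NEWUSER, WEBUSERS = 0, 1000, 33, 1001, 1002
SCENARIO = [
    Entry("/", 0o755, ROOT, ROOT),
    Entry("/home", 0o755, ROOT, ROOT),
    Entry("/home/username", 0o750, USERNAME, WEBUSERS),
    Entry("/home/username/www", 0o755, USERNAME, USERNAME),
    Entry("/home/username/www/sitename", 0o755, USERNAME, USERNAME),
    Entry("/home/username/www/sitename/htdocs", 0o750, USERNAME, WEBUSERS),
]


def scenario_results() -> dict:
    """Who can reach htdocs?  www-data gets through / and /home via 'other',
    then /home/username via 'group': mixing classes along the path is fine."""
    return {
        # Apache restarted after 'usermod -aG webusers www-data': its kernel
        # credentials carry primary gid 33 plus supplementary gid webusers.
        "www-data, restarted": search_path(SCENARIO, WWW_DATA, {WWW_DATA, WEBUSERS}),
        # Apache still running from before the group change: same uid, but the
        # credential struct has no webusers gid yet.
        "www-data, stale creds": search_path(SCENARIO, WWW_DATA, {WWW_DATA}),
        "newuser": search_path(SCENARIO, NEWUSER, {NEWUSER}),
        "username": search_path(SCENARIO, USERNAME, {USERNAME}),
    }


if __name__ == "__main__":
    for who, (ok, blocked) in scenario_results().items():
        print(f"{who:24s} {'ok' if ok else 'denied at ' + blocked}")
```

On a real box the equivalent check is `real_ancestors("/home/username/www/sitename/htdocs")` fed to `search_path()` with www-data's uid and the gids from `id -G www-data`; if a running Apache still fails after that says ok, the stale-credentials case applies and the service needs a restart.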

-2

Each file and directory has a set of permissions for the owner, the group and other (everyone else).

Run ls -l to find what these are.

To change the permissions, use chmod; to change the owner and group, use chown.

The man pages for chown and chmod give tips for recursively applying permissions which makes the task much easier, as well as the syntax to use.

  • You create a group (webusers in your case) and change the ownership of the files in /home/user1/www/sitename/htdocs to user1.webusers
  • Then change the permissions of the files to rw-rw---- and of directories and CGIs to rwxrwx---
  • user2 (the new user) will not be able to access the files unless they are part of the webusers group

Brendan

Posted 2010-08-15T15:19:23.777

Reputation: 675

Thanks, but if I change permissions on htdocs only, won't Apache be able to access files, because it won't have permissions on /home/user1? Or does that not matter? – Marius – 2010-08-15T15:42:19.660

-1 the group is not the owner's group, it's separate (chgrp). – Hello71 – 2010-08-15T15:58:04.867

So ... now I'm completely confused ... :) – Marius – 2010-08-15T16:02:29.900

Ah, that's a good point, Marius. I think the hierarchy of directories above htdocs also has to be executable and readable, so you probably need to set directories at least to rwxrwxr-x up the hierarchy – Brendan – 2010-08-16T17:30:00.927

chown does the same as chgrp; it is just more general, i.e. it can change the owner if you pass the right flags ... in this case passing user1.webusers will only change the group for files that were created by user1 – Brendan – 2010-08-16T17:33:24.650
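The recursive part of this answer is where people usually slip: a flat chmod -R with a file mode strips x from directories, and chmod/chown follow symlinks out of the tree. The following is an added example (not the answer's own code) that applies the layout described above by walking the tree itself, giving directories and CGI scripts rwxrwx---, other files rw-rw----, and the ancestors above the tree rwxr-x--- (the state the questioner reached by removing the other bits), and then verifies the result. The suffix list that decides what counts as a CGI and the temp tree built by demo() are assumptions; chgrp is optional because it needs ownership plus membership in the target group, and on the real box you would pass the gid of webusers.

```python
"""Apply the group-only layout from the answer above to a web tree and verify
it: directories and CGI scripts rwxrwx--- (0770), other files rw-rw----
(0660), ancestors rwxr-x--- (0750), optionally chgrp'ed to the web group.
Added example for this thread, not code from the answer."""
import os
import shutil
import stat
import tempfile

DIR_MODE, EXEC_MODE, FILE_MODE, ANCESTOR_MODE = 0o770, 0o770, 0o660, 0o750
EXEC_SUFFIXES = (".cgi", ".pl", ".sh")   # assumed: which files are CGIs here


def wanted_mode(path, is_dir):
    if is_dir:
        return DIR_MODE
    return EXEC_MODE if path.endswith(EXEC_SUFFIXES) else FILE_MODE


def _walk(tree_root, ancestors):
    """Yield (path, wanted_mode) for the ancestors, then every directory and
    regular file under tree_root.  Symlinks are skipped: chmod/chown follow
    them and would alter targets that may live outside the tree."""
    for d in ancestors:
        yield d, ANCESTOR_MODE
    for dirpath, _dirnames, filenames in os.walk(tree_root):   # followlinks=False
        yield dirpath, DIR_MODE
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):
                yield full, wanted_mode(full, False)


def apply_group_layout(tree_root, gid=None, ancestors=()):
    """chmod (and chgrp when gid is given) every entry.  Walking the tree is
    what lets files and directories get different modes; 'chmod -R 660' would
    strip 'x' from directories and make them untraversable."""
    changed = 0
    for path, mode in _walk(tree_root, ancestors):
        os.chmod(path, mode)
        if gid is not None:
            os.chown(path, -1, gid)      # -1 leaves the owner unchanged
        changed += 1
    return changed


def find_violations(tree_root, gid=None, ancestors=()):
    """Return [(path, reason)] for anything not matching the layout.  Empty
    means nothing under the tree, and no ancestor, grants 'other' anything."""
    bad = []
    for path, want in _walk(tree_root, ancestors):
        st = os.lstat(path)
        mode = stat.S_IMODE(st.st_mode)
        if mode != want:
            bad.append((path, f"mode {mode:04o}, wanted {want:04o}"))
        if gid is not None and st.st_gid != gid:
            bad.append((path, f"gid {st.st_gid}, wanted {gid}"))
    return bad


def demo():
    """Build a throwaway copy of /home/username/www/sitename/htdocs under a
    temp dir (constructed data), apply the layout, verify, and report."""
    base = tempfile.mkdtemp(prefix="webperm-")
    home = os.path.join(base, "username")
    www = os.path.join(home, "www")
    site = os.path.join(www, "sitename")
    htdocs = os.path.join(site, "htdocs")
    os.makedirs(os.path.join(htdocs, "cgi-bin"))
    for rel in ("index.html", os.path.join("cgi-bin", "hello.cgi")):
        with open(os.path.join(htdocs, rel), "w") as f:
            f.write("placeholder\n")
    os.chmod(home, 0o755)                 # the world-searchable state from the question
    ancestors = (home, www, site)
    before = len(find_violations(htdocs, ancestors=ancestors))
    changed = apply_group_layout(htdocs, ancestors=ancestors)
    after = find_violations(htdocs, ancestors=ancestors)

    def mode_of(rel):
        return stat.S_IMODE(os.lstat(os.path.join(htdocs, rel)).st_mode)

    modes = {"htdocs": stat.S_IMODE(os.lstat(htdocs).st_mode),
             "index.html": mode_of("index.html"),
             "cgi-bin": mode_of("cgi-bin"),
             "cgi-bin/hello.cgi": mode_of(os.path.join("cgi-bin", "hello.cgi"))}
    shutil.rmtree(base)
    return {"before": before, "changed": changed, "after": after, "modes": modes}


if __name__ == "__main__":
    print(demo())
```

For the real tree, run it as the owner of /home/username with gid set to grp.getgrnam("webusers").gr_gid, then run find_violations() again after any deploy that creates new files, since files created by the primary group of whoever wrote them will not match until chgrp'ed.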