Normal Linux User Recursively Write Access To Apache Document Root

I can't believe I wrote a looong message and it logged me out when I tried to submit it.

So anyway, in short lines:

- I have a network of sites where all sites share same "images" folder
- I have created /home/_images/entities and symlinked it from all websites
- It works great with Apache, when I open /images/ on any of the sites I get list of images and can view them

The problem is suPHP which changes process ID of the PHP script to the file owner ID, so when I load site1.com, all scripts are executed as user1 (and files/folders created with those scripts belong to user1:user1). When I load site2.com, all scripts are executed as user2 (and files/folders created with those scripts belong to user2:user2). All these users do NOT belong to the same group, and I wouldn't like to change that as it is cPanel/WHM server so I'm afraid I'll screw something up if I change (primary?) group of all users.

Therefore I need to set it up in such way that all newly created folders and files under /home/_images/entities (owned by root) have read/write permissions for everyone.

Here's the command I used:

Code:

setfacl -Rdm o::rwx /home/_images/entities

To check it:
Code:

root@server1 [~]# getfacl /home/_images/entities/
getfacl: Removing leading '/' from absolute path names
# file: home/_images/entities/
# owner: root
# group: root
user::rwx
group::rwx
other::rwx
default:user::rwx
default:group::rwx
default:other::rwx

This looks fine, however when I try upload an image via site1.com it looks like this:

Code:

root@server1 [/home/_images/entities]# ls -l
total 24
drwxrwxrwx+ 5 root    root    4096 Jan 14 06:25 ./
drwxrwxrwx  5 root    root    4096 Jan 12 13:08 ../
drwxrwxr-x+ 3 user1   user1   4096 Jan 14 06:25 1/

And in folder "1" is the image (and thumbs folder):

Code:

root@server1 [/home/_images/entities/1]# ls -l
total 236
drwxrwxr-x+ 3 user1   user1     4096 Jan 14 06:25 ./
drwxrwxrwx+ 5 root    root      4096 Jan 14 06:25 ../
-rw-rw-rw-  1 user1   user1   225569 Jan 14 06:25 689048f221ab7c556f4d482a9d92b2d6.jpg
drwxrwxr-x+ 2 user1   user1   4096 Jan 14 06:25 thumbs/

My questions:

1) Why newly created folders do not have "write" permissions for everyone else [not user and/or group]? If I upload first image from site1.com, then I can't upload other images from any other site, while all sites can display them.

2) What is the + at the end of permissions list? (drwxrwxr-x+)

3) Why newly created files have only "rw" permissions for user, group AND everyone else, and not execute permissions? I don't actually need execute flag set here, but from my command you can see I've set "o::rwx" so it should be there (or not?)

Actually the real problem is #1 - other users can't write to this folder so users can't upload images from other sites nor other sites can create (missing) thumbnails.

I am a bit confused and not sure what to look up to fix this issue. When I log in as user, I cannot edit my /var/www/html files.

I have the ownership of /var/www/html set to apache:apache (using centos 7). When I check groups for user it shows user and apache. That does mean I'm apart of the apache group right, and if the /var/www/html is owned by apache, I should be able to edit?

Directory /media/data/torrents/ has permissions 775, user yzt, group transmission

yzt and debian-transmission are members of the group transmission.

transmission-daemon is run by debian-transmission, and the new files it downloads have permissions 644, owner debian-transmission, group transmission. This is a problem, because I can't later move the files as my user, yzt, and need to be switching to root to change the permissions/ownership to be able to do so.

Using sticky bit I could copy it to anywhere else, but I'm interested on actually moving the file, not just copying it. I could run transmission-daemon as yzt and problem solved, but I rather have that internet facing service running by a limited user, just in case some vulnerability is found on Transmission.

So my question is, how can I set that every new file created under /media/data/torrents/ has permissions 775 like its parent directory?

Hello,

OS: CentOS 6.3

Background:
I'm trying to set up a situation where my FTP account is in a group where my phpbb forums were created. This will allow me to upload changes as I customize my forums (ie: .css files). However, right now, my problem is that I'm running into invalid permissions and the only way to move the files is to upload the file to a directory my FTP account has access too and then sudo cp the file over. Upon closer inspection of my files, it appears the groups the files have been made under are not the correct group.

Problem:
I am trying to use chgrp on a specific file to change the group owner to the group my FTP account is a member of but it does not seem to be working. Here is a snippet of what I'm doing:

Code:

zzz@aaaa:/var/www/html/yyy/forums/styles/GlossyBlack/theme]$ sudo chgrp apache colours.css -v
group of `colours.css' retained as apache
zzz@aaaa:/var/www/html/yyy/forums/styles/GlossyBlack/theme]$ ls
total 164
drwxr-xr-x 3 5645316 apache  4096 Mar 27 15:11 .
drwxr-xr-x 6 5645316 apache  4096 Nov 18  2012 ..
-rw-r--r-- 1  root     apache 23480 Mar 27 19:05 colours.css

I'm not sure why it still says root so I suspect I am doing something incorrect. When looking around, at first it seemed chgrp could change group owner on files but as I dug more, it seemed it can also change groups themselves. So I'm a little confused and require some clarity of experts.

I hope changing the group owner of this file will give access to my FTP account so I can apply this change to all needed locations.

Thanks.

Changing umask value for files and directories take effect after reload:
/etc/profile
/etc/bashrc
default permission for all users:
-rw-r--r--
above permission is edited to:
-rw-rw-r--
If a specific user in group having only read permission to a file/directory is created before reload,and Linux server reloads, that user gets rw permission to that file/directory. what is the alternative of securing:
/etc/profile
/etc/bashrc
apart from giving the two files access to root user only, and locking out all other users?

Hi,
I just upgraded my server from Debian 7 to Debian 8. Everything seemed to go fine. However, Apache doesn't seem to be able to see the web files. If I go to my server's IP, I get an empty directory listing, as if the document root was pointed to an empty directory. However, my apache.conf points to /var/www, and there are indeed files the
Code:

root@maples-server:~# ls -la /var/www/
total 624
drwxr-xr-x  5 www-data www-data   4096 Apr 28 19:35 .
drwxr-xr-x 13 root     root       4096 Mar 28 11:43 ..
lrwxrwxrwx  1 www-data www-data     18 Jan 10 20:47 anthony -> /home/anthony/web/
-rw-------  1 www-data www-data   1455 Apr 23 21:41 .bash_history
-rw-r--r--  1 www-data www-data   3388 Jan 21 19:34 .bashrc
drwxr-xr-x 11 www-data www-data   4096 Apr 23 21:41 chat
lrwxrwxrwx  1 www-data www-data     14 Mar 23 16:20 dad -> /home/dad/web/
drwxr-xr-x  2 root     root       4096 Mar 15 05:52 html
-rw-r--r--  1 www-data www-data    323 Mar 26 18:35 index.htm
drwx------  2 www-data www-data   4096 Jan 21 19:50 Mail
-rw-r--r--  1 anthony  anthony  592795 Apr 23 19:52 phpfreechat-1.7.tar.gz
-rw-r--r--  1 www-data www-data     41 Apr 15 21:52 robots.txt
-rw-------  1 www-data www-data   1541 Apr 23 21:41 .viminfo

Here's my apache.conf (with the comments stripped; there were no "end of line" comments):

Code:

root@maples-server:~# cat /etc/apache2/apache2.conf | grep -v "#"

Mutex file:${APACHE_LOCK_DIR} default

PidFile ${APACHE_PID_FILE}

Timeout 300

KeepAlive On

MaxKeepAliveRequests 100

KeepAliveTimeout 5


User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}

HostnameLookups Off

ErrorLog ${APACHE_LOG_DIR}/error.log

LogLevel warn

IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf

Include ports.conf


<Directory />
	Options FollowSymLinks
	AllowOverride None
	Require all denied
</Directory>

<Directory /usr/share>
	AllowOverride None
	Require all granted
</Directory>

<Directory /var/www/>
	Options Indexes FollowSymLinks
	AllowOverride None
	Require all granted
</Directory>

AccessFileName .htaccess

<FilesMatch "^\.ht">
	Require all denied
</FilesMatch>


LogFormat "v:p h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent


IncludeOptional conf-enabled/*.conf

IncludeOptional sites-enabled/*.conf

I also checked sites-enabled/000-default, and everything seems to be fine the
Code:

root@maples-server:~# cat /etc/apache2/sites-enabled/000-default 
<VirtualHost *:80>

	DocumentRoot /var/www
	<Directory />
		Options FollowSymLinks
		AllowOverride All
	</Directory>
	<Directory /var/www/>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride All
		Order allow,deny
		allow from all
	</Directory>

	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
	<Directory "/usr/lib/cgi-bin">
		AllowOverride All
		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
		Order allow,deny
		Allow from all
	</Directory>

	ErrorLog ${APACHE_LOG_DIR}/error.log

	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	LogLevel warn

	CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Additionally, the connections are no longer showing up in /var/log/apache2/access.log. The last access time in that file is from before the update. I don't know enough about systemd to know if it is responsible for redirecting the logs to somewhere else...

At this point, I have no idea why it's not working. If anyone could point me in the right direction, I would really appreciate it.
Thanks!

EDIT: After looking around some more, it seems that the output of "apachectl -S" is helpful. So here it is:
Code:

root@maples-server:~# apachectl -S
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl 
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: ENABLE_USR_LIB_CGI_BIN
User: name="www-data" id=33
Group: name="www-data" id=33

It appears that it's looking in a subdirectory html, which was not the case previously (before the upgrade). I've currently got a (ugly but useable) work-around using a symlink:
Code:

root@maples-server:~# cd /var/www/
root@maples-server:/var/www# rm -r html/
root@maples-server:/var/www# ln -s /var/www/
root@maples-server:/var/www# mv www html
root@maples-server:/var/www# ls -l html
lrwxrwxrwx 1 root root 9 Apr 28 22:36 html -> /var/www/

While this does work, I'd like to find the proper way of doing it. Any ideas?

Trying to set up Virtual Host on Ubuntu 14.04.

Any help to solve this is greatly appreciated!!!

Here is info:

Directory: /var/www/mydb.com/public_html (owner set to $USER:$USER)

Permissions: sudo chmod -R 755 /var/www/

Sample Page: /var/www/mydb.com/public_html/index.html (Shows Message)

Virtual Host Files:

Sites Available: mydb.com.conf
set ServerAdmin => admin@mydb.com
set ServerName => mydb.com
set ServerAlias => www.mydb.com
set DocumentRoot => /var/www/mydb.com/public_html

Sites Enabled: mydb.com.conf
ServerName mydb.com
ServerAlias www.mydb.com
ServerAdmin admin@mydb.com
DocumentRoot /var/www/mydb.com/public_html


I: disabled 000-default.conf w/a2dissite
enabled mydb.com.conf w/a2ensite

HOSTS File /etc/hosts:

127.0.1.1 localhost mydb.com
127.0.0.1 localhost
127.0.1.1 rick-Latitude-E6510

Result of localhost/mydb.com Same with www.mydb.com.

404 Not Found.
The requested URL /mydb.com was not found on this server.
Apache/2.4.7 (Ubuntu) Server at localhost Port 80

This from /var/log/apache2/access.log

127.0.0.1 - - [03/Apr/2015:13:19:08 -0700] "GET /mydb.com HTTP/1.1" 404 496 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0"

hi guys,

busy doing a small project with a centos7 server and virtualbox.
currently i have a login to the physical server called sninja

i have three partitions created for each of my virtual machines
sninja owns the directories for each vm...and root is the primary group...now lets say i wanted to have other users perform functions on my vm's ..ssh in,rsync data into the vm etc...

whats the best way to address security and user accounts etc?

what i was thinking:

create a group called Myusers1,then assign the users to that group and then make the group the primary group of the accessed directories etc

is this the right way to go about it? any ideas or help really appreciated...

Hi All,
Hopefully a simple question to answer. I am going to be setting up multiple Apache web servers behind a F5 load balancer and need to share the documentRoot out to all the servers. I have a dedicated SAN which I want to use and I've been searching to find a concrete document that states if its ok to use an iscsi drive or NFS mounted to all web servers but haven't seen anything concrete to say thats the normal or best practice way to setup that environment. My main concern is writing to the file at the same etc.

Can someone advise what they do for multiple web servers?

Thanks

I wanted to delete a couple of files, so I did. Then I noticed that they were "write-protected". What does that mean? Why was I able to delete the files considering I wasn't the owner and the files did not have group write permission?

Code:

[Michael@devserver backup_database]$ ls -l
total 4344
-rw-r--r--. 1 apache apache   50639 Feb  6 05:42 2015_02_06_05_42_01.sql
-rw-r--r--. 1 apache apache  654623 Feb  6 05:45 2015_02_06_05_45_54.sql
-rw-r--r--. 1 apache apache 3738269 Feb  6 05:49 2015_02_06_05_49_02.sql
[Michael@devserver backup_database]$ rm *
rm: remove write-protected regular file `2015_02_06_05_42_01.sql'? y
rm: remove write-protected regular file `2015_02_06_05_45_54.sql'? y
rm: remove write-protected regular file `2015_02_06_05_49_02.sql'? y
[Michael@devserver backup_database]$ ls -l
total 0
[Michael@devserver backup_database]$