Textpattern CMS support forum

#1 2023-04-05 11:10:42

Algaris
Member
From: England
Registered: 2006-01-27
Posts: 557

Ubuntu Linux Permissions

Do any of you have advice on the best practices regarding ownership and permissions for the web root and its contents on an Ubuntu server? I need the web root to be writable by the www-data user and also a Samba user via a network share on a Mac/PC.

I’ve set the ownership of the html directory up with the following:

sudo chown -R www-data:user /var/www/html

I’ve set my Samba share up as follows:

[share_name]
   path = /var/www/html
   available = yes
   valid users = user
   read only = no
   browsable = yes
   public = yes
   writable = yes

Currently I’m setting the permissions for the html directory using:

chmod -R ugo+rw /var/www/html

I suspect this might be a bit too open for production though.

Whenever I experiment with other permissions I keep locking myself out, blocking my web app, or blocking the Samba user from writing to the share. I want to strike a balance between my web app and the Samba user being able to write to the html directory and security. Any advice would be much appreciated.

#2 2023-04-06 16:28:19

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,277

Re: Ubuntu Linux Permissions

Is the Samba user a member of the user group? I’m assuming yes, but for completeness.

Try this:

sudo chown -R www-data:user /var/www/html
sudo chmod -R 755 /var/www/html

That’s my stock setup for most things and it works just fine. It uses octal permissions rather than your approach, but unless your web app is on the exotic end of things (and the rest of your system is pretty well maintained), you should be largely OK.

#3 2023-04-17 11:28:50

Algaris
Member
From: England
Registered: 2006-01-27
Posts: 557

Re: Ubuntu Linux Permissions

Hi Pete, thank you for your reply and sorry for the delay in getting back to you; I’ve been away for Easter.

This is very useful, thank you for the details. I mostly work with Textpattern and WordPress, I just used the phrase web app for simplicity.

I tried your commands but now I can’t write to the html directory via the Samba share on my Mac. I’m guessing I haven’t correctly added the Samba user to the user group. I did a list of groups using the group command and was shown the following:

  • adm
  • cdrom
  • dip
  • plugdev
  • lxd

Sorry for my lack of knowledge and googling skills, this is all quite new to me.

#4 2023-04-17 12:03:45

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,277

Re: Ubuntu Linux Permissions

Algaris wrote #335320:

I tried your commands but now I can’t write to the html directory via the Samba share on my Mac. I’m guessing I haven’t correctly added the Samba user to the user group. I did a list of groups using the group command and was shown the following:

  • adm
  • cdrom
  • dip
  • plugdev
  • lxd

OK, so let’s unpack your original post a bit. This line:

sudo chown -R www-data:user /var/www/html

What’s happening here is you’re recursively assigning ownership to the directory (and contents of) /var/www/html to the www-data user and the user group. The next command:

chmod -R ugo+rw /var/www/html

Here you’re recursively assigning access rights (and then some other important things) to the /var/www/html directory according to its ownership:

  • the ugo part is you specifying rights for users groups and others
  • the +rw part is you adding read + write permissions to the directory

So you’re effectively saying everyone / everything (with the others part) has read + write access to the files. This is bad. Some apps just won’t work if they detect these permissions, which is where you might be getting tripped up on your Samba share. There’s also a factor that the execute part (of read, write and execute) is missing, so that might spanner things further.

To translate chmod -R ugo+rw /var/www/html into octal (for uniformity with your other command, if nothing else), you need to know the magic numbers for the permissions:

  • 0 = No permission
  • 1 = execute
  • 2 = write
  • 4 = read

Take the permissions you want for each element of the ownership – user, group, others – and then replace each of ugo with a total of the permissions you want from the list above. For example, for read + execute, that’s 4+1=5…for read, write & execute, that’s 4+2+1=7. Your web server runs as a user (likely www-data by the looks of things) and your Samba server will run as a user (possibly user but see if you can confirm this).

So, we need to set the /var/www/html to be owned by a user and a group – which is what you’re doing with sudo chown -R www-data:user /var/www/html – and we know the web server runs as www-data…so that’s covered. The Samba service runs as…whoever it runs as…and that user should be a member of the user group (if you’re using the same command as you are currently). An alternative to look into: the www-data user is also in a group called www-data…so if you add the Samba user into the www-data group instead of the user group, you could set the ownership like this:

sudo chown -R www-data:www-data /var/www/html

…which has the added benefit of not giving any permissions to the adm, cdrom, dip, plugdev & lxd users (which don’t appear to need access unless I’m missing something).

You can add a user to the www-data group like this:

sudo usermod -a -G www-data username

If you can find the Samba user, add it to the group, then run this to reset the ownership:

sudo chown -R www-data:www-data /var/www/html

Then run this to set your permissions:

sudo chown -R 775 /var/www/html

This gives your web server user & the Samba user full rights, and everyone else read + execute. If Samba is just being a pain in the bum, you could also transfer over SFTP with your own user account, but remember you should add your own account into the :group mentioned in your command, like this:

sudo usermod -a -G www-data algaris

Give that a spin, see how you get on.

#5 2023-04-18 09:14:31

Algaris
Member
From: England
Registered: 2006-01-27
Posts: 557

Re: Ubuntu Linux Permissions

Thank you so much Pete, this is incredibly helpful. Permissions have always been something of a weak point for me and I always seem to run into issues when modifying them.

I can see where some of my confusion came from now. I assumed that as www-data was a user I also had to add my Samba user (which is called user just to confuse matters) to the end of the command hence sudo chown -R www-data:user /var/www/html. I didn’t realise that www-data was a user as well as a group and the last part of the command was to specify a group.

When I initially set Samba up I added the user account as a Samba user: sudo smbpasswd -a user

Going by your instructions I changed the ownership of the html directory (and subdirectories) to the www-data user and group:

sudo chown -R www-data:www-data /var/www/html

I then added the Samba user to the www-data group:

sudo usermod -a -G www-data user

I then reset the ownership of the html directory (and subdirectories) to the www-data user and group:

sudo chown -R www-data:www-data /var/www/html

I then set the permissions for the directories to 775:

sudo chown -R 775 /var/www/html

I then restarted the Samba service:

sudo smbd restart

After trying this I found that I couldn’t write to the Samba share from my Mac. The website (which is powered by WordPress🤮) also couldn’t write to the server either, displaying an error that it couldn’t create the required directories/files during an update.

—Edit—

I also ran getent group www-data to check the group membership and the following was output:

www-data:x:33:user

Last edited by Algaris (2023-04-19 13:43:52)

#6 2023-04-19 14:32:03

Algaris
Member
From: England
Registered: 2006-01-27
Posts: 557

Re: Ubuntu Linux Permissions

Okay, everything appears to be working now. Hopefully I’ve done this correctly. I ran the following:

sudo chmod -R 775 /var/www/html

When I went to the /var/www directory and ran ls -l it output the following:

drwxrwxr-x 3 775 www-data 4096 Apr 19 14:42 html

Last edited by Algaris (2023-04-19 14:52:39)

#7 2023-04-20 14:44:37

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,277

Re: Ubuntu Linux Permissions

Nice one! Sorry for the delay in replying.

Try ls -al for a bit more info – that will include the user and group ownership. For example:

$ ls -al
total 40
drwxrwxr-x  8 www-data www-data 4096 Jan 18 11:39 .
drwxr-xr-x 13 root     root     4096 Jan 18 11:37 ..
drwxrwxr-x  2 www-data www-data 4096 Jan 18 11:39 css
-rwxrwxr-x  1 www-data www-data  889 Jan 18 11:39 css.php
drwxrwxr-x  2 www-data www-data 4096 Jan 18 11:39 files
drwxrwxr-x  2 www-data www-data 4096 Jan 18 11:39 images
-rwxrwxr-x  1 www-data www-data 2342 Jan 18 11:39 index.php
drwxrwxr-x  2 www-data www-data 4096 Jan 18 11:39 js
drwxrwxr-x 11 www-data www-data 4096 Jan 18 11:41 textpattern
drwxrwxr-x  2 www-data www-data 4096 Jan 18 11:39 themes

You can also use alias to set a short command to run a longer command and save yourself some keystrokes. For example, you can alias la to ls -al. Have a look here for some more details:

askubuntu.com/questions/17536/how-do-i-create-a-permanent-bash-alias

#8 2023-04-21 08:11:14

Algaris
Member
From: England
Registered: 2006-01-27
Posts: 557

Re: Ubuntu Linux Permissions

Thank you so much Pete. This is incredibly helpful. Every time I discuss Linux with you I learn so much.

I ran ls -al and it output the following:

drwxrwxr-x 3 www-data www-data 4096 Apr 19 14:42 html

#9 2023-04-24 10:52:04

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,277

Re: Ubuntu Linux Permissions

Algaris wrote #335347:

I ran ls -al and it output the following:

drwxrwxr-x 3 www-data www-data 4096 Apr 19 14:42 html

Perfect. The first www-data is the user ownership, the second www-data is the group ownership. You can drill down into that directory and you’ll see the same ownership for the files & directories inside.

The d at the start indicates a directory. The next 9 characters are three blocks of 3 settings for read, write and execute for the user, group and others. You can use the chmod -R ugo+rw approach fine enough, but you may find the octal stuff better in the long term – whatever works for you, really.

Last edited by gaekwad (2023-04-24 10:52:42)
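An added example (not code from the thread, from Textpattern or from the poster's server): a small POSIX sh audit that encodes the rules laid out in #4 (owner www-data:www-data, mode 775, Samba user in the www-data group) and the ls mode-string reading from #9, and goes a little beyond them by flagging world-writable paths (the ugo+rw problem) and directories lacking group execute. Path, expected user and expected group are arguments; it needs only sh, ls, cut and id.

```shell
#!/bin/sh
# Added example, not from the thread. POSIX sh helpers that check the
# layout described in the posts above: web root owned by www-data:www-data,
# mode 775 (no "others" write bit), Samba user a member of www-data.

# Turn the 9-character symbolic mode from ls ("rwxrwxr-x") into octal
# ("775") by summing r=4, w=2, x=1 for each user/group/others triplet.
mode_to_octal() {
    sym=$1 out=""
    for i in 1 4 7; do
        triplet=$(printf '%s' "$sym" | cut -c"$i-$((i + 2))")
        n=0
        case $triplet in r??) n=$((n + 4)) ;; esac
        case $triplet in ?w?) n=$((n + 2)) ;; esac
        case $triplet in ??[xst]) n=$((n + 1)) ;; esac
        out="$out$n"
    done
    printf '%s' "$out"
}

# Exit 0 when user $1 belongs to group $2 (primary or supplementary);
# this is the "is the Samba user in the www-data group?" question.
user_in_group() {
    for g in $(id -nG "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Audit one path against the expected owner and group. Prints one line per
# finding and returns the number of findings, so 0 means "looks right".
webroot_check() {
    path=$1 want_user=$2 want_group=$3 findings=0
    set -- $(ls -ld "$path")                   # mode links owner group ...
    mode=$1 owner=$3 group=$4
    perm=$(printf '%s' "$mode" | cut -c2-10)   # drop type char and any ACL "+"
    octal=$(mode_to_octal "$perm")
    [ "$owner" = "$want_user" ] || { echo "$path: owner $owner, want $want_user"; findings=$((findings + 1)); }
    [ "$group" = "$want_group" ] || { echo "$path: group $group, want $want_group"; findings=$((findings + 1)); }
    # ugo+rw leaves the others write bit set: any local account can edit files
    case $perm in ???????w?) echo "$path: world-writable ($octal)"; findings=$((findings + 1)) ;; esac
    # a directory without group execute cannot be entered by group members
    case $mode in d*) case $perm in ?????[xs]???) ;; *) echo "$path: dir lacks group x ($octal)"; findings=$((findings + 1)) ;; esac ;; esac
    return $findings
}
```

Run it as `webroot_check /var/www/html www-data www-data` and `user_in_group user www-data` to confirm the setup from #5 without touching anything.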