Textpattern CMS support forum
#1 2023-04-05 11:10:42
- Algaris
- Member
- From: England
- Registered: 2006-01-27
- Posts: 565
Ubuntu Linux Permissions
Do any of you have advice on the best practices regarding ownership and permissions for the web root and its contents on an Ubuntu server? I need the web root to be writable by the www-data user and also a Samba user via a network share on a Mac/PC.
I’ve set the ownership of the html directory up with the following:
sudo chown -R www-data:user /var/www/html
I’ve set my Samba share up as follows:
[share_name]
path = /var/www/html
available = yes
valid users = user
read only = no
browsable = yes
public = yes
writable = yes
Currently I’m setting the permissions for the html directory using:
chmod -R ugo+rw /var/www/html
I suspect this might be a bit too open for production though.
Whenever I experiment with other permissions I keep locking myself out, blocking my web app, or blocking the Samba user from writing to the share. I want to strike a balance between my web app and the Samba user being able to write to the html directory and security. Any advice would be much appreciated.
Offline
Re: Ubuntu Linux Permissions
Is the Samba user a member of the user group? I’m assuming yes, but for completeness.
Try this:
sudo chown -R www-data:user /var/www/html
sudo chmod -R 755 /var/www/html
That’s my stock setup for most things and it works just fine. It used octal permissions rather than your approach, but unless your web app is on the exotic end of things (and the rest of your system is pretty well maintained), you should be largely OK.
Offline
#3 2023-04-17 11:28:50
- Algaris
- Member
- From: England
- Registered: 2006-01-27
- Posts: 565
Re: Ubuntu Linux Permissions
Hi Pete, thank you for your reply and sorry for the delay in getting back to you; I’ve been away for Easter.
This is very useful, thank you for the details. I mostly work with Textpattern and WordPress, I just used the phrase web app for simplicity.
I tried your commands but now I can’t write to the html directory via the Samba share on my Mac. I’m guessing I haven’t correctly added the Samba user to the user group correctly. I did a list of groups using the group command and was shown the following:
- adm
- cdrom
- dip
- plugdev
- lxd
Sorry for my lack of knowledge and googling skills, this is all quite new to me.
Offline
Re: Ubuntu Linux Permissions
Algaris wrote #335320:
I tried your commands but now I can’t write to the html directory via the Samba share on my Mac. I’m guessing I haven’t correctly added the Samba user to the user group correctly. I did a list of groups using the group command and was shown the following:
- adm
- cdrom
- dip
- plugdev
- lxd
OK, so let’s unpack your original post a bit. This line:
sudo chown -R www-data:user /var/www/html
What’s happening here is you’re recursively assigning ownership to the directory (and contents of) /var/www/html to the www-data user and the user group. The next command:
chmod -R ugo+rw /var/www/html
Here you’re recursively assigning access rights (and then some other important things) to the /var/www/html directory according to its ownership:
- the ugo part is you specifying rights for (u)sers, (g)roups and (o)thers
- the +rw part is you adding (r)ead + (w)rite permissions to the directory
So you’re effectively saying everyone / everything (with the others part) has read + write access to the files. This is bad. Some apps just won’t work if they detect these permissions, which is where you might be getting tripped up on your Samba share. There’s also a factor that the execute part (of read, write and execute) is missing, so that might spanner things further.
To translate chmod -R ugo+rw /var/www/html into octal (for uniformity with your other command, if nothing else), you need to know the magic numbers for the permissions:
- 0 = No permission
- 1 = execute
- 2 = write
- 4 = read
Take the permissions you want for each element of the ownership – user, group, others – and then replace each of ugo with a total of the permissions you want from the list above. For example, for read + execute, that’s 4+1=5…for read, write & execute, that’s 4+2+1=7. Your web server runs as a user (likely www-data by the looks of things) and your Samba server will run as a user (possibly user but see if you can confirm this).
So, we need to set the /var/www/html to be owned by a user and a group – which is what you’re doing with sudo chown -R www-data:user /var/www/html – and we know the web server runs as www-data…so that’s covered. The Samba service runs as…whoever it runs as…and that user should be a member of the user group (if you’re using the same command as you are currently). An alternative to look into: the www-data user is also in a group called www-data…so if you add the Samba user into the www-data group instead of the user group, you could set the ownership like this:
sudo chown -R www-data:www-data /var/www/html
…which has the added benefit of not giving any permissions to the adm, cdrom, dip, plugdev & lxd users (which don’t appear to need access unless I’m missing something).
You can add a user to the www-data group like this:
sudo usermod -a -G www-data username
If you can find the Samba user, add it to the group, then run this to reset the ownership:
sudo chown -R www-data:www-data /var/www/html
Then run this to set your permissions:
sudo chown -R 775 /var/www/html
This gives your web server user & the Samba user full rights, and everyone else read + execute. If Samba is just being a pain in the bum, you could also transfer over SFTP with your own user account, but remember you should add your own account into the :group mentioned in your command, like this:
sudo usermod -a -G www-data algaris
Give that a spin, see how you get on.
Offline
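Added example (not part of the original posts): the octal arithmetic from the post above in POSIX shell, plus a check of what each chmod argument does to a 755 directory and a 644 file. It works on a throwaway directory, never on /var/www/html; the function names are made up for illustration and stat -c assumes GNU coreutils as shipped with Ubuntu.

```sh
# Added example, not from the thread. Function names are hypothetical.

# Convert an ls-style permission string (e.g. rwxrwxr-x) to octal with the
# values from the post: read = 4, write = 2, execute = 1.
# Only r, w, x and - are handled; special bits (s, t) are not covered here.
rwx_to_octal() {
    rest=$1 out="" n=0 digit=0
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}   # first character of what is left
        rest=${rest#?}
        case $c in
            r) digit=$((digit + 4)) ;;
            w) digit=$((digit + 2)) ;;
            x) digit=$((digit + 1)) ;;
        esac
        n=$((n + 1))
        if [ $((n % 3)) -eq 0 ]; then out="$out$digit"; digit=0; fi
    done
    printf '%s\n' "$out"
}

# Apply a chmod argument recursively to a scratch tree (directory at 755,
# file at 644) and print "<dir mode> <file mode>" as GNU stat reports them.
modes_after() {
    scratch=$(mktemp -d)
    mkdir "$scratch/html"
    : > "$scratch/html/index.php"
    chmod 755 "$scratch/html"
    chmod 644 "$scratch/html/index.php"
    chmod -R "$1" "$scratch/html"
    printf '%s %s\n' "$(stat -c %a "$scratch/html")" \
                     "$(stat -c %a "$scratch/html/index.php")"
    rm -rf "$scratch"
}

echo "rwxrwxr-x       = $(rwx_to_octal rwxrwxr-x)"
echo "chmod -R ugo+rw -> $(modes_after ugo+rw)"   # others gain write
echo "chmod -R 775    -> $(modes_after 775)"      # others stay read + execute
```

The symbolic form adds bits to whatever is already set, which is why the 755 directory ends up at 777; the octal form replaces the mode outright.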
#5 2023-04-18 09:14:31
- Algaris
- Member
- From: England
- Registered: 2006-01-27
- Posts: 565
Re: Ubuntu Linux Permissions
Thank you so much Pete, this is incredibly helpful. Permissions have always been something of a weak point for me and I always seem to run into issues when modifying them.
I can see where some of my confusion came from now. I assumed that as www-data was a user I also had to add my Samba user (which is called user just to confuse matters) to the end of the command hence sudo chown -R www-data:user /var/www/html. I didn’t realise that www-data was a user as well as a group and the last part of the command was to specify a group.
When I initially set Samba up I added the user account as a Samba user: sudo smbpasswd -a user
Going by your instructions I changed the ownership of the html directory (and subdirectories) to the www-data user and group:
sudo chown -R www-data:www-data /var/www/html
I then added the Samba user to the www-data group:
sudo usermod -a -G www-data user
I then reset the ownership of the html directory (and subdirectories) to the www-data user and group:
sudo chown -R www-data:www-data /var/www/html
I then set the permissions for the directories to 775:
sudo chown -R 775 /var/www/html
I then restarted the Samba service:
sudo smbd restart
After trying this I found that I couldn’t write to the Samba share from my Mac. The website (which is powered by WordPress🤮) also couldn’t write to the server either, displaying an error that it couldn’t create the required directories/files during an update.
—Edit—
I also ran getent group www-data to check the group membership and the following was output:
www-data:x:33:user
Last edited by Algaris (2023-04-19 13:43:52)
Offline
#6 2023-04-19 14:32:03
- Algaris
- Member
- From: England
- Registered: 2006-01-27
- Posts: 565
Re: Ubuntu Linux Permissions
Okay, everything appears to be working now. Hopefully I’ve done this correctly. I ran the following:
sudo chmod -R 775 /var/www/html
When I went to the /var/www directory and ran ls -l it output the following:
drwxrwxr-x 3 775 www-data 4096 Apr 19 14:42 html
Last edited by Algaris (2023-04-19 14:52:39)
Offline
Re: Ubuntu Linux Permissions
Nice one! Sorry for the delay in replying.
Try ls -al for a bit more info – that will include the user and group ownership. For example:
$ ls -al
total 40
drwxrwxr-x 8 www-data www-data 4096 Jan 18 11:39 .
drwxr-xr-x 13 root root 4096 Jan 18 11:37 ..
drwxrwxr-x 2 www-data www-data 4096 Jan 18 11:39 css
-rwxrwxr-x 1 www-data www-data 889 Jan 18 11:39 css.php
drwxrwxr-x 2 www-data www-data 4096 Jan 18 11:39 files
drwxrwxr-x 2 www-data www-data 4096 Jan 18 11:39 images
-rwxrwxr-x 1 www-data www-data 2342 Jan 18 11:39 index.php
drwxrwxr-x 2 www-data www-data 4096 Jan 18 11:39 js
drwxrwxr-x 11 www-data www-data 4096 Jan 18 11:41 textpattern
drwxrwxr-x 2 www-data www-data 4096 Jan 18 11:39 themes
You can also use alias to set a short command to run a longer command, save you some keystrokes. For example, you can alias la to ls -al. Have a look here for some more details:
askubuntu.com/questions/17536/how-do-i-create-a-permanent-bash-alias
Offline
#8 2023-04-21 08:11:14
- Algaris
- Member
- From: England
- Registered: 2006-01-27
- Posts: 565
Re: Ubuntu Linux Permissions
Thank you so much Pete. This is incredibly helpful. Every time I discuss Linux with you I learn so much.
I ran ls -al and it output the following:
drwxrwxr-x 3 www-data www-data 4096 Apr 19 14:42 html
Offline
Re: Ubuntu Linux Permissions
Algaris wrote #335347:
I ran ls -al and it output the following:
drwxrwxr-x 3 www-data www-data 4096 Apr 19 14:42 html
Perfect. The first www-data is the user ownership, the second www-data is the group ownership. You can drill down into that directory and you’ll see the same ownership for the files & directories inside.
The d at the start indicates a directory. The next 9 characters are three blocks of 3 settings for read, write and execute for the (u)ser, (g)roup and (o)thers. You can use the chmod -R ugo+rw approach fine enough, but you may find the octal stuff better in the long term – whatever works for you, really.
Last edited by gaekwad (2023-04-24 10:52:42)
Offline
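Added example (not part of the original posts): a read-only audit for the two problems this thread ran into, entries that others can write to and entries whose owner is not the expected account. The ls -l output in post #6 shows 775 in the owner column, which is what chown -R 775 produces, and the ownership test below flags that case. Function names are hypothetical, GNU find and stat are assumed, and the demo runs on a scratch directory.

```sh
# Added example, not from the thread. Function names are hypothetical.
# Needs GNU find/stat (as on Ubuntu). audit_webroot only reads.

# audit_webroot DIR OWNER GROUP
# One line per entry that is not owned by OWNER:GROUP or that "others" can
# write to. OWNER and GROUP may be names or numeric IDs.
audit_webroot() {
    find "$1" \( ! -user "$2" -o ! -group "$3" -o -perm -0002 \) ! -type l \
        -exec stat -c '%U:%G %a %n' {} + | sort
}

# in_group USER GROUP: succeeds if USER belongs to GROUP.
in_group() {
    for g in $(id -Gn "$1" 2>/dev/null); do
        if [ "$g" = "$2" ]; then return 0; fi
    done
    return 1
}

# Constructed demo on a scratch tree: one file is left world-writable.
demo_audit() {
    demo=$(mktemp -d)
    mkdir "$demo/html"
    : > "$demo/html/index.php"
    : > "$demo/html/upload.tmp"
    chmod 775 "$demo/html" "$demo/html/index.php"
    chmod 666 "$demo/html/upload.tmp"
    audit_webroot "$demo/html" "$(stat -c %u "$demo")" "$(stat -c %g "$demo")"
    rm -rf "$demo"
}

demo_audit
# On the server: audit_webroot /var/www/html www-data www-data
#                in_group user www-data || echo "user is not in www-data"
```

An empty result from audit_webroot means every entry has the expected owner and group and nothing is writable by others.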