RKFcomputers

Linux File Permissions / Ownership Issue with Links

We are running a web server with CentOS, PHP, Apache, etc.

I have a common set of files and folders for our CMS that I like to keep in one shared location.
ex: /usr/local/share/cms/core

Each user has their own hosting account at /home/username/www and I have been creating a link to the shared files with:
ln -s /usr/local/share/cms/core ./core

The shared files and folders are all owned by root:root and are set to 755.

When I am logged in via SSH as a regular user I can access the shared files location and create the link to the shared files. However, when I browse to www.domainname.com/core I get a 404. If I change the ownership of the link to root:root instead of username:username only then I can access www.domainname.com/core

PHP is set to execute as the user.

The problem is that users can't create the link and then change ownership to root. From time to time we're going to be giving 3rd parties access to specific user accounts, but I don't want to give out root access.

How can I configure this such that a link created by the user will be able to access the files in the shared location?

(Apologies if I've been vague or left out any important details. Ask away and I'll respond asap.)
Jan Bacher

Use the alias command under each vhost config:

Alias /core /usr/local/share/cms/core
RKFcomputers

ASKER

Interesting idea ... I haven't played with the alias feature before. I'll check into it a bit.
I'm not sure the alias option will work for what we're trying to do. I want the user to be able to create the link (sometimes it will have to be in a subfolder or subdomain), and sometimes it will have to be moved.

Ex: Developing new site on new.domainname.com, so create the link at /home/username/www/sub/new/core
Deploy to main site after development by moving to /home/username/www/core

Well, if you are allowing that directive in an .htaccess file, you can always implement it in that fashion.

Testing in a different virtual host? Like test.example.com instead of www.example.com
ASKER CERTIFIED SOLUTION
asmodeus66

This solution is only available to members.
@asmodeus66,

Actually, apache runs as "nobody".

Should I try setting the ownership or group of the shared files to nobody? I think we tried that option at one point, but I can take another swing at it.

The problem with the symlinks option is that the owner might not match.

@jesper,

You're right - that's the problem. To date, the sites only worked when the symlink was owned by "root", which a regular user can't create/set.

@asmodeus66,

I tried adding "Options +FollowSymLinks -SymLinksIfOwnerMatch" to the .htaccess file in /home/username/www and that worked!

Now, if I've read and understood correctly that can cause a bit of a performance hit, so I tried to be more specific:
<Directory /home/demoshop/www>
Options +FollowSymLinks -SymLinksIfOwnerMatch
</Directory>

Can the <Directory> commands only be used in the main conf file, or is there something wrong with my syntax? I tried a few variations, and just got the usual 500 server error :)
SOLUTION
This solution is only available to members.
We're testing this in the htaccess on a few sites now, and it appears to be working well.

I'm hesitant to make too many changes to the main httpd.conf file as we use cPanel and it tends to overwrite manual edits. Long term, we'll look into preserving the core conf changes with cPanel.
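
Switching from SymLinksIfOwnerMatch to FollowSymLinks, as tried in this thread, drops Apache's requirement that a symlink and its target have the same owner. The following Python audit is an added example, not code from the thread: it lists the symlinks under a docroot that resolve only because of that change. The allowlist containing the shared CMS path and the function names are assumptions.

```python
import os

# Assumption: the shared CMS tree from the question is the only approved
# cross-owner target; extend this tuple for other shared locations.
ALLOWED_TARGETS = ("/usr/local/share/cms/core",)

def classify(link_uid, target_uid, target, allowed=ALLOWED_TARGETS):
    """Classify one symlink for an admin reviewing a FollowSymLinks change."""
    if link_uid == target_uid:
        return "owner-match"   # served even under SymLinksIfOwnerMatch
    for root in allowed:
        root = os.path.realpath(root)
        # Compare on a path boundary so "core-old" does not match "core".
        if target == root or target.startswith(root + os.sep):
            return "approved"  # owner differs, target is the shared tree
    return "review"            # owner differs, target is not on the list

def audit_symlinks(docroot, allowed=ALLOWED_TARGETS):
    """Walk docroot without following links; return (link, target, status)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot, followlinks=False):
        # Symlinks to directories are listed in dirnames but not descended.
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            target = os.path.realpath(link)
            try:
                status = classify(os.lstat(link).st_uid,
                                  os.stat(target).st_uid, target, allowed)
            except OSError:
                status = "dangling"  # target missing or unreadable
            findings.append((link, target, status))
    return findings

if __name__ == "__main__":
    import sys
    docroot = sys.argv[1] if len(sys.argv) > 1 else "."
    for link, target, status in audit_symlinks(docroot):
        if status != "owner-match":
            print(f"{status:9} {link} -> {target}")
```

Run it against each /home/username/www; links reported as "review" are the ones that SymLinksIfOwnerMatch would have refused and that point somewhere other than the shared tree.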