?
Solved

LINUX Ownership (CHOWN) & Permissions (CHMOD) question ...

Posted on 2014-07-30
8
Medium Priority
?
872 Views
Last Modified: 2014-08-05
I have a 3rd party application (happens to be OpenCart) that needs Apache to have full access when it's Admin panel is run.
If I change the Ownership of the files to apache:apache (per someone's Docs), everything works fine ... except then my FTP Users cannot login to the site.
What is the correct way to  give the "Apache user" access AND my FTP Users access?
One suggestion earlier was to add the User to the "Apache" group. Maybe I misunderstood ... wouldn't I then need to change all Permissions to 775 and 664 (instead of 755 and 644) to allow Group full access?
I also see a possible solution using a Linux "SetGID" program that allows "CHMOD 2755 ..."   (instead of CHMOD 755 ...).
Can anyone enlighten me?  I am SURE I am missing a tidbit of knowledge here somewhere.
0
Comment
Question by:bleggee
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 58

Expert Comment

by:Gary
ID: 40229520
What application?
The only thing you should need to do is give read/write permissions to a folder
It's inane that you should need to start messing around with users and likely screw everything else up.
0
 
LVL 23

Assisted Solution

by:savone
savone earned 664 total points
ID: 40229580
chown -R apache:ftpusers /path/to/dir
chmod -R 775 /path/to/dir

Make apache own the folder and your ftp user group the group of the folder.  Then you can set permissions for both, like in my example.  Apache would have full RWX (first 7) ftpusers would have the same (second 7) and everyone else would have read and execute (usually needed for a webserver).
0
 
LVL 38

Expert Comment

by:Gerwin Jansen, EE MVE
ID: 40230418
The 2 is the set-group-ID-on-execution bit

From the chmod man page:

2000    (the set-group-ID-on-execution bit) Executable files with this bit set will run with effective gid set to the gid of the file owner.
0
Supports up to 4K resolution!

The VS192 2-Port 4K DisplayPort Splitter is perfect for anyone who needs to send one source of DisplayPort high definition video to two or four DisplayPort displays. The VS192 can split and also expand DisplayPort audio/video signal on two or four DisplayPort monitors.

 
LVL 62

Expert Comment

by:gheist
ID: 40230998
02000 is set-file-group-for-new-files of set on directory, and it is settable only by root user.
0
 
LVL 1

Assisted Solution

by:Nicola Mackin
Nicola Mackin earned 668 total points
ID: 40231411
savone suggestion is good, only I would not do a 775 I would go for a 770. In my experience there is no need to have 5 on the last octal.  You can also be much more restrictive by using .htaccess
0
 
LVL 27

Accepted Solution

by:
skullnobrains earned 668 total points
ID: 40242169
savone's solution will likely work

adding ftpuser to the apache group as well

using a dedicated user and add both apache and your ftp users to it's group as well

you can also consider ACLs if your fiolesystem supports them (refer to setfacl/getfacl man pages)

but most likely, there is no need for your ftp users to access the same files OpenCart needs. opencart probably only needs write access to it's admin directory, and your ftp users most likely should not even access these for reading
0
 
LVL 62

Expert Comment

by:gheist
ID: 40242285
If ftpuser is added to apache group then it will be able to steal htpasswd files and more.
0
 
LVL 1

Author Comment

by:bleggee
ID: 40242326
Good point on the Security issue GHeist
0

Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It’s 2016. Password authentication should be dead — or at least close to dying. But, unfortunately, it has not traversed Quagga stage yet. Using password authentication is like laundering hotel guest linens with a washboard — it’s Passé.
Fine Tune your automatic Updates for Ubuntu / Debian
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
Suggested Courses

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question