Solved

LINUX Ownership (CHOWN) & Permissions (CHMOD) question ...

Posted on 2014-07-30
8
863 Views
Last Modified: 2014-08-05
I have a 3rd party application (happens to be OpenCart) that needs Apache to have full access when it's Admin panel is run.
If I change the Ownership of the files to apache:apache (per someone's Docs), everything works fine ... except then my FTP Users cannot login to the site.
What is the correct way to  give the "Apache user" access AND my FTP Users access?
One suggestion earlier was to add the User to the "Apache" group. Maybe I misunderstood ... wouldn't I then need to change all Permissions to 775 and 664 (instead of 755 and 644) to allow Group full access?
I also see a possible solution using a Linux "SetGID" program that allows "CHMOD 2755 ..."   (instead of CHMOD 755 ...).
Can anyone enlighten me?  I am SURE I am missing a tidbit of knowledge here somewhere.
0
Comment
Question by:bleggee
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 58

Expert Comment

by:Gary
ID: 40229520
What application?
The only thing you should need to do is give read/write permissions to a folder
It's inane that you should need to start messing around with users and likely screw everything else up.
0
 
LVL 23

Assisted Solution

by:savone
savone earned 166 total points
ID: 40229580
chown -R apache:ftpusers /path/to/dir
chmod -R 775 /path/to/dir

Make apache own the folder and your ftp user group the group of the folder.  Then you can set permissions for both, like in my example.  Apache would have full RWX (first 7) ftpusers would have the same (second 7) and everyone else would have read and execute (usually needed for a webserver).
0
 
LVL 38

Expert Comment

by:Gerwin Jansen, EE MVE
ID: 40230418
The 2 is the set-group-ID-on-execution bit

From the chmod man page:

2000    (the set-group-ID-on-execution bit) Executable files with this bit set will run with effective gid set to the gid of the file owner.
0
Learn how to optimize MySQL for your business need

With the increasing importance of apps & networks in both business & personal interconnections, perfor. has become one of the key metrics of successful communication. This ebook is a hands-on business-case-driven guide to understanding MySQL query parameter tuning & database perf

 
LVL 62

Expert Comment

by:gheist
ID: 40230998
02000 is set-file-group-for-new-files of set on directory, and it is settable only by root user.
0
 
LVL 1

Assisted Solution

by:Nicola Mackin
Nicola Mackin earned 167 total points
ID: 40231411
savone suggestion is good, only I would not do a 775 I would go for a 770. In my experience there is no need to have 5 on the last octal.  You can also be much more restrictive by using .htaccess
0
 
LVL 27

Accepted Solution

by:
skullnobrains earned 167 total points
ID: 40242169
savone's solution will likely work

adding ftpuser to the apache group as well

using a dedicated user and add both apache and your ftp users to it's group as well

you can also consider ACLs if your fiolesystem supports them (refer to setfacl/getfacl man pages)

but most likely, there is no need for your ftp users to access the same files OpenCart needs. opencart probably only needs write access to it's admin directory, and your ftp users most likely should not even access these for reading
0
 
LVL 62

Expert Comment

by:gheist
ID: 40242285
If ftpuser is added to apache group then it will be able to steal htpasswd files and more.
0
 
LVL 1

Author Comment

by:bleggee
ID: 40242326
Good point on the Security issue GHeist
0

Featured Post

Don't Cry: How Liquid Web is Ensuring Security

WannaCry is just the start. Read how Liquid Web is protecting itself and its customers against new threats.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If your site has a few sections that need to be secure when data is transmitted between the server and local computer, such as a /order/ section for ordering or /customer/ which contains customer data, etc it would of course be recommended to secure…
In the first part of this tutorial we will cover the prerequisites for installing SQL Server vNext on Linux.
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
Suggested Courses

622 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question