Solved

LINUX Ownership (CHOWN) & Permissions (CHMOD) question ...

Posted on 2014-07-30
8
811 Views
Last Modified: 2014-08-05
I have a 3rd party application (happens to be OpenCart) that needs Apache to have full access when it's Admin panel is run.
If I change the Ownership of the files to apache:apache (per someone's Docs), everything works fine ... except then my FTP Users cannot login to the site.
What is the correct way to  give the "Apache user" access AND my FTP Users access?
One suggestion earlier was to add the User to the "Apache" group. Maybe I misunderstood ... wouldn't I then need to change all Permissions to 775 and 664 (instead of 755 and 644) to allow Group full access?
I also see a possible solution using a Linux "SetGID" program that allows "CHMOD 2755 ..."   (instead of CHMOD 755 ...).
Can anyone enlighten me?  I am SURE I am missing a tidbit of knowledge here somewhere.
0
Comment
Question by:bleggee
8 Comments
 
LVL 58

Expert Comment

by:Gary
ID: 40229520
What application?
The only thing you should need to do is give read/write permissions to a folder
It's inane that you should need to start messing around with users and likely screw everything else up.
0
 
LVL 23

Assisted Solution

by:savone
savone earned 166 total points
ID: 40229580
chown -R apache:ftpusers /path/to/dir
chmod -R 775 /path/to/dir

Make apache own the folder and your ftp user group the group of the folder.  Then you can set permissions for both, like in my example.  Apache would have full RWX (first 7) ftpusers would have the same (second 7) and everyone else would have read and execute (usually needed for a webserver).
0
 
LVL 37

Expert Comment

by:Gerwin Jansen
ID: 40230418
The 2 is the set-group-ID-on-execution bit

From the chmod man page:

2000    (the set-group-ID-on-execution bit) Executable files with this bit set will run with effective gid set to the gid of the file owner.
0
 
LVL 61

Expert Comment

by:gheist
ID: 40230998
02000 is set-file-group-for-new-files of set on directory, and it is settable only by root user.
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 1

Assisted Solution

by:Nicola Mackin
Nicola Mackin earned 167 total points
ID: 40231411
savone suggestion is good, only I would not do a 775 I would go for a 770. In my experience there is no need to have 5 on the last octal.  You can also be much more restrictive by using .htaccess
0
 
LVL 26

Accepted Solution

by:
skullnobrains earned 167 total points
ID: 40242169
savone's solution will likely work

adding ftpuser to the apache group as well

using a dedicated user and add both apache and your ftp users to it's group as well

you can also consider ACLs if your fiolesystem supports them (refer to setfacl/getfacl man pages)

but most likely, there is no need for your ftp users to access the same files OpenCart needs. opencart probably only needs write access to it's admin directory, and your ftp users most likely should not even access these for reading
0
 
LVL 61

Expert Comment

by:gheist
ID: 40242285
If ftpuser is added to apache group then it will be able to steal htpasswd files and more.
0
 
LVL 1

Author Comment

by:bleggee
ID: 40242326
Good point on the Security issue GHeist
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Hi, in this article I'm going to teach you how to run your own site, and how to let people in (without IP). I'll talk about and explain each step... :) By the way, everything in this Tutorial is completely free and legal. This article is for …
If you've heard about htaccess and it sounds like it does what you want, but you're not sure how it works... well, you're in the right place. Read on. Some Basics #1. It's a file and its filename is .htaccess (yes, with a dot in the front). #…
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now