Permissions

From Freephile Wiki

Policy

Our policy for development will be that all developers will be part of a Unix group named 'developers'. Official repositories will be group-owned by 'developers'

This setup allows git, apache, ssh and your local filesystem to work together.

The group permissions are important rather than file 'owner'. Further, www-data will be a member of the developers group so that sensitive files (settings.php) can be restricted from being edited while permission is granted on structures like files/*

Checking your groups

Simply enter the command groups in a terminal window to see what groups you are a member of.

Implementation Details

# set groups and memberships
sudo groupadd developers
sudo usermod -a -G developers grundlett
sudo usermod -a -G developers {{apache user}}
# You don't have to logout + login to read new membership into current environment
# You can use newgrp instead
newgrp developers

# set file system mode on source
cd /var/www
sudo chown -R grundlett:developers ./
find ./ -type d -exec sudo chmod u=rwx,g+rwxs,o=rx {} \;
find ./ -type f -exec sudo chmod ug=rw,o=r {} \;

# restart apache so that it gets it's new group membership
sudo apache2ctl restart

Fixing Permissions

# find files that are executable and remove the execute bit
sudo find . -type f -perm -ugo=x -ls -exec chmod a-x {} \;

# find files that are not owned by www-data
find ./ -type f ! -user www-data


# find files that are not user or group writable and add read / write permissions
sudo find . -type f ! -perm -ug=w -ls -exec sudo chmod ug+rw {} \;
# and directories that are not user or group writable and add read / write permissions
sudo find . -type d ! -perm -ug=w -ls -exec sudo chmod ug+rw {} \;


# find directories that are not executable by user or group
sudo find . -type d ! -perm -ug=x -ls


# find directories without the group sticky bit set
sudo find . -type d ! -perm -g=s -ls

Fix permissions on your Drupal site

DROOT='/var/www/example.com/www/drupal'
USER=greg
WEBGROUP=www-data
sudo chown -R $USER:$WEBGROUP $DROOT/
sudo find $DROOT/ -type d -exec chmod u=rwx,g=rx,o= '{}' \;
sudo find $DROOT/ -type f -exec chmod u=rw,g=r,o= '{}' \;
sudo find $DROOT/sites -type d -name files -exec chmod ug=rwx,o= '{}' \;
for d in "$DROOT/sites/*/files"; do sudo find $d -type d -exec chmod ug=rwx,o= {} \; ; find $d -type f -exec chmod ug=rw,o= {} \; ; done

The above script is explained at https://www.drupal.org/node/244924

Fixing perms on your gluster mount dir in Meza

The gluster mount dir contains all the images for MediaWiki. So, perms and ownership are relevant for an Apache web directory. https://gist.github.com/freephile/f99274dc53deb2daa1440247665aa0e6

Wheel

Are you a big wheel?

(You'll find wheel [1] in RedHat, FreeBSD and other Unixes. In Ubuntu, the admin group is called 'sudo', and anyone can use the sudo service.)

Administrative users will have the permission to execute 'super user do' (sudo) commands. This privilege is granted by adding the user to the 'wheel' group. By granting privileges, it's easier to use system accounting to see who is doing what. Much better than handing out the root password to multiple persons. If you're in the wheel group, then you can issue sudo commands without a password. This is implemented on new machine setups by issuing the visudo command and uncommenting the line for %wheel NOPASSWD. Of course, you'll also need to run usermod -a -G wheel $USER to add the $USER to the wheel group.

In Ubuntu, you would usermod -a -G sudo $USER

The $USER must logout and login again to reload their group memberships. Alternatively, just issue su - $USER or newgrp (with no arguments); or start a new shell which will inherit the new group memberships.

See Also

The linux command namei is very handy at showing you the directory traversal all the way to your destination to show ownership, permissions etc. Use the -m to show mode or -l to show a long listing

namei -l /opt/data-meza/uploads/en/5/59/Geographylogo.png               
f: /opt/data-meza/uploads/en/5/59/Geographylogo.png
drwxr-xr-x root         root     /
drwxr-xr-x root         root     opt
lrwxrwxrwx root         root     data-meza -> /mnt/volume_nyc1_01/data/data-meza
drwxr-xr-x root         root       /
drwxr-xr-x root         root       mnt
drwxr-xr-x root         root       volume_nyc1_01
drwxr-xr-x root         root       data
drwxr-xr-x meza-ansible wheel      data-meza
drwxrwxr-x www-data     www-data uploads
drwxrwxr-x www-data     www-data en
drwxrwxr-x www-data     www-data 5
drwxrwxr-x www-data     www-data 59
-rw-rw-r-- www-data     www-data Geographylogo.png



References