Permissions
Policy
Our policy for development will be that all developers will be part of a Unix group named 'developers'. Official repositories will be group-owned by 'developers'
This setup allows git, apache, ssh and your local filesystem to work together.
The group permissions are important rather than file 'owner'. Further, www-data will be a member of the developers group so that sensitive files (settings.php) can be restricted from being edited while permission is granted on structures like files/*
Checking your groups
Simply enter the command groups
in a terminal window to see what groups you are a member of.
Implementation Details
# set groups and memberships
sudo groupadd developers
sudo usermod -a -G developers grundlett
sudo usermod -a -G developers {{apache user}}
# You don't have to logout + login to read new membership into current environment
# You can use newgrp instead
newgrp developers
# set file system mode on source
cd /var/www
sudo chown -R grundlett:developers ./
find ./ -type d -exec sudo chmod u=rwx,g+rwxs,o=rx {} \;
find ./ -type f -exec sudo chmod ug=rw,o=r {} \;
# restart apache so that it gets it's new group membership
sudo apache2ctl restart
Fixing Permissions
# find files that are executable and remove the execute bit
sudo find . -type f -perm -ugo=x -ls -exec chmod a-x {} \;
# find files that are not owned by www-data
find ./ -type f ! -user www-data
# find files that are not user or group writable and add read / write permissions
sudo find . -type f ! -perm -ug=w -ls -exec sudo chmod ug+rw {} \;
# and directories that are not user or group writable and add read / write permissions
sudo find . -type d ! -perm -ug=w -ls -exec sudo chmod ug+rw {} \;
# find directories that are not executable by user or group
sudo find . -type d ! -perm -ug=x -ls
# find directories without the group sticky bit set
sudo find . -type d ! -perm -g=s -ls
Fix permissions on your Drupal site
DROOT='/var/www/example.com/www/drupal'
USER=greg
WEBGROUP=www-data
sudo chown -R $USER:$WEBGROUP $DROOT/
sudo find $DROOT/ -type d -exec chmod u=rwx,g=rx,o= '{}' \;
sudo find $DROOT/ -type f -exec chmod u=rw,g=r,o= '{}' \;
sudo find $DROOT/sites -type d -name files -exec chmod ug=rwx,o= '{}' \;
for d in "$DROOT/sites/*/files"; do sudo find $d -type d -exec chmod ug=rwx,o= {} \; ; find $d -type f -exec chmod ug=rw,o= {} \; ; done
The above script is explained at https://www.drupal.org/node/244924
Fixing perms on your gluster mount dir in Meza
The gluster mount dir contains all the images for MediaWiki. So, perms and ownership are relevant for an Apache web directory. https://gist.github.com/freephile/f99274dc53deb2daa1440247665aa0e6
Wheel
(You'll find wheel [1] in RedHat, FreeBSD and other Unixes. In Ubuntu, the admin group is called 'sudo', and anyone can use the sudo service.)
Administrative users will have the permission to execute 'super user do' (sudo) commands. This privilege is granted by adding the user to the 'wheel' group. By granting privileges, it's easier to use system accounting to see who is doing what. Much better than handing out the root password to multiple persons. If you're in the wheel group, then you can issue sudo
commands without a password. This is implemented on new machine setups by issuing the visudo
command and uncommenting the line for %wheel NOPASSWD
. Of course, you'll also need to run usermod -a -G wheel $USER
to add the $USER to the wheel group.
In Ubuntu, you would usermod -a -G sudo $USER
The $USER must logout and login again to reload their group memberships. Alternatively, just issue su - $USER
or newgrp
(with no arguments); or start a new shell which will inherit the new group memberships.
See Also
The linux command namei
is very handy at showing you the directory traversal all the way to your destination to show ownership, permissions etc. Use the -m
to show mode or -l
to show a long listing
namei -l /opt/data-meza/uploads/en/5/59/Geographylogo.png f: /opt/data-meza/uploads/en/5/59/Geographylogo.png drwxr-xr-x root root / drwxr-xr-x root root opt lrwxrwxrwx root root data-meza -> /mnt/volume_nyc1_01/data/data-meza drwxr-xr-x root root / drwxr-xr-x root root mnt drwxr-xr-x root root volume_nyc1_01 drwxr-xr-x root root data drwxr-xr-x meza-ansible wheel data-meza drwxrwxr-x www-data www-data uploads drwxrwxr-x www-data www-data en drwxrwxr-x www-data www-data 5 drwxrwxr-x www-data www-data 59 -rw-rw-r-- www-data www-data Geographylogo.png