Difference between revisions of "Permissions"

From Freephile Wiki

(Add example script for fixing perms in drupal sites)
(3 intermediate revisions by one other user not shown)

The two revisions differ in the following places (unchanged context omitted).

Present only in the older revision, inside the Fixing Permissions script:

<source lang="bash">
# find files that are not owned by www-data
find ./ -type f ! -user www-data
</source>

Changed (older revision first, newer revision second):

=== Fix permissions on your Drupal site ===
Fix permissions on your Drupal site

for d in "$DROOT/sites/*/files"; do sudo find $d -type d -exec chmod ug=rwx,o= {} \; ; find $d -type f -exec chmod ug=rw,o= {} \; ; done
for d in "$DROOT/sites/*/files"; do find $d -type d -exec chmod ug=rwx,o= {} \; ; find $d -type f -exec chmod ug=rw,o= {} \; ; done

Present only in the older revision, directly after the Drupal script:

The above script is explained at https://www.drupal.org/node/244924

=== Fixing perms on your gluster mount dir in Meza ===

The gluster mount dir contains all the images for MediaWiki, so permissions and ownership are relevant for an Apache web directory.

https://gist.github.com/freephile/f99274dc53deb2daa1440247665aa0e6

Present only in the older revision, after the Wheel section:

== See Also ==

The Linux command <code>namei</code> is very handy: it walks the directory traversal all the way to your destination and shows the ownership and permissions of every component. Use <code>-m</code> to show the mode or <code>-l</code> for a long listing.

<pre>
namei -l /opt/data-meza/uploads/en/5/59/Geographylogo.png
f: /opt/data-meza/uploads/en/5/59/Geographylogo.png
drwxr-xr-x root         root     /
drwxr-xr-x root         root     opt
lrwxrwxrwx root         root     data-meza -> /mnt/volume_nyc1_01/data/data-meza
drwxr-xr-x root         root       /
drwxr-xr-x root         root       mnt
drwxr-xr-x root         root       volume_nyc1_01
drwxr-xr-x root         root       data
drwxr-xr-x meza-ansible wheel      data-meza
drwxrwxr-x www-data     www-data uploads
drwxrwxr-x www-data     www-data en
drwxrwxr-x www-data     www-data 5
drwxrwxr-x www-data     www-data 59
-rw-rw-r-- www-data     www-data Geographylogo.png
</pre>

Revision as of 21:28, 14 June 2017

Policy

Our policy for development will be that all developers are members of a Unix group named 'developers'. Official repositories will be group-owned by 'developers'.

This setup allows git, apache, ssh and your local filesystem to work together.

The group permissions matter here, rather than the file owner. Further, www-data will be a member of the developers group, so that sensitive files (settings.php) can be restricted from being edited while write permission is granted on structures like files/*.

Checking your groups

Simply enter the command <code>groups</code> in a terminal window to see which groups you are a member of.

Implementation Details

<source lang="bash">
# set groups and memberships
sudo groupadd developers
sudo usermod -a -G developers grundlett
sudo usermod -a -G developers {{apache user}}
# You don't have to logout + login to read the new membership into the current environment;
# you can use newgrp instead
newgrp developers

# set the file system mode on the source tree (setgid on directories so new files inherit the group)
cd /var/www
sudo chown -R grundlett:developers ./
find ./ -type d -exec sudo chmod u=rwx,g+rwxs,o=rx {} \;
find ./ -type f -exec sudo chmod ug=rw,o=r {} \;

# restart apache so that it gets its new group membership
sudo apache2ctl restart
</source>

Fixing Permissions

<source lang="bash">
# find files that are executable (all of u, g and o have x set) and remove the execute bit
sudo find . -type f -perm -ugo=x -ls -exec chmod a-x {} \;

# find files that are not user or group writable and add read / write permissions
sudo find . -type f ! -perm -ug=w -ls -exec sudo chmod ug+rw {} \;
# and directories that are not user or group writable and add read / write permissions
sudo find . -type d ! -perm -ug=w -ls -exec sudo chmod ug+rw {} \;

# find directories that are not executable by user or group (listing only, nothing changed)
sudo find . -type d ! -perm -ug=x -ls

# find directories without the group sticky bit (setgid) set (listing only, nothing changed)
sudo find . -type d ! -perm -g=s -ls
</source>
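To see the developers-group scheme from Implementation Details and the Fixing Permissions checks end to end, here is an added example script (not from the wiki) that builds a scratch tree under mktemp, applies the same chmod rules without the chown/sudo steps, then confirms the checks come back clean and that a file created afterwards inherits the directory's group through the setgid bit. It assumes Linux with GNU or busybox find/stat; the tree, file names and function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the wiki): scratch copy of the 'developers' group
# scheme above, applied without chown/sudo, followed by the page's checks.
# Assumes Linux with GNU or busybox find/stat (stat -c %a / %g) and mktemp.
set -u

# Implementation Details scheme: dirs u=rwx,g=rwxs,o=rx (2775), files ug=rw,o=r (664).
apply_dev_perms() {
    find "$1" -type d -exec chmod u=rwx,g+rwxs,o=rx {} \;
    find "$1" -type f -exec chmod ug=rw,o=r {} \;
}

# Fixing Permissions check 1: files that still carry any execute bit.
count_exec_files() {
    find "$1" -type f -perm /111 | wc -l | tr -d ' '
}

# Fixing Permissions check 4: directories without the setgid bit.
count_dirs_without_setgid() {
    find "$1" -type d ! -perm -2000 | wc -l | tr -d ' '
}

# Constructed tree with deliberately wrong modes; returns 0 only if, after
# apply_dev_perms, both checks pass and a new file inherits the dir's group.
demo_dev_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/repo/sites/default"
    printf '<?php\n' > "$root/repo/sites/default/settings.php"
    printf 'hello\n' > "$root/repo/index.php"
    chmod 755 "$root/repo/index.php"       # stray execute bit on a PHP file
    chmod 700 "$root/repo/sites/default"   # group locked out, no setgid

    apply_dev_perms "$root/repo"
    touch "$root/repo/sites/default/new.txt"   # created after setgid is set

    ok=1
    [ "$(count_exec_files "$root/repo")" = 0 ] || ok=0
    [ "$(count_dirs_without_setgid "$root/repo")" = 0 ] || ok=0
    [ "$(stat -c %a "$root/repo/sites/default")" = 2775 ] || ok=0
    [ "$(stat -c %a "$root/repo/index.php")" = 664 ] || ok=0
    [ "$(stat -c %g "$root/repo/sites/default")" = \
      "$(stat -c %g "$root/repo/sites/default/new.txt")" ] || ok=0
    rm -rf "$root"
    [ "$ok" = 1 ]
}

demo_dev_tree && echo "developers-group scheme verified"
```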

Fix permissions on your Drupal site

<source lang="bash">
DROOT='/var/www/example.com/www/drupal'
USER=greg
WEBGROUP=www-data
# code tree: owned by the developer, readable by the web server group, closed to others
sudo chown -R $USER:$WEBGROUP $DROOT/
sudo find $DROOT/ -type d -exec chmod u=rwx,g=rx,o= '{}' \;
sudo find $DROOT/ -type f -exec chmod u=rw,g=r,o= '{}' \;
# upload directories (sites/*/files): the web server group also needs write access
sudo find $DROOT/sites -type d -name files -exec chmod ug=rwx,o= '{}' \;
# the glob must stay outside the quotes so it expands; "$d" is quoted so paths with spaces survive
for d in "$DROOT"/sites/*/files; do find "$d" -type d -exec chmod ug=rwx,o= {} \; ; find "$d" -type f -exec chmod ug=rw,o= {} \; ; done
</source>
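As an added example (not the wiki's or drupal.org's script), the following audits a Drupal tree against the modes the script above sets and prints each deviating path, which is useful as a dry run before rewriting modes or as a periodic check. The tree it builds is constructed for the demo; the function names and the DROOT-relative path rule are assumptions of this example.

```shell
# Added example (not from the wiki or drupal.org): audit a Drupal tree against
# the scheme above and list every path whose mode deviates, rather than
# rewriting modes blindly. Assumes Linux with GNU or busybox find/stat.
set -u

# Echo the wanted octal mode for a path: 750/640 in the code tree, 770/660 under sites/*/files.
expected_mode() {   # $1 = DROOT, $2 = path under it
    case "${2#"$1"/}" in
        sites/*/files|sites/*/files/*) dm=770 fm=660 ;;   # upload tree, web-writable
        *)                             dm=750 fm=640 ;;   # code tree, read-only for the web server
    esac
    if [ -d "$2" ]; then echo "$dm"; else echo "$fm"; fi
}

# Print "have want path" for every mismatch below DROOT (nothing printed = clean).
audit_drupal_perms() {   # $1 = DROOT
    find "$1" -mindepth 1 | while IFS= read -r p; do
        have=$(stat -c %a "$p")
        want=$(expected_mode "$1" "$p")
        [ "$have" = "$want" ] || printf '%s %s %s\n' "$have" "$want" "$p"
    done
}

count_drupal_violations() { audit_drupal_perms "$1" | wc -l | tr -d ' '; }

# Constructed tree: violations before and after the page's chmod steps (the
# chown/sudo steps need root and are skipped). Echoes "<before> <after>".
demo_drupal_audit() {
    umask 022                                   # deterministic starting modes
    root=$(mktemp -d) || return 1
    droot="$root/drupal"
    mkdir -p "$droot/sites/default/files/styles" "$droot/modules"
    touch "$droot/index.php" "$droot/sites/default/settings.php" \
          "$droot/sites/default/files/logo.png"
    chmod 777 "$droot/sites/default/files"      # world-writable upload dir
    before=$(count_drupal_violations "$droot")
    find "$droot" -type d -exec chmod u=rwx,g=rx,o= {} \;
    find "$droot" -type f -exec chmod u=rw,g=r,o= {} \;
    for d in "$droot"/sites/*/files; do
        find "$d" -type d -exec chmod ug=rwx,o= {} \;
        find "$d" -type f -exec chmod ug=rw,o= {} \;
    done
    after=$(count_drupal_violations "$droot")
    rm -rf "$root"
    echo "$before $after"
}

demo_drupal_audit    # prints "8 0" for the constructed tree
```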

Wheel

Are you a big wheel?

(You'll find wheel [1] in RedHat, FreeBSD and other Unixes. In Ubuntu, the admin group is called 'sudo', and anyone in that group can use sudo.)

Administrative users have permission to execute 'super user do' (sudo) commands. This privilege is granted by adding the user to the 'wheel' group. Granting privileges this way makes it easier to use system accounting to see who is doing what, which is much better than handing out the root password to multiple people. If you're in the wheel group, you can issue sudo commands without a password. This is implemented on new machine setups by running <code>visudo</code> and uncommenting the <code>%wheel</code> line that carries <code>NOPASSWD</code>. Of course, you'll also need to run <code>usermod -a -G wheel $USER</code> to add $USER to the wheel group.

In Ubuntu, you would run <code>usermod -a -G sudo $USER</code> instead.

The $USER must logout and login again to reload their group memberships. Alternatively, just issue su - $USER or newgrp (with no arguments); or start a new shell which will inherit the new group memberships.

References