Permissions: Difference between revisions
sudo now replaces the admin group in Ubuntu, aligning it with Debian |
m Text replacement - "<(\/?)source" to "<$1syntaxhighlight" |
| (8 intermediate revisions by 2 users not shown) | |||
| Line 11: | Line 11: | ||
=== Implementation Details === | === Implementation Details === | ||
< | <syntaxhighlight lang="bash"> | ||
# set groups and memberships | # set groups and memberships | ||
sudo groupadd developers | sudo groupadd developers | ||
sudo usermod -a -G developers grundlett | sudo usermod -a -G developers grundlett | ||
sudo usermod -a -G developers {{apache user}} | sudo usermod -a -G developers {{apache user}} | ||
# logout + login to read new membership into current environment | # You don't have to logout + login to read new membership into current environment | ||
# You can use newgrp instead | |||
newgrp developers | |||
# set file system mode on source | # set file system mode on source | ||
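Review bot: The new comment "You don't have to logout + login to read new membership into current environment" overstates what `newgrp developers` does: newgrp starts a new subshell whose primary GID is `developers`, it does not alter the shell you typed it in, and files created in that subshell will be group-owned by `developers` rather than the user's login group, which differs from a fresh login. It also only helps the interactive user (`grundlett`); the `{{apache user}}` membership added on the previous line still needs the `apache2ctl restart` later in this block before Apache sees it. Suggest rewording the comment to something like "# newgrp starts a subshell with the new group; Apache still needs a restart".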
| Line 26: | Line 28: | ||
# restart apache so that it gets it's new group membership | # restart apache so that it gets it's new group membership | ||
sudo apache2ctl restart | sudo apache2ctl restart | ||
</ | </syntaxhighlight> | ||
== Fixing Permissions == | == Fixing Permissions == | ||
< | <syntaxhighlight lang="bash"> | ||
# find files that are executable and remove the execute bit | # find files that are executable and remove the execute bit | ||
sudo find . -type f -perm -ugo=x -ls -exec chmod a-x {} \; | sudo find . -type f -perm -ugo=x -ls -exec chmod a-x {} \; | ||
# find files that are not owned by www-data | |||
find ./ -type f ! -user www-data | |||
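Review bot: `-perm -ugo=x` requires all three execute bits to be set, so the first `find` only strips the execute bit from files that are executable by owner, group and other; a file with mode 744 or 700 is left alone. If the intent is to remove any execute bit, use `-perm /ugo=x` (or `-perm /111`). The newly added `find ./ -type f ! -user www-data` also runs without `sudo`, unlike the line above it, so it will report "Permission denied" and miss files in directories the invoking user cannot read; add `sudo` for consistency. Minor: "it's new group membership" should be "its".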
| Line 47: | Line 52: | ||
# find directories without the group sticky bit set | # find directories without the group sticky bit set | ||
sudo find . -type d ! -perm -g=s -ls | sudo find . -type d ! -perm -g=s -ls | ||
</ | </syntaxhighlight> | ||
=== Fix permissions on your Drupal site === | |||
<syntaxhighlight lang="bash"> | |||
DROOT='/var/www/example.com/www/drupal' | |||
USER=greg | |||
WEBGROUP=www-data | |||
sudo chown -R $USER:$WEBGROUP $DROOT/ | |||
sudo find $DROOT/ -type d -exec chmod u=rwx,g=rx,o= '{}' \; | |||
sudo find $DROOT/ -type f -exec chmod u=rw,g=r,o= '{}' \; | |||
sudo find $DROOT/sites -type d -name files -exec chmod ug=rwx,o= '{}' \; | |||
for d in "$DROOT/sites/*/files"; do sudo find $d -type d -exec chmod ug=rwx,o= {} \; ; find $d -type f -exec chmod ug=rw,o= {} \; ; done | |||
</syntaxhighlight> | |||
The above script is explained at https://www.drupal.org/node/244924 | |||
=== Fixing perms on your gluster mount dir in Meza === | |||
The gluster mount dir contains all the images for MediaWiki. So, perms and ownership are relevant for an Apache web directory. | |||
https://gist.github.com/freephile/f99274dc53deb2daa1440247665aa0e6 | |||
== Wheel == | == Wheel == | ||
[[File:Bigwheel.jpg|400px|Are you a big wheel?]] | [[File:Bigwheel.jpg|400px|Are you a big wheel?]] | ||
(You'll find wheel <ref>http://www.catb.org/jargon/html/</ref> in RedHat, FreeBSD and other Unixes. In Ubuntu, the admin group is called ' | (You'll find wheel <ref>http://www.catb.org/jargon/html/</ref> in RedHat, FreeBSD and other Unixes. In Ubuntu, the admin group is called 'sudo', and anyone can use the sudo service.) | ||
Administrative users will have the permission to execute 'super user do' (sudo) commands. This privilege is granted by adding the user to the 'wheel' group. By granting privileges, it's easier to use system accounting to see who is doing what. Much better than handing out the root password to multiple persons. If you're in the wheel group, then you can issue <code>sudo</code> commands without a password. This is implemented on new machine setups by issuing the <code>visudo</code> command and uncommenting the line for <code>%wheel NOPASSWD</code>. Of course, you'll also need to run <code>usermod -a -G wheel $USER</code> to add the $USER to the wheel group. | Administrative users will have the permission to execute 'super user do' (sudo) commands. This privilege is granted by adding the user to the 'wheel' group. By granting privileges, it's easier to use system accounting to see who is doing what. Much better than handing out the root password to multiple persons. If you're in the wheel group, then you can issue <code>sudo</code> commands without a password. This is implemented on new machine setups by issuing the <code>visudo</code> command and uncommenting the line for <code>%wheel NOPASSWD</code>. Of course, you'll also need to run <code>usermod -a -G wheel $USER</code> to add the $USER to the wheel group. | ||
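Review bot: In the Drupal block, the second `find` inside the `for` loop (`find $d -type f -exec chmod ug=rw,o= {} \;`) runs without `sudo` while every other command in the script uses it, so file mode changes fail on anything the invoking user does not own; prefix it with `sudo`. The loop header `for d in "$DROOT/sites/*/files"` quotes the glob, so `$d` holds a literal `*` and only expands later because `$d` is used unquoted in the `find` calls; write it as `for d in "$DROOT"/sites/*/files; do` so the expansion happens where the reader expects it and paths with spaces still work. `USER=greg` also overwrites the shell's own `$USER` variable for the rest of the session; a different name such as `OWNER` avoids surprises. In the "find directories without the group sticky bit set" comment, `-perm -g=s` tests the setgid bit, not the sticky bit; say "setgid bit" so the comment matches the test.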
| Line 60: | Line 81: | ||
The $USER must logout and login again to reload their group memberships. Alternatively, just issue <code>su - $USER</code> or <code>newgrp</code> (with no arguments); or start a new shell which will inherit the new group memberships. | The $USER must logout and login again to reload their group memberships. Alternatively, just issue <code>su - $USER</code> or <code>newgrp</code> (with no arguments); or start a new shell which will inherit the new group memberships. | ||
== See Also == | |||
The linux command <code>namei</code> is very handy at showing you the directory traversal all the way to your destination to show ownership, permissions etc. Use the <code>-m</code> to show mode or <code>-l</code> to show a long listing | |||
<pre> | |||
namei -l /opt/data-meza/uploads/en/5/59/Geographylogo.png | |||
f: /opt/data-meza/uploads/en/5/59/Geographylogo.png | |||
drwxr-xr-x root root / | |||
drwxr-xr-x root root opt | |||
lrwxrwxrwx root root data-meza -> /mnt/volume_nyc1_01/data/data-meza | |||
drwxr-xr-x root root / | |||
drwxr-xr-x root root mnt | |||
drwxr-xr-x root root volume_nyc1_01 | |||
drwxr-xr-x root root data | |||
drwxr-xr-x meza-ansible wheel data-meza | |||
drwxrwxr-x www-data www-data uploads | |||
drwxrwxr-x www-data www-data en | |||
drwxrwxr-x www-data www-data 5 | |||
drwxrwxr-x www-data www-data 59 | |||
-rw-rw-r-- www-data www-data Geographylogo.png | |||
</pre> | |||
{{References}} | {{References}} | ||
[[Category:Filesystems]] | |||
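Review bot: The three "reload" alternatives in the first paragraph are not equivalent and the text should say so: `su - $USER` prompts for the user's password and builds a fresh login environment, while `newgrp` (with or without an argument) only starts a subshell, so in both cases typing `exit` drops back to the old shell with the old membership, and neither changes the shell you issued it from. In the `namei` sentence, "Use the `-m` to show mode" is missing the word "option". The `namei -l` listing itself is a good illustration: it shows the `data-meza` symlink resolving to a directory owned by `meza-ansible:wheel` with mode 755, with only `uploads` and below being group-writable by `www-data`, which is exactly the boundary the Apache user needs.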