Open main menu

Policy

Our policy for development will be that all developers will be part of a Unix group named 'developers'. Official repositories will be group-owned by 'developers'

This setup allows git, apache, ssh and your local filesystem to work together.

The group permissions are important rather than file 'owner'. Further, www-data will be a member of the developers group so that sensitive files (settings.php) can be restricted from being edited while permission is granted on structures like files/*

Checking your groups

Simply enter the command groups in a terminal window to see what groups you are a member of.

Implementation Details

# set groups and memberships
sudo groupadd developers
sudo usermod -a -G developers grundlett
sudo usermod -a -G developers {{apache user}}
# logout + login to read new membership into current environment

# set file system mode on source
cd /var/www
sudo chown -R grundlett:developers ./
find ./ -type d -exec sudo chmod u=rwx,g+rwxs,o=rx {} \;
find ./ -type f -exec sudo chmod ug=rw,o=r {} \;

# restart apache so that it gets it's new group membership
sudo apache2ctl restart

Fixing Permissions

# find files that are executable and remove the execute bit
sudo find . -type f -perm -ugo=x -ls -exec chmod a-x {} \;


# find files that are not user or group writable and add read / write permissions
sudo find . -type f ! -perm -ug=w -ls -exec sudo chmod ug+rw {} \;
# and directories that are not user or group writable and add read / write permissions
sudo find . -type d ! -perm -ug=w -ls -exec sudo chmod ug+rw {} \;


# find directories that are not executable by user or group
sudo find . -type d ! -perm -ug=x -ls


# find directories without the group sticky bit set
sudo find . -type d ! -perm -g=s -ls


Wheel

Are you a big wheel?

(You'll find wheel [1] in RedHat, FreeBSD and other Unixes. In Ubuntu, the admin group is called 'sudo', and anyone can use the sudo service.)

Administrative users will have the permission to execute 'super user do' (sudo) commands. This privilege is granted by adding the user to the 'wheel' group. By granting privileges, it's easier to use system accounting to see who is doing what. Much better than handing out the root password to multiple persons. If you're in the wheel group, then you can issue sudo commands without a password. This is implemented on new machine setups by issuing the visudo command and uncommenting the line for %wheel NOPASSWD. Of course, you'll also need to run usermod -a -G wheel $USER to add the $USER to the wheel group.

In Ubuntu, you would usermod -a -G sudo $USER

The $USER must logout and login again to reload their group memberships. Alternatively, just issue su - $USER or newgrp (with no arguments); or start a new shell which will inherit the new group memberships.

References