Difference between revisions of "Permissions"

From Freephile Wiki
(add reference to newgrp command)
Revision as of 15:27, 17 May 2017

Policy

Our policy for development is that all developers are members of a Unix group named 'developers'. Official repositories are group-owned by 'developers'.

This setup allows git, apache, ssh and your local filesystem to work together.

The group permissions are what matter, rather than the file 'owner'. Further, www-data will be a member of the developers group, so that sensitive files (settings.php) can be restricted from being edited while write permission is granted on structures like files/*.

Checking your groups

Simply enter the command 'groups' in a terminal window to see which groups you are a member of.

Implementation Details

# set groups and memberships
sudo groupadd developers
sudo usermod -a -G developers grundlett
sudo usermod -a -G developers {{apache user}}
# You don't have to logout + login to read new membership into current environment
# You can use newgrp instead
newgrp developers

# set file system mode on source
cd /var/www
sudo chown -R grundlett:developers ./
find ./ -type d -exec sudo chmod u=rwx,g+rwxs,o=rx {} \;
find ./ -type f -exec sudo chmod ug=rw,o=r {} \;

# restart apache so that it picks up its new group membership
sudo apache2ctl restart

Fixing Permissions

# find files with any execute bit set (-perm /mode matches if any of the bits is set) and remove the execute bit
sudo find . -type f -perm /ugo=x -ls -exec chmod a-x {} \;

# find files that are not writable by both user and group and add read / write permissions
sudo find . -type f ! -perm -ug=w -ls -exec chmod ug+rw {} \;
# and directories that are not writable by both user and group and add read / write permissions
sudo find . -type d ! -perm -ug=w -ls -exec chmod ug+rw {} \;

# find directories that are not executable (searchable) by both user and group
sudo find . -type d ! -perm -ug=x -ls

# find directories without the group sticky (setgid) bit set
sudo find . -type d ! -perm -g=s -ls

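As an added example (not part of the wiki's own instructions), the following POSIX sh functions audit a tree against the policy above (directories u=rwx,g=rwxs,o=rx, files ug=rw,o=r, group-owned by a given group) and then apply the page's chmod/chgrp remediation. It assumes GNU find's -printf (as on Ubuntu and RedHat) and takes the group name as an argument, so it can be exercised on a constructed sample tree without the 'developers' group existing.

```shell
#!/bin/sh
# Audit and fix helpers for the 'developers' group-permission policy.
# Added example, not from the wiki. Assumes GNU find; the expected modes are
# directories 2775 (u=rwx,g=rwxs,o=rx) and files 664 (ug=rw,o=r).

# audit_tree DIR GROUP: print one "<reason>: <path>" line per violation.
# Returns 1 if anything deviates from the policy, 0 if the tree is clean.
audit_tree() {
  _dir=$1 _group=$2 _bad=0
  # One find pass prints type|mode|group|path; path comes last so embedded
  # spaces survive the split (paths containing '|' would not).
  while IFS='|' read -r _type _mode _grp _path; do
    case $_type in
      d) _want=2775 ;;
      f) _want=664 ;;
      *) continue ;;   # symlinks, sockets etc. are outside the policy
    esac
    [ "$_mode" = "$_want" ] || { echo "mode $_mode want $_want: $_path"; _bad=1; }
    [ "$_grp" = "$_group" ]  || { echo "group $_grp want $_group: $_path"; _bad=1; }
  done <<EOF
$(find "$_dir" \( -type d -o -type f \) -printf '%y|%m|%g|%p\n')
EOF
  return $_bad
}

# fix_tree DIR GROUP: apply the page's policy (prefix with sudo on a real web root).
fix_tree() {
  chgrp -R "$2" "$1"
  find "$1" -type d -exec chmod u=rwx,g=rwxs,o=rx {} +
  find "$1" -type f -exec chmod ug=rw,o=r {} +
}

# make_sample_tree: build a constructed throwaway tree (not a real web root)
# with two deliberate deviations: a directory missing setgid and an
# executable file. Prints the tree's path.
make_sample_tree() {
  _t=$(mktemp -d)
  mkdir "$_t/files" "$_t/images"
  chmod 2775 "$_t" "$_t/files"                                    # compliant
  chmod 775 "$_t/images"                                          # no setgid
  printf 'x' > "$_t/files/a.txt";  chmod 664 "$_t/files/a.txt"    # compliant
  printf 'x' > "$_t/settings.php"; chmod 775 "$_t/settings.php"   # execute bits
  echo "$_t"
}
```

Running audit_tree from cron against /var/www (with the real group name) gives a cheap drift check between deployments; fix_tree is the same remediation as the commands above, collected into one call.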
Wheel

Are you a big wheel?

(You'll find wheel [1] in RedHat, FreeBSD and other Unixes. In Ubuntu, the admin group is called 'sudo', and its members can use the sudo service.)

Administrative users will have permission to execute 'super user do' (sudo) commands. This privilege is granted by adding the user to the 'wheel' group. Granting privileges this way makes it easier to use system accounting to see who is doing what, and is much better than handing out the root password to multiple people. If you're in the wheel group, you can issue sudo commands without a password. This is implemented on new machine setups by running the visudo command and uncommenting the line for %wheel NOPASSWD. Of course, you'll also need to run usermod -a -G wheel $USER to add $USER to the wheel group.

In Ubuntu, you would instead run usermod -a -G sudo $USER.

The $USER must log out and log in again to reload their group memberships. Alternatively, issue su - $USER or newgrp (with no arguments), or start a new shell, which will inherit the new group memberships.

References