Grasping a full understanding of setting default Users, Groups and Masks has eluded me over the years, but now I find myself in a situation where manually "setting" the file/directory attributes is becoming a pain.

I understand the fundamentals of the file attributes, though from time to time I have to review the "sticky bit"; what I do not understand is where/how the attributes are set when a user creates or modifies a file/directory. Here is my situation:

My /var/www/html files have been manually set by me to apache/apache 774. This allows my PHP applications to access the files, and I assume this is a "good" setting.

Now, my server is connected via Samba to my desktop. If I create a file, it is todd/todd 744, so Apache cannot access them.

If PHP (Apache) creates or modifies a file, it is apache/apache 755, so I cannot access them (Write/Delete).

Is there a way to resolve this? When I FTP to a friend's rent-a-server, I can read/write/delete all of the files I have placed there *and* the same for files touched by PHP (Apache).

My Linux Admin books as well as my Linux books do not appear to cover this and/or my experience is lacking.

Todd

--
Ariste Software
Petaluma, CA 94952

http://www.aristesoftware.com

On Tue, 21 Jun 2011, Todd Cary wrote:

> Grasping a full understanding of setting default Users, Groups
> and Masks has eluded me over the years, but now I find myself in
> a situation where manually "setting" the file/directory
> attributes is becoming a pain.
>
> I understand the fundamentals of the file attributes, though from
> time to time I have to review the "sticky bit"; what I do not
> understand is where/how the attributes are set when a user
> creates or modifies a file/directory. Here is my situation:
>
> My /var/www/html files have been manually set by me to
> apache/apache 774. This allows my PHP applications to access the
> files, and I assume this is a "good" setting.
>
> Now, my server is connected via Samba to my desktop. If I create
> a file, it is todd/todd 744, so Apache cannot access them.
>
> If PHP (Apache) creates or modifies a file, it is apache/apache
> 755, so I cannot access them (Write/Delete).
>
> Is there a way to resolve this? When I FTP to a friend's
> rent-a-server, I can read/write/delete all of the files I have
> placed there *and* the same for files touched by PHP (Apache).
>
> My Linux Admin books as well as my Linux books do not appear to
> cover this and/or my experience is lacking.

Either have a group that you're both a member of and have a SGID bit set on the relevant directories using that group, or look at ACLs.

jh

This may not be the best from a security perspective but as you use samba, why not just set it to force the correct user, group and mask setting for that share?

My server at home is set up that way and it works just fine.

-Drew

On 06/21/2011, Todd Cary <todd at aristesoftware.com> wrote:

> Grasping a full understanding of setting default Users, Groups
> and Masks has eluded me over the years, but now I find myself in
> a situation where manually "setting" the file/directory
> attributes is becoming a pain.
>
> I understand the fundamentals of the file attributes, though from
> time to time I have to review the "sticky bit"; what I do not
> understand is where/how the attributes are set when a user
> creates or modifies a file/directory. Here is my situation:
>
> My /var/www/html files have been manually set by me to
> apache/apache 774. This allows my PHP applications to access the
> files, and I assume this is a "good" setting.
>
> Now, my server is connected via Samba to my desktop. If I create
> a file, it is todd/todd 744, so Apache cannot access them.
>
> If PHP (Apache) creates or modifies a file, it is apache/apache
> 755, so I cannot access them (Write/Delete).
>
> Is there a way to resolve this? When I FTP to a friend's
> rent-a-server, I can read/write/delete all of the files I have
> placed there *and* the same for files touched by PHP (Apache).
>
> My Linux Admin books as well as my Linux books do not appear to
> cover this and/or my experience is lacking.
>
> Todd
>
> --
> Ariste Software
> Petaluma, CA 94952
>
> http://www.aristesoftware.com

--
Drew

"Nothing in life is to be feared. It is only to be understood."
--Marie Curie

"This started out as a hobby and spun horribly out of control."
-Unknown

On 06/22/2011 01:22 AM, Todd Cary wrote:

> Grasping a full understanding of setting default Users, Groups
> and Masks has eluded me over the years, but now I find myself in
> a situation where manually "setting" the file/directory
> attributes is becoming a pain.
>
> I understand the fundamentals of the file attributes, though from
> time to time I have to review the "sticky bit"; what I do not
> understand is where/how the attributes are set when a user
> creates or modifies a file/directory. Here is my situation:
>
> My /var/www/html files have been manually set by me to
> apache/apache 774. This allows my PHP applications to access the
> files, and I assume this is a "good" setting.

In your smb.conf file, add the following to the [sharename] section:

    force user = apache
    force create mode = 0774

This should ensure that all files you dump in via samba are always owned by apache with the proper permissions.

I do this on servers that never see the internet. If this is insecure, please enlighten me as said servers may one day be made visible to the outside world...

Ak.

On 2011-06-21 17:22, Todd Cary wrote:

> Grasping a full understanding of setting default Users, Groups
> and Masks has eluded me over the years, but now I find myself in
> a situation where manually "setting" the file/directory
> attributes is becoming a pain.
>
> I understand the fundamentals of the file attributes, though from
> time to time I have to review the "sticky bit"; what I do not
> understand is where/how the attributes are set when a user
> creates or modifies a file/directory. Here is my situation:
>
> My /var/www/html files have been manually set by me to
> apache/apache 774. This allows my PHP applications to access the
> files, and I assume this is a "good" setting.
>
> Now, my server is connected via Samba to my desktop. If I create
> a file, it is todd/todd 744, so Apache cannot access them.
>
> If PHP (Apache) creates or modifies a file, it is apache/apache
> 755, so I cannot access them (Write/Delete).

I use a combination of settings in Unix and Samba.

Add yourself to the apache group.
Set the toplevel folder with the SGID bit:

    chgrp apache /the/toplevel
    chmod g+swx /the/toplevel

This makes sure that each file/folder created in that folder will inherit the group writeable bit. When you already have subfolders there, you need to change each subfolder as well, once, to get the permissions of the whole tree correct.

In samba, set up the share with:

    force create mode = 775
    force directory mode = 2775

This makes sure that samba does not remove that group-writable bit again, that was added by the kernel obeying the SGID bit of the parent folder.

And then I only have to struggle with some programs, that think they are smarter, and explicitly remove the group writeable settings.

--
Paul Bijnens, Xplanation                     Tel  +32 16 397.525
Interleuvenlaan 86, B-3001 Leuven, BELGIUM   Fax  +32 16 397.552
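
Added example, not part of any poster's message: a shell sketch of the shared-group, setgid-directory scheme from the last reply. It audits a tree for paths that break the scheme, repairs existing subfolders once, and probes which mode a newly created file gets under a given umask, which is the bit that Samba's `force create mode` or the creating program still has to supply. The function names and the probe file name are assumptions, and GNU `find` and `stat -c` (as on CentOS) are assumed.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, not from the thread.

# audit_tree DIR GROUP
# Print one line per path that breaks the shared-group scheme.
audit_tree() {
    dir=$1
    grp=$2
    # Anything not owned by the shared group (name or numeric gid).
    find "$dir" ! -group "$grp" | sed 's/^/wrong-group /'
    # Directories without setgid: new entries would not inherit the group.
    find "$dir" -type d ! -perm -2000 | sed 's/^/no-setgid /'
    # Files or directories the group cannot write.
    find "$dir" \( -type f -o -type d \) ! -perm -0020 | sed 's/^/no-group-write /'
}

# fix_tree DIR GROUP
# One-time repair of an existing tree ("change each subfolder as well, once").
fix_tree() {
    dir=$1
    grp=$2
    chgrp -R "$grp" "$dir"
    find "$dir" -type d -exec chmod g+rwxs {} +
    find "$dir" -type f -exec chmod g+rw {} +
}

# create_mode DIR UMASK
# Create a throwaway file in DIR under UMASK and print its octal mode,
# e.g. to see what a daemon running with umask 022 would leave behind.
create_mode() {
    probe="$1/.umask-probe.$$"
    ( umask "$2"; : > "$probe" )
    stat -c '%a' "$probe"
    rm -f "$probe"
}
```

Typical use is `audit_tree /var/www/html apache` before and after `fix_tree /var/www/html apache`, run as a user allowed to change the group of the tree; an empty audit means every path follows the scheme.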