How to correctly set acl for www-data files?
I have web files stored on my server. Currently only the root has a full access:
drwxr-xr-x 6 root www-data directory
-rw-r--r-- 1 root www-data file.php
The problem is that the developers wants to use their own account su - myuser
to access and modify these files.
Unfortunately, the only solution I have found is to add these users to www-data
group and make the php files writable by www-data
which is ugly.
What alternative do I have?
linux file-permissions
add a comment |
I have web files stored on my server. Currently only the root has a full access:
drwxr-xr-x 6 root www-data directory
-rw-r--r-- 1 root www-data file.php
The problem is that the developers wants to use their own account su - myuser
to access and modify these files.
Unfortunately, the only solution I have found is to add these users to www-data
group and make the php files writable by www-data
which is ugly.
What alternative do I have?
linux file-permissions
Why are the developers modifying files on a production server? You should have at least a development server and maybe a staging server as well.
– DavidPostill♦
Jun 27 at 8:47
This is rather a development server than a production server, but the files get their permissions from the Git repository.
– nowox
Jun 27 at 8:48
The other solution (of a dev server) is to put the files in the same groups as developers, with read-access by the server. Unless the server needs write access to its own files but this is even more ugly...
– xenoid
Jun 27 at 11:34
add a comment |
I have web files stored on my server. Currently only the root has a full access:
drwxr-xr-x 6 root www-data directory
-rw-r--r-- 1 root www-data file.php
The problem is that the developers wants to use their own account su - myuser
to access and modify these files.
Unfortunately, the only solution I have found is to add these users to www-data
group and make the php files writable by www-data
which is ugly.
What alternative do I have?
linux file-permissions
I have web files stored on my server. Currently only the root has a full access:
drwxr-xr-x 6 root www-data directory
-rw-r--r-- 1 root www-data file.php
The problem is that the developers wants to use their own account su - myuser
to access and modify these files.
Unfortunately, the only solution I have found is to add these users to www-data
group and make the php files writable by www-data
which is ugly.
What alternative do I have?
linux file-permissions
linux file-permissions
asked Jun 27 at 8:12
nowox
77111528
77111528
Why are the developers modifying files on a production server? You should have at least a development server and maybe a staging server as well.
– DavidPostill♦
Jun 27 at 8:47
This is rather a development server than a production server, but the files get their permissions from the Git repository.
– nowox
Jun 27 at 8:48
The other solution (of a dev server) is to put the files in the same groups as developers, with read-access by the server. Unless the server needs write access to its own files but this is even more ugly...
– xenoid
Jun 27 at 11:34
add a comment |
Why are the developers modifying files on a production server? You should have at least a development server and maybe a staging server as well.
– DavidPostill♦
Jun 27 at 8:47
This is rather a development server than a production server, but the files get their permissions from the Git repository.
– nowox
Jun 27 at 8:48
The other solution (of a dev server) is to put the files in the same groups as developers, with read-access by the server. Unless the server needs write access to its own files but this is even more ugly...
– xenoid
Jun 27 at 11:34
Why are the developers modifying files on a production server? You should have at least a development server and maybe a staging server as well.
– DavidPostill♦
Jun 27 at 8:47
Why are the developers modifying files on a production server? You should have at least a development server and maybe a staging server as well.
– DavidPostill♦
Jun 27 at 8:47
This is rather a development server than a production server, but the files get their permissions from the Git repository.
– nowox
Jun 27 at 8:48
This is rather a development server than a production server, but the files get their permissions from the Git repository.
– nowox
Jun 27 at 8:48
The other solution (of a dev server) is to put the files in the same groups as developers, with read-access by the server. Unless the server needs write access to its own files but this is even more ugly...
– xenoid
Jun 27 at 11:34
The other solution (of a dev server) is to put the files in the same groups as developers, with read-access by the server. Unless the server needs write access to its own files but this is even more ugly...
– xenoid
Jun 27 at 11:34
add a comment |
2 Answers
2
active
oldest
votes
If your Linux server isn't too old, and you are on a standard filesystem for Linux, you can use access control lists to give permissions to other users.
For example, the following command will give read and write permissions to the myuser
user on file
: setfacl -m user:myuser:rw file
setfacl
may need to be installed, depending on your distribution.
add a comment |
I believe you need to use X and not x for the executable.
Step 1: Create Backup
First make a backup incase anything goes wrong someday:
mkdir ~/storage-changes
sudo getfacl -R /var/www > ~/storage-changes/default_www_facl
(Incase) To Restore
sudo setfacl --restore=~/storage-changes/default_www_facl
Apply ACL
Next, apply to a group:
# -R is recursive
# -m is modify
# -d applies to default ACL
sudo chgrp -R www-data /var/www
sudo setfacl -Rd g:www-data:rwX /var/www
sudo setfacl -Rdm g:www-data:rwX /var/www
ls -lta /var
sudo getfacl /var/www
The +
at the end of the file/dir listing only means it has additional ACLs.
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1334570%2fhow-to-correctly-set-acl-for-www-data-files%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
If your Linux server isn't too old, and you are on a standard filesystem for Linux, you can use access control lists to give permissions to other users.
For example, the following command will give read and write permissions to the myuser
user on file
: setfacl -m user:myuser:rw file
setfacl
may need to be installed, depending on your distribution.
add a comment |
If your Linux server isn't too old, and you are on a standard filesystem for Linux, you can use access control lists to give permissions to other users.
For example, the following command will give read and write permissions to the myuser
user on file
: setfacl -m user:myuser:rw file
setfacl
may need to be installed, depending on your distribution.
add a comment |
If your Linux server isn't too old, and you are on a standard filesystem for Linux, you can use access control lists to give permissions to other users.
For example, the following command will give read and write permissions to the myuser
user on file
: setfacl -m user:myuser:rw file
setfacl
may need to be installed, depending on your distribution.
If your Linux server isn't too old, and you are on a standard filesystem for Linux, you can use access control lists to give permissions to other users.
For example, the following command will give read and write permissions to the myuser
user on file
: setfacl -m user:myuser:rw file
setfacl
may need to be installed, depending on your distribution.
answered Jun 27 at 14:55
user2313067
2,0251911
2,0251911
add a comment |
add a comment |
I believe you need to use X and not x for the executable.
Step 1: Create Backup
First make a backup incase anything goes wrong someday:
mkdir ~/storage-changes
sudo getfacl -R /var/www > ~/storage-changes/default_www_facl
(Incase) To Restore
sudo setfacl --restore=~/storage-changes/default_www_facl
Apply ACL
Next, apply to a group:
# -R is recursive
# -m is modify
# -d applies to default ACL
sudo chgrp -R www-data /var/www
sudo setfacl -Rd g:www-data:rwX /var/www
sudo setfacl -Rdm g:www-data:rwX /var/www
ls -lta /var
sudo getfacl /var/www
The +
at the end of the file/dir listing only means it has additional ACLs.
add a comment |
I believe you need to use X and not x for the executable.
Step 1: Create Backup
First make a backup incase anything goes wrong someday:
mkdir ~/storage-changes
sudo getfacl -R /var/www > ~/storage-changes/default_www_facl
(Incase) To Restore
sudo setfacl --restore=~/storage-changes/default_www_facl
Apply ACL
Next, apply to a group:
# -R is recursive
# -m is modify
# -d applies to default ACL
sudo chgrp -R www-data /var/www
sudo setfacl -Rd g:www-data:rwX /var/www
sudo setfacl -Rdm g:www-data:rwX /var/www
ls -lta /var
sudo getfacl /var/www
The +
at the end of the file/dir listing only means it has additional ACLs.
add a comment |
I believe you need to use X and not x for the executable.
Step 1: Create Backup
First make a backup incase anything goes wrong someday:
mkdir ~/storage-changes
sudo getfacl -R /var/www > ~/storage-changes/default_www_facl
(Incase) To Restore
sudo setfacl --restore=~/storage-changes/default_www_facl
Apply ACL
Next, apply to a group:
# -R is recursive
# -m is modify
# -d applies to default ACL
sudo chgrp -R www-data /var/www
sudo setfacl -Rd g:www-data:rwX /var/www
sudo setfacl -Rdm g:www-data:rwX /var/www
ls -lta /var
sudo getfacl /var/www
The +
at the end of the file/dir listing only means it has additional ACLs.
I believe you need to use X and not x for the executable.
Step 1: Create Backup
First make a backup incase anything goes wrong someday:
mkdir ~/storage-changes
sudo getfacl -R /var/www > ~/storage-changes/default_www_facl
(Incase) To Restore
sudo setfacl --restore=~/storage-changes/default_www_facl
Apply ACL
Next, apply to a group:
# -R is recursive
# -m is modify
# -d applies to default ACL
sudo chgrp -R www-data /var/www
sudo setfacl -Rd g:www-data:rwX /var/www
sudo setfacl -Rdm g:www-data:rwX /var/www
ls -lta /var
sudo getfacl /var/www
The +
at the end of the file/dir listing only means it has additional ACLs.
answered Dec 12 at 16:12
JREAM
164111
164111
add a comment |
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1334570%2fhow-to-correctly-set-acl-for-www-data-files%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Why are the developers modifying files on a production server? You should have at least a development server and maybe a staging server as well.
– DavidPostill♦
Jun 27 at 8:47
This is rather a development server than a production server, but the files get their permissions from the Git repository.
– nowox
Jun 27 at 8:48
The other solution (of a dev server) is to put the files in the same groups as developers, with read-access by the server. Unless the server needs write access to its own files but this is even more ugly...
– xenoid
Jun 27 at 11:34