What is the difference between `chmod go-rwx` and `chmod 700` - unix

My goal is to prevent users other than the owner from reading or modifying the directory. On the Ubuntu forums, both approaches are given as solutions.
sudo useradd -d /home/newuser -m newuser
chmod 700 /home/newuser # or # chmod go-rwx /home/newuser
[Q] Is there any difference between chmod go-rwx and chmod 700 or both accomplish the same thing? If there is a difference which one is recommended?

go-rwx removes read, write, execute permissions from the group and other users. It will not change permissions for the user that owns the file.
Therefore, e.g., a file with 644 (rw-r--r--) permissions will have 600 (rw-------) after the command.
chmod 700 on the other hand will always change the permissions to 700 (rwx------), no matter the previous permissions.
So it depends on what you want to accomplish.
Notes:
Especially when using -R to change entire directories, this makes go-rwx more useful, as the executable flag is usually only wanted on folders (so they can be entered) and program files that need to be executed.
Using 700 would add the executable flag to all files that don't have it yet, which is usually not what you'd want to do.
What the general effect of chmod 700 would actually look like in the other notation is chmod u+rwx,go-rwx or chmod u=rwx,go= (grants all permissions to user that owns file, removes all permissions of group and other)
Not all versions of chmod support the ugo±rwx syntax scheme.

There could be a difference:
chmod 700 lets the owner read, write and execute, and gives no permissions for Group and Other.
chmod go-rwx removes read/write/execute permissions from group and others, but preserves whatever permissions the owner had.
So, for example, if the owner didn't have execute permission on the file, to begin with, and only had read and write, the result could be different. With chmod 700, the owner would also get execute permission, which he would not with chmod go-rwx.
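The difference described in the answers above, run recursively on a throwaway tree (an added example, not part of the original posts). The tree layout and the function names are constructed for the demo, and the `u=rwX,go=` form goes one step beyond the page: it is the standard symbolic mode that sets the owner's bits absolutely while adding execute only to directories and to files that already had an execute bit.

```shell
#!/bin/sh
# Compare recursive chmod modes on a constructed sample tree.

# Print the octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Constructed sample tree: directory (755), data file (644),
# script (755) and a read-only file (444).
make_tree() {
    root=$1
    mkdir -p "$root/sub"
    printf 'data\n' > "$root/sub/notes.txt"
    printf '#!/bin/sh\n' > "$root/sub/run.sh"
    printf 'ro\n' > "$root/sub/readonly.txt"
    chmod 755 "$root" "$root/sub" "$root/sub/run.sh"
    chmod 644 "$root/sub/notes.txt"
    chmod 444 "$root/sub/readonly.txt"
}

# Apply mode $1 recursively to a fresh tree and print the resulting modes
# in the order: sub/ notes.txt run.sh readonly.txt
modes_after() {
    work=$(mktemp -d) || return 1
    make_tree "$work/tree"
    chmod -R "$1" "$work/tree"
    result="$(mode_of "$work/tree/sub") $(mode_of "$work/tree/sub/notes.txt") $(mode_of "$work/tree/sub/run.sh") $(mode_of "$work/tree/sub/readonly.txt")"
    chmod -R u+rwx "$work"   # make sure cleanup can descend everywhere
    rm -rf "$work"
    printf '%s\n' "$result"
}

echo "mode        sub notes.txt run.sh readonly.txt"
echo "go-rwx    : $(modes_after go-rwx)"      # owner bits untouched
echo "700       : $(modes_after 700)"         # every file becomes executable
echo "u=rwx,go= : $(modes_after u=rwx,go=)"   # same effect as 700
echo "u=rwX,go= : $(modes_after u=rwX,go=)"   # execute only where it already made sense
```

Note that `go-rwx` leaves the read-only file at 400, while every absolute form also hands the owner write access to it.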

Related

Editing and Resetting Permissions for all folders, subfolders and files

I've just started to learn Linux Command Line. The setup I am on is AWS Lightsail bitnami Wordpress. I work with wordpress primarily.
I'm still confused about file permissions in Linux. Why do I have permissions denied when I sign in as the owner?
Whenever I have to FTP, overwrite, or edit files and folders, I have to change the permission settings for each affected folder and file manually via SSH.
More often than not, at the end of the day, I lose track of which folders' and files' permissions I have edited and need to reset to default. I find this a chore and I believe there is a better way.
I wonder if there are commands that can:
1. give me full access to all directories, folders, subfolders and files at once?
2. change the permissions for directories, folders, subfolders and files at once?
3. reset the permissions of all edited files to default/original all at once?
To check the permission of the file
sudo stat TARGETFOLDER
To change the permission of the file
sudo chmod 777 TARGETFOLDER
Bitnami Engineer here,
We configure the permissions of the WordPress files by setting bitnami as the user owner and daemon as the group owner of the files. This configuration allows you to edit the files using the bitnami user, and the web server can use the daemon group to do the same. However, if you make changes to the application using the web interface (installing plugins or themes), those new files are owned by daemon:daemon (the Apache and PHP-FPM services use that user and group, so they generate the files using that permissions configuration) and you won't be able to edit them unless you use the command line and sudo. In that case, you can run the following commands to be able to edit those files using the bitnami user:
sudo chown -R bitnami:daemon /opt/bitnami/apps/wordpress/htdocs
sudo find /opt/bitnami/apps/wordpress/htdocs -type d -exec chmod 775 {} \;
sudo find /opt/bitnami/apps/wordpress/htdocs -type f -exec chmod 664 {} \;
sudo chmod 640 /opt/bitnami/apps/wordpress/htdocs/wp-config.php
You can learn more about this here
https://www.youtube.com/watch?list=PLGgVZHi3XQNn4x0DU7Qj1r_inej3xEUda&v=nKfle7O0vN8&feature=emb_title
For 1 and 2, you can try the chmod -R option.
3. I think it cannot. You should restore it. Maybe it helps.

centos add folder full access only to a specific group

On my CentOS server (Amazon AMI) with nginx installed, I would like to guarantee full access 777 (read, write, execute) to a specific folder only for users in a specific group and deny any type of access to all others.
Well, first I create the folder:
sudo mkdir var/www
then I create the group:
sudo groupadd lavagrp
add specific users to the group:
sudo usermod -a -G lavagrp ec2-user
sudo usermod -a -G lavagrp nginx
then I add the group permission to the folder in this manner:
sudo chgrp lavagrp: 777 var/www
but the system responds:
"group not valid lavagrp"
If I check the group with
getent group lavagrp
the group exists and the system returns
lavagrp:x:501:ec2-user,nginx
Does someone know how I can grant my folder var/www full control just for lavagrp users?
Thanks in advance.
There are a couple of issues with your chgrp command. The ":" character and the 777 parameter are causing the "group not valid lavagrp" error because the chgrp program doesn't understand what these are.
I also wouldn't recommend setting 777 on this folder. You can achieve the same result using the following commands.
sudo chmod 770 /var/www
sudo chgrp lavagrp /var/www
This means the owner has read, write and execute permissions, the group has read, write and execute permissions and every other user cannot read, write or traverse into that directory.
You can use the "setfacl" command like below:
setfacl -R -m g:lavagrp:rwx /var/www
With this command, other users have the default permission on this dir (in other words, the same access as before), but lavagrp's users have 777 access on this directory and its subdirectories (and files).

LEMP + wordpress file permissions to be able to edit, upgrade and use sftp client

I am trying to manage file permissions on a debian webserver that runs nginx, so that wordpress can edit, upload and upgrade without having to use ftp. I also want to be able to login using sftp with my user account.
I am aware of the fact that this question has been asked before, see here or here, but following the steps in those answers hasn't been satisfying. The setup currently looks as follows:
The wordpress folder is in /var/www/html/
I made a new user ("user") and group ("group"). The server user is "www-data".
All files in the wordpress folder are owned by user:group.
Both "user" and "www-data" are set to belong to "group".
I changed file and folder permissions as follows:
find /var/www/html/ -type d -exec chmod 2775 {} +
find /var/www/html/ -type f -exec chmod 664 {} +
I set the default umask to 0002.
I would have thought this should work, but currently I can edit and upload files from within wordpress, but not update wordpress, functions or themes.
It also does not work with "group" set as default group for "user" and/or "www-data" (by editing /etc/passwd).
Alternatively, I made all files in /var/www/html/ owned by user:www-data, but also without success.
The only way I seem to get wordpress to update without ftp is by making the wordpress-folder and all its files owned by "www-data". Unfortunately, the result of that is that I cannot upload files using an sftp-client (because the target is now a folder that is not owned by "user").
How can this be? As far as I understand these steps should give wordpress the proper permissions, but something still is wrong.
Your help would be greatly appreciated.
On a debian server I followed these steps. It might not be the most secure solution as I read here, but it works (wordpress can edit, upload and upgrade - and I can upload using sftp).
Create a new user "user"
Create a new group "group" (you can choose to use www-data as group as well)
Add user and www-data to group
usermod -G group user
usermod -G group www-data
Check group numerical id in /etc/group
e.g. group:x:1002
Change default group of www-data and user in /etc/passwd
e.g. user:x:1001:1002:...
In /etc/php5/fpm/pool.d/www.conf (in my case) change group=www-data to ;group=www-data. Now nginx will use the default group of www-data which we just set to "group". Reload service (php5-fpm).
Recursively change owner of your wordpress folder to user:group
chown -R user:group /var/www/html
Change permissions in your wordpress folder (The 2 is to assign new files to the parent folder's group)
find /var/www/html/ -type d -exec chmod 2775 {} +
find /var/www/html/ -type f -exec chmod 664 {} +
Change umask to UMASK 0002 in /etc/login.defs
In wordpress, enforce direct upload (so no ftp) by adding define('FS_METHOD','direct'); to wp-config.php. In my case, this was an essential step.
To get things working, I needed to reboot.
I ran into this issue and I figured that I would share how I fixed it on Ubuntu running PHP 7 in case it can help someone. I adapted the following after reading this article that outlines how it is done with PHP 5.
Nginx needs to be optimized with PHP pools in order to give ownership of files and folders to users.
First, you need to create a new PHP-FPM memory pool. Do this by copying the default memory pool and renaming it with the user that you want to associate it with:
sudo cp /etc/php/7.0/fpm/pool.d/www.conf /etc/php/7.0/fpm/pool.d/username.conf
Edit the file:
sudo nano /etc/php/7.0/fpm/pool.d/username.conf
Go through the file and change username in the following locations:
; Start a new pool named 'www'.
; the variable $pool can we used in any directive and will be replaced by the
; pool name ('www' here)
[username]
; Note: The user is mandatory. If the group is not set, the default user's group
; will be used.
user = username
listen = /run/php/php7.0-fpm.username.sock
Now you need to update your server block(s). You will need to adjust to the correct sockets to allow access to the newly created pool.
Open your server configuration file:
sudo nano /etc/nginx/sites-available/default
Or if you set up server blocks (virtual hosts), then:
sudo nano /etc/nginx/sites-available/example.com
Edit the following line and replace username:
fastcgi_pass unix:/run/php/php7.0-fpm.username.sock;
Finally, restart Nginx:
sudo service nginx restart

Unix cp command not transferring 777 permission?

I've been using cp -r to duplicate some things in my file system and something bizarre keeps happening...certain directories that are permissioned as 777 have more secure permissions in the target directories I am copying to.
Is this normal behavior?
cp -a might resolve your situation. You need to tell cp to preserve the permissions so that it doesn't inherit them from your umask.
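The behaviour in this question and answer, reproduced on a constructed directory (an added example, not part of the original posts): `cp -r` masks the source modes with the current umask, while `cp -a` carries them over unchanged. The function names and the sample layout are assumptions made for the demo.

```shell
#!/bin/sh
# Show how umask shapes the modes of a `cp -r` copy and how `cp -a` preserves them.

# Print the octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Copy a constructed 777 directory holding a 666 file with cp flag $1
# under umask $2; print "dir-mode file-mode" of the copy.
copy_modes() {
    flag=$1
    mask=$2
    work=$(mktemp -d) || return 1
    mkdir "$work/src"
    printf 'x\n' > "$work/src/f"
    chmod 777 "$work/src"
    chmod 666 "$work/src/f"
    # The subshell keeps the umask change from leaking into the caller.
    ( umask "$mask"; cp "$flag" "$work/src" "$work/dst" )
    result="$(mode_of "$work/dst") $(mode_of "$work/dst/f")"
    rm -rf "$work"
    printf '%s\n' "$result"
}

echo "cp -r, umask 022: $(copy_modes -r 022)"   # source modes with 022 masked off
echo "cp -r, umask 077: $(copy_modes -r 077)"   # a stricter umask tightens the copy further
echo "cp -a, umask 022: $(copy_modes -a 022)"   # modes preserved
echo "cp -a, umask 077: $(copy_modes -a 077)"   # modes preserved regardless of umask
```

When a copy is meant to end up tighter than its source, the `cp -r` result is the safer default; `cp -a` reproduces a world-writable source exactly.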

chgrp permanently for a directory

I'm running a CentOS 5.0 server with root access. The /var/www folder was originally set recursively with root as the owner and group. So I did a chgrp -R webdevs /var/www and a chmod -R g+rwx /var/www command to give all members of the webdevs group read/write access. These changes work as required for all preexisting files. However, when user examplewebdev creates a new file in the /var/www directory, the group defaults to examplewebdev instead of webdevs. How do I change the defaults for new file creation?
Try to play with ACLs: man setfacl.
http://www.vanemery.com/Linux/ACL/linux-acl.html#default
I use 'newgrp' command but I think it applies only in the shell you are currently in.
