How to set group permissions for users

Hi,

I have two users on my webserver. I need both of them to have access to add and remove files/directories from a certain directory but still allow apache to serve the web pages.

The directory I need to share is:
/srv/www/htdocs/website1

I can get one user or the other to have the desired access but not both at the same time.

I tried the following chown settings:
user1:users
user2:users
wwwrun:www
user1:root

The first two allow one user or the other to gain access.

Here is the user/group membership as shown in yast:
user1 - www,dialout,video,users
user2 - www,dialout,video,users

I tried adding user1 to the root group but that didn’t work either.

Could someone please help me figure this out? Also, is it necessary for users to log in and out to gain new permissions like Windows accounts?

Thanks a lot!
rob

This is not a problem that can be solved with traditional Unix permissions. Normally what one would do is make the top directory group owned by users, group writable and with the group s bit on. This ensures that the group ownership propagates to any directories created. (This interpretation of the s bit for directories is an invention from BSD Unix.) The problem is, it is not sufficient to ensure that the group write bit is turned on for files and directories underneath, as well as ensure that the world read bit is on so that Apache can serve the files. (Also the world x bit for directories.) Umask can only mask away permissions, not force them on.

If the users are accessing the directories via Samba, you can get samba to force group and world permissions.

If the users are accessing the directories via ftp, some ftp servers also allow group and world permissions to be forced.

If the users are accessing the directories directly or via sftp, then you have to use POSIX ACLs to do this. The man pages to read are setfacl and getfacl.

Also if you have other users on the system that you don’t want to give access to these directories, then you should use a separate group for this, instead of users.

Is there any way you could post an example? I have been reading the setfacl man page and having a bit of trouble understanding. I am pretty much a beginner at UNIX but I try pretty hard to find my own answer through research and experimentation before posting.

We are accessing the file system primarily using WinSCP which is using sftp with fallback of scp. I’m not sure which protocol the app is deciding on.

I would also like to make sure we have access via the command line. Generally we use PuTTY to connect to the command line.

I have a basic/generic text mode installation of openSUSE 11.0.

I will re-read the suggested man pages and try anything that makes sense.

I did post one other question. Do Linux users have to log in and out like Windows users to gain their new permissions? From my experimentation, it seems as though this is dynamic but I would like to know for sure.

Here is what I came up with. Could you tell me if this is best practice and if it is secure?

target folder: /srv/www/htdocs/website1

Both users are a member of the USERS group. I set the directory ownership to root:users and permissions to 775.

getfacl:

# file: website1
# owner: root
# group: users
user::rwx
group::rwx
other::r-x

ls -l:
drwxrwxr-x 2 root users 4096 2009-08-29 09:32 website1

Apache still seems to be able to serve the pages and I can write, overwrite and delete files with both users within the website1 directory.

This led to another problem. If I log into the webserver as User1, navigate to the target directory, and create a new directory, I see that User1 is the owner with permissions of 755.

Now if I log in as User2, this user cannot add, change or delete files/directories because the owner is User1 and group permissions are only r-x. User2 does not have write permissions to the directory.

How can I get all nested directories that are created to still allow permission for both of these users to perform add, change, and delete operations?

Continuing research…

To be able to delete a directory, the user must be able to empty it first, so she must have write permission on it. Then the user must have write permission on the parent directory, to delete the directory.

That’s the problem with creation of directories. Without ACLs there is no way to force the group write bit on when the user creates it, so that other people can empty it. So you will have to set an ACL on the top directory that forces group ownership and group write and make it propagate downwards to subdirectories and files. You do this by setting the default ACL of the top directory. See man 5 acl under the section OBJECT CREATION AND DEFAULT ACLs.

If a user has her group membership changed, the user has to logout and login again because the group memberships are read once at start of the session.

That man page has some good information. It expands on what you mentioned here. Unfortunately there are no examples.

I have tried a number of different things such as changing the default ACL. I believe changing the default ACL is what needs to be done so when a user creates a directory, it has permissions that I specifically configure. Nothing that I have tried so far has worked.

I’ll try a few more things and post what I attempted. So far I’m getting nowhere.

Make sure the filesystem in question is mounted with the user_xattr option, otherwise POSIX ACLs are not supported.

From reading the man page of setfacl, it might be something like this (untested):

setfacl -m d:g:users:rwx /srv/www/htdocs/website1

which allows the group users to rwx. Then you can verify with:

getfacl /srv/www/htdocs/website1

I have a default text mode installation of openSUSE. I’ll have to check if the file system is mounted as you pointed out. Is there an easy way to check that?

After I determine that, I’ll try your suggested command line. That looks similar to command line examples shown in the SETFACL man page.

Just run the command “mount”. The output for a filesystem should look something like this:

/dev/sda2 on / type ext3 (rw,noatime,acl,user_xattr)

Actually it’s the acl option that matters according to the man page, not sure if user_xattr is needed to support it, without looking further.

This is what mount reported for the drive mounted to /srv/www/htdocs/website1 (I have a drive dedicated to the site):

/dev/sdb1/ on /srv/www/htdocs/website1 type ext3

My fstab looks like this for the drive above:

/dev/sdb1 /srv/www/htdocs/website1 ext3 defaults 0 0

I will need to research how to configure this correctly but I might configure it like the root partition:

/dev/sda2 / ext3 acl,user_xattr 1 1

I’m not sure what the numbers mean at the end of that line. I will look this up and set it accordingly.

See man fstab for an explanation of those fields.

I set my fstab like this:

/dev/sdb1 /srv/www/htdocs/website1 ext3 acl,user_xattr 0 0

Mount looks like this:

/dev/sdb1 on /srv/www/htdocs/website1 type ext3 (rw,acl,user_attr)

I set the permissions on the website1 directory while I was sitting at /srv/www/htdocs:

setfacl -m d:g:users:rwx website1

getfacl website1 looks like this:

# file: website1
# owner: user1
# group: users
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::r-x
default:group:users:rwx
default:mask::rwx
default:other::r-x

When I navigate into /srv/www/htdocs/website1 as user1, I ran these commands:

md test
touch test.txt

The permissions turn out like this:

drwxr-xr-x+ 2 user1 users 4096 2009-09-02 21:14 test
-rw-rw-r--+ 1 user1 users 0 2009-09-02 21:14 test.txt

User2 cannot make new directories or files in the newly made “test” directory created by user1. So it looks like the altered default acl is not accomplishing anything.

If user2 creates a directory, the permissions are what I am striving for: drwxrwxr-x+

Do you have another idea?

You should have done a getfacl on test and test.txt to see what the effective permissions were.

I did a few quick tests.

If you do

setfacl -m d:g:users:rwx d

then the group users cannot create in d, e.g. mkdir d/d or touch d/f

However if you (the owner) first do:

mkdir d/d

then the group users can create and delete in d/d, e.g. mkdir d/d/d or touch d/d/f, and the inheritance works as advertised.

I can’t explain this, maybe it’s to do with the existing defaults on the top directory.

So in your case

mkdir d
setfacl -m d:g:users:rwx d
mkdir d/website1
mv website1 website1.old
mv d/website1 website1
rmdir d

should get you going.
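The default-ACL behaviour discussed in the replies above (setting `d:g:users:rwx`, the inheritance rules in acl(5), and the advice to run getfacl on the newly created `test` directory and file) can be reproduced without a test box. The following is an added example, not code from this thread; it is a pure-Python model of the acl(5) access-check and object-creation algorithms, with the ACL text copied from the getfacl output quoted above and the user and group names assumed to match the thread. It shows that a newly created object's mask is intersected with the group bits of the mode the creating program requests (0666 for touch, 0777 for a plain mkdir(2), 0755 if a program passes that mode explicitly), that `ls -l` shows the mask rather than the group entry in the group column, and that a default entry alone grants nothing on the directory it is set on.

```python
"""
Pure-Python model of the POSIX ACL rules in acl(5): parsing getfacl output,
the ACCESS CHECK ALGORITHM, and OBJECT CREATION with a default ACL. Needs no
root and no ACL-enabled filesystem. The text in WEBSITE1 is constructed from
the getfacl output quoted in the thread; user/group names are assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

R, W, X = 4, 2, 1


def parse_perms(text: str) -> int:
    """'rwx' / 'r-x' / '---' -> permission bits."""
    return (R if "r" in text else 0) | (W if "w" in text else 0) | (X if "x" in text else 0)


def fmt_perms(bits: int) -> str:
    return ("r" if bits & R else "-") + ("w" if bits & W else "-") + ("x" if bits & X else "-")


@dataclass
class Acl:
    user_obj: int = 0                                     # user::   (owner)
    group_obj: int = 0                                    # group::  (owning group)
    other: int = 0                                        # other::
    users: Dict[str, int] = field(default_factory=dict)   # user:NAME:
    groups: Dict[str, int] = field(default_factory=dict)  # group:NAME:
    mask: Optional[int] = None                            # mask::   (present with named entries)

    def set_entry(self, tag: str, name: str, bits: int) -> None:
        if tag == "user":
            if name:
                self.users[name] = bits
            else:
                self.user_obj = bits
        elif tag == "group":
            if name:
                self.groups[name] = bits
            else:
                self.group_obj = bits
        elif tag == "other":
            self.other = bits
        elif tag == "mask":
            self.mask = bits
        else:
            raise ValueError(f"unknown ACL tag {tag!r}")

    def ls_string(self) -> str:
        """What ls -l shows: the group column is the mask when one exists,
        and '+' flags an extended access ACL."""
        group_col = self.group_obj if self.mask is None else self.mask
        plus = "+" if self.mask is not None else ""
        return fmt_perms(self.user_obj) + fmt_perms(group_col) + fmt_perms(self.other) + plus


def parse_getfacl(text: str) -> Tuple[Acl, Optional[Acl]]:
    """Split getfacl output into (access ACL, default ACL or None)."""
    access, default = Acl(), None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drops '# file:' headers and '#effective:' notes
        if not line:
            continue
        parts = line.split(":")
        target = access
        if parts[0] == "default":
            if default is None:
                default = Acl()
            target, parts = default, parts[1:]
        tag, name, perms = parts
        target.set_entry(tag, name, parse_perms(perms))
    return access, default


def may(acl: Acl, want: int, uid: str, gids: set, owner: str, group: str) -> bool:
    """acl(5) ACCESS CHECK ALGORITHM for a caller `uid` with groups `gids`
    on an object owned by owner:group."""
    mask = R | W | X if acl.mask is None else acl.mask
    if uid == owner:                                    # owner entry: mask never applies
        return (want & acl.user_obj) == want
    if uid in acl.users:
        return (want & acl.users[uid] & mask) == want
    matching = [acl.group_obj] if group in gids else []
    matching += [bits for name, bits in acl.groups.items() if name in gids]
    if matching:                                        # any matching group entry may grant
        return any((want & bits & mask) == want for bits in matching)
    return (want & acl.other) == want


def create(parent_default: Optional[Acl], mode: int, is_dir: bool, umask: int = 0o022):
    """acl(5) OBJECT CREATION. No default ACL: mode is reduced by umask. With
    one: copy it, AND owner/other entries with the mode, AND the mask (or the
    group entry if there is no mask) with the mode's group bits; umask is
    ignored. A new directory also inherits the default ACL."""
    own, grp, oth = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    if parent_default is None:
        m = mode & ~umask
        return Acl((m >> 6) & 7, (m >> 3) & 7, m & 7), None
    acl = Acl(parent_default.user_obj & own, parent_default.group_obj, parent_default.other & oth,
              dict(parent_default.users), dict(parent_default.groups), parent_default.mask)
    if acl.mask is None:
        acl.group_obj &= grp
    else:
        acl.mask &= grp
    return acl, (parent_default if is_dir else None)


WEBSITE1 = """\
# file: website1
# owner: user1
# group: users
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::r-x
default:group:users:rwx
default:mask::rwx
default:other::r-x
"""


def thread_scenario() -> dict:
    """Replay the thread: user2 (groups users and www, not the owner) working
    under website1 after `setfacl -m d:g:users:rwx website1`."""
    access, default = parse_getfacl(WEBSITE1)
    u2 = dict(uid="user2", gids={"users", "www"}, owner="user1", group="users")
    out = {}
    out["user2_write_website1"] = may(access, W, **u2)       # access ACL group::rwx decides
    f, _ = create(default, 0o666, is_dir=False)               # touch test.txt
    out["touch_ls"] = f.ls_string()                           # mask clipped to rw-
    out["user2_write_file"] = may(f, W, **u2)
    d, d_default = create(default, 0o777, is_dir=True)        # mkdir(2) with mode 0777
    out["mkdir_0777_ls"] = d.ls_string()
    out["user2_create_in_dir_0777"] = may(d, W | X, **u2)
    out["subdir_inherits_default"] = d_default == default
    d, _ = create(default, 0o755, is_dir=True)                # a program passing mode 0755
    out["mkdir_0755_ls"] = d.ls_string()                      # mask clipped to r-x
    out["user2_create_in_dir_0755"] = may(d, W | X, **u2)
    # `setfacl -m d:g:users:rwx d` changes only the default ACL; d's own access
    # ACL (user1-owned, mode 755) still decides who may create inside d.
    plain = Acl(R | W | X, R | X, R | X)
    out["user2_create_in_default_only_dir"] = may(plain, W | X, **u2)
    return out


if __name__ == "__main__":
    for key, value in thread_scenario().items():
        print(f"{key:32} {value}")
```

Run it with `python3` and compare the `touch_ls` and `mkdir_*_ls` values with the `ls -l` lines posted in the thread; on a real system, `getfacl` on the new objects prints the same clipping as an `#effective:` note next to the `group:users` entry. The model is the check the reply above asks for: when the mask on a created object comes out as `r-x`, the cause is the mode requested by the creating program, and chmod'ing the directory's group bits (which edits the mask) or creating with mode 0777 restores the inherited `rwx`.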