Need help understanding group permissions

So here’s my setup:

Opensuse 11, 64bit server.
Opensuse 11, 64bit client.

In a directory on my server I have the files for a website. The permissions were: reg:users, “reg” being me. This works fine through “svn” I can update, change, delete and so on.

However, PHP could not write to the directories. So, I changed the owner to wwwrun:www to see if that would fix it. Sure enough it predictably was able to write to files, but of course I could not.

So, I set up a new group called “web-dev” and added both myself and apache2 to the new group. I then set the permissions on all of the files and dirs. to 775 - this to mean, as far as I understood, that the owner and the group could do anything to those files.

I then changed the group on all the files and dirs. to “web-dev”.

Ok, so I would have thought that with myself and apache2 both members of “web-dev” and permissions being 775 and all files and dirs. in question having the group “web-dev” that both me and apache could now write to them.

Not so, still only the owner can write unless I change the permissions to 777 which of course is not desirable.

I have my firewall turned off (while I’m getting this all going) and apparmor also disabled. It’s fine to be that way for the short term since this server is for my LAN and is behind my business class router.

The application (Aptana/svn) that I access the files through is on the client linux computer and connects through “http” (which I find ironic) to the server.

Just as one last try, I created the “web-dev” group on my client computer, and added “reg” to the group. Now I have the group set up on both computers and both “reg” and “web-dev” have the same IDs on both computers as well.

I’m sure it’s just a lack of understanding on my part as to why this group setup is not working; could someone please tell me what I need to do to make groups able to write to files, not just the owner.

When you say you added yourself and apache2 to this new group, I hope you meant that you (effectively) added this to /etc/group:

web-dev:x:NNN:you,wwwrun

because the apache2 account is called wwwrun.

I then changed the group on all the files and dirs. to “web-dev”.

Fine, but there is another thing you have to do. You have to logout and login again, because group membership is only read once, at login. The apache2 server has to be restarted, because, similarly, the server’s group membership is evaluated at service start.

The application (Aptana/svn) that I access the files through is on the client linux computer and connects through “http” (which I find ironic) to the server.

Just as one last try, I created the “web-dev” group on my client computer, and added “reg” to the group. Now I have the group set up on both computers and both “reg” and “web-dev” have the same IDs on both computers as well.

I’m sure it’s just a lack of understanding on my part as to why this group setup is not working; could someone please tell me what I need to do to make groups able to write to files, not just the owner.

If you are always accessing the files through HTTP, then the user that matters is the apache2 user (wwwrun), and it would have been sufficient to make the files owned by wwwrun.

A process only has the privileges of the user and the group it is RUNNING with.

Adding a user to a group in /etc/groups only means that a user may ATTACH to that group.

Adding wwwrun and reg to the group web-dev means that they may use that group, but not that they do per se. As a user you will get at login your primary group (as mentioned in /etc/passwd) and then you can change to another group with the newgrp command.

Coming back to what you want, IMHO you better let your Apache run as it did and remove the web-dev group (and revert group ownership of the files). When you want to work on your website data, either do a newgrp or (would be my solution) make a new user with primary group www just for www management.

I prefer that last solution because I then have a good separation of roles and that is one of the basics of security. Also there are no changes in your Apache/PHP environment, which will come in very handy when you update to another OS level or migrate the service to another system.

Thanks for your replies. There are a couple of things that don’t make sense, and perhaps one or two more pieces of information I need to give.

First, you need to restart apache for group permissions:

This doesn’t make sense to me but I am very new and probably missing some key point. I thought security was handled on the OS level and should have immediate effect? What security doesn’t work immediately… that’s kind of a prerequisite to security being useful isn’t it?

web-dev:x:NNN:you,wwwrun

Yes, I just checked the group file and that is what it looks like. However, I made the user and group changes through YaST instead of editing the files directly.

If you are always accessing the files through HTTP, then the user that matters is the apache2 user (wwwrun), and it would have been sufficient to make the files owned by wwwrun.

I think this is a special case, otherwise my app. would not have been blocked when I changed permissions to wwwrun:www and worked when I changed them back to reg:users. The difference here being that it is using “DAV” and an “SVN DAV” plugin to apache (version control software); it probably does something to make the user credentials sent from the app. what counts instead of apache.

A process only has the privileges of the user and the group it is RUNNING with.

Adding a user to a group in /etc/groups only means that a user may ATTACH to that group.

I suspect this is the meat of my lack of understanding. So please excuse a small list of questions here, but I think this will make it crystal clear how permissions/users/groups work if I can get these answered:

I assume user permissions override group permissions. That is, if a user is reg:users and a file he works on has reg:users permissions then the permissions for “reg” would apply and not the group.

However, if reg:users was to work on a file with john:users then the permissions for “users” would apply.

If a user is a member of many groups then I would assume that whatever file/dir. that user is working on, as long as the user is a member of the group of that file/dir., they would have the group permissions, unless of course the user was the owner, in which case the user’s permissions would apply.

From what I am reading, I’m getting the feeling it is not that simple and there is a “primary group” factor to take into account. Is this the case?

And if so, why would you even bother to make it possible for a user to be a member of multiple groups which you can do so very easily?

Ok, the group in /etc/passwd is the primary group. Those specified in /etc/group are called supplementary groups. As far as the permission system is concerned, membership in either is equally good. I think there is a limit on supplementary groups, 32 IIRC.

The reason why a session has to be restarted after changing groups is that group membership is only read in once at login time by a process leader and thereafter inherited by children processes. It’s just the way Unix/Linux works in this regard so we have to live with it. So you can see group membership is not something one should change often. You can see the groups one belongs to with the command

groups

If you add yourself to a group in /etc/group and then run groups, you will not see it change until you login again.

As for how access works with owner and group permissions it goes like this:

if the object is owned by uid
then
  check owner bits
  if allowed, give access
  else deny access and finish
else if object is group owned by gid
then
  check group bits
  if allowed, give access
  else deny access and finish
else
  check world bits
  if allowed, give access
  else deny access

If you read carefully you will see that it is possible that an owner cannot access an object even though his group can, because once owner access is denied, group access isn’t checked. Ditto for group and world permissions. So it is possible that an owner can have less permissions than his group. Again, this is how it works.

Another thing to remember is that the whole path is checked, not just the last component of the path. This means that you also need sufficient permissions on directories all the way from /. In particular you need the access bit (x).
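The decision tree and the path rule above, as an added example that is not from this thread: a small Python model of the mode-bit check that walks every directory on the path (needing x on each), treats primary and supplementary groups alike, and shows why wwwrun only gains web-dev access once its process is restarted with the new group set. The uids, gids, paths and modes are constructed for the example.

```python
from dataclasses import dataclass
import posixpath

R, W, X = 4, 2, 1  # permission bits, as in a mode triplet


@dataclass
class Obj:
    uid: int   # owner
    gid: int   # group owner
    mode: int  # e.g. 0o775


# Constructed toy filesystem: reg is uid 1000 (primary group users=100),
# wwwrun is uid 30 (primary group www=8), web-dev is gid 1001.
FS = {
    "/": Obj(0, 0, 0o755),
    "/srv": Obj(0, 0, 0o755),
    "/srv/www": Obj(1000, 1001, 0o775),             # reg:web-dev 775
    "/srv/www/index.php": Obj(1000, 1001, 0o664),   # reg:web-dev 664
    "/srv/www/owner-only": Obj(1000, 1001, 0o475),  # owner r--, group rwx
    "/srv/private": Obj(0, 0, 0o700),               # root-only directory
    "/srv/private/f": Obj(1000, 1001, 0o664),       # reg owns it, but no x on parent
}

# (uid, set of gids the running process carries: primary + supplementary)
REG = (1000, {100, 1001})
WWWRUN_BEFORE_RESTART = (30, {8})          # still running with the old group set
WWWRUN_AFTER_RESTART = (30, {8, 1001})     # re-read /etc/group at service start


def bits_allow(obj, uid, gids, want):
    """The decision tree from the post: exactly one class (owner, else group,
    else world) is consulted; a denied owner is never re-checked as group.
    The uid 0 override of the real kernel is deliberately left out."""
    if uid == obj.uid:
        cls = (obj.mode >> 6) & 7
    elif obj.gid in gids:
        cls = (obj.mode >> 3) & 7
    else:
        cls = obj.mode & 7
    return cls & want == want


def access(path, uid, gids, want):
    """Every directory from / down needs x; only then are the final
    component's bits compared against `want`."""
    cur = "/"
    for part in [p for p in path.split("/") if p]:
        if not bits_allow(FS[cur], uid, gids, X):
            return False
        cur = posixpath.join(cur, part)
    return bits_allow(FS[cur], uid, gids, want)
```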

Very clear and concise, thanks!

Your decision tree was great - you speak the language of a programmer to a programmer, couldn’t be easier.

One last question:

If I add a group to “reg” but I am logged in as “root” will the change for reg be immediate or do I still need to log out/in as root?

BTW, I just restarted apache, now knowing that groups are loaded on startup, and now my group setup works just like it should. Thanks.

It’s nothing to do with what root has to do. It’s reg that has to login to get the new group. If reg is not logged in then it will happen next login. If reg is already logged in, then he has to logout and login.