I must have missed something about permissions! I hope someone can tell me what.
Since I reinstalled openSUSE (motherboard down), wwwrun can no longer write to my local site logs (like errorlog), though the permissions are the same ones.
With those ownerships and permissions (664):
-rw-rw-r-- 1 erik wwwrun 7864 29 sept. 19:50 errorlog
wwwrun won’t be allowed to write to errorlog.
Clarification: the path is executable.
Of course if I change the permissions to 777 there won't be any problem, but, even if I doubt anybody could hack my machine, and the local site is only designed for development, I prefer to use more secure permissions. And, as I said before, it was working fine before with the same set of permissions. So what went wrong?
Another way to make it work is to change the owner to wwwrun. But this time it's me (erik) who can't edit the logs. That leads me to my main question: why can wwwrun write to a file as owner and not as a member of a group, when in both cases it has the same permissions (and especially write ones)?
I think I haven’t understood all the subtleties of permissions. Could someone uncover them for me?
YaST2 Users shows that wwwrun is the Apache WWW Daemon and belongs to groups www and wwwrun. I thought it was the default configuration… should I have already altered it? I don't remember having done that.
I don’t know the difference between primary or not primary groups. Nor how to check it, of course.
What you see when YaST > Users and Groups says "WWW daemon apache" is the string in the user definition (in /etc/passwd) that explains why that user is there. It is used for running Apache (server/daemon), not the daemon itself.
See:
grep www /etc/passwd
The primary group of a user is the group mentioned in the /etc/passwd entry of that user. It is in effect the group the user belongs to in the first place. Users can also be attached to other groups in the system, so they can use the group permissions of files owned by another group. You could e.g. add group www to a user (created by you) that has a different primary group (e.g. users), to enable that user access allowed by the group permission bits of files owned by group www. That user could then edit e.g. the pages of the web server.
I see that I also have two groups related to www: www and wwwrun. I am not sure why the second is there. In any case, when user wwwrun must be able to write in that file, it should be a member of the group wwwrun. Check:
Thanks to both of you for your replies. I didn’t have time to deal with this problem since my last post.
I actually had misconceptions about users and groups.
I thought that a user is necessarily member of the group with the same name. Obviously it is not the case:
So my previous owner and group permissions in the local web server:
-rw-rw-r-- 1 erik wwwrun 9830 2 oct. 20:32 errorlog
could not allow Apache to write into logs.
I just changed wwwrun to www and that's it.
Something confused me (and still does):
when I look into YaST2 Users (GUI), I see on the first tab that wwwrun is a member of www and wwwrun. But if I try to edit this line, wwwrun is not checked as a group of which wwwrun is a member;
with Groups (second tab): group wwwrun has erik and wwwrun as members; when editing, wwwrun is not part of the main list (where erik is checked), but it is checked in a greyed area below.
I am not sure I fully understand your description of what you see in YaST > Users and Groups (that is why we love CLI commands and their output in the forums, they show without further explanation how things are)…
But I try to guess what you may have found.
You probably stumbled into the fact that you can not remove the primary group of a user.
In the group definitions you can add users (often an advice given when something “does not work”, most often a bad advice though). But the primary group is coupled to a user in the user definition. It can not be removed because a user must have a primary group. It can be changed to another group, but that must be done in the user definition (I guess the Users tab of the YaST screen).
So, I do have the group wwwrun (do not know why) and it is not used at all, because it is not used as primary group for any user (please believe me, I did check that) and, as you see, it has no other users attached.
The group www (GID=8) is the primary group of user wwwrun (see the third field there).
Also wwwrun is mentioned as a group attached to group www. Superfluous!
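To make the two explanations above (the primary group coming from /etc/passwd, supplementary groups coming from /etc/group, and the file's group bits only applying when the process holds that group) concrete, here is an added example that is not part of this thread or of openSUSE. It reads a constructed passwd/group database modelled on the thread (the uids, gids and names are assumptions, not the poster's real values), computes what `id` would report, and then applies the classic Unix permission rule to the three file ownerships discussed: erik:wwwrun, erik:www and wwwrun:wwwrun, all with mode 664.

```python
"""Evaluate classic Unix (DAC) permission checks from passwd/group data.

Added example, not from the thread. The sample database below is
constructed: names and numeric ids are assumptions modelled on the posts.
"""
import stat

# Constructed /etc/passwd excerpt: user:pw:uid:primary-gid:gecos:home:shell
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
erik:x:1000:100:Erik:/home/erik:/bin/bash
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/sbin/nologin
"""
# Constructed /etc/group excerpt: group:pw:gid:comma-separated members
GROUP_SAMPLE = """\
root:x:0:
users:x:100:
www:x:8:
wwwrun:x:461:
"""


def parse_passwd(text):
    """name -> (uid, primary gid): fields 3 and 4 of each passwd line."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, *_rest = line.split(":")
        users[name] = (int(uid), int(gid))
    return users


def parse_group(text):
    """name -> (gid, set of users listed as supplementary members)."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def id_of(user, users, groups):
    """What `id USER` reports: (uid, primary gid, set of all gids held).

    The primary gid comes from the passwd entry; every group whose member
    list names the user contributes a supplementary gid.
    """
    uid, gid = users[user]
    all_gids = {gid}
    for _name, (g, members) in groups.items():
        if user in members:
            all_gids.add(g)
    return uid, gid, all_gids


def can_write(uid, gids, owner_uid, file_gid, mode):
    """Classic DAC rule: exactly one class of bits is consulted.

    Owner bits if the uid matches, else group bits if the file's gid is
    among the process's gids, else 'other' bits. The bits of a class that
    does not apply are never combined with another class, which is why a
    file with group write for a group the process lacks stays unwritable.
    uid 0 bypasses the check (CAP_DAC_OVERRIDE on Linux).
    """
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def user_can_write(user, file_owner, file_group, mode=0o664,
                   users=None, groups=None):
    """Can USER write a file owned by file_owner:file_group with this mode?"""
    users = users or parse_passwd(PASSWD_SAMPLE)
    groups = groups or parse_group(GROUP_SAMPLE)
    uid, _gid, gids = id_of(user, users, groups)
    owner_uid = users[file_owner][0]
    file_gid = groups[file_group][0]
    return can_write(uid, gids, owner_uid, file_gid, mode)


if __name__ == "__main__":
    for owner, group in (("erik", "wwwrun"), ("erik", "www"), ("wwwrun", "wwwrun")):
        print(f"-rw-rw-r-- {owner}:{group}  wwwrun can write:",
              user_can_write("wwwrun", owner, group))
```

In the constructed database wwwrun's only gid is 8 (www), so a 664 file owned by erik:wwwrun falls through to the "other" bits and is not writable, erik:www grants write through the group bits, and wwwrun:wwwrun grants it through the owner bits; adding erik to the member list of group www in /etc/group would likewise give erik group write on files owned by wwwrun:www.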
I went away for a week; coming back… I try to understand this issue again, which in fact is not an actual issue, since replacing group "wwwrun" with "www" works well. I would just like to understand, and the same question remains: why does it work with www and not with wwwrun, since user wwwrun belongs to group wwwrun?
erik@trano:~> id wwwrun
uid=473(wwwrun) gid=461(wwwrun) groupes=462(www),461(wwwrun)
These permissions are OK:
erik@trano:/srv/www/vhosts/acmpsmorg.local/compta/logs> ls -l
total 40
-rw-rw-r-- 1 erik www 11143 7 sept. 20:53 erplog.json
-rw-rw-r-- 1 erik www 17331 9 oct. 10:04 errorlog
-rw-rw-r-- 1 erik www 301 7 sept. 20:53 productlog.json
-rw-rw-r-- 1 erik www 2 7 sept. 20:53 reversinglog.json
-rw-rw-r-- 1 erik www 0 7 sept. 20:53 userlog.json
But with the following ones, Apache daemon can’t open logs for writing:
erik@trano:/srv/www/vhosts/acmpsmorg.local/compta/logs> ls -l
total 40
-rw-rw-r-- 1 erik wwwrun 11143 7 sept. 20:53 erplog.json
-rw-rw-r-- 1 erik wwwrun 17331 9 oct. 10:04 errorlog
-rw-rw-r-- 1 erik wwwrun 301 7 sept. 20:53 productlog.json
-rw-rw-r-- 1 erik wwwrun 2 7 sept. 20:53 reversinglog.json
-rw-rw-r-- 1 erik wwwrun 0 7 sept. 20:53 userlog.json
(And of course owner wwwrun + group wwwrun is working too).
Maybe I missed something in your explanations. Should it be the case, I would be grateful to you if you could explain it to me again…
How do you expect anyone to answer this without knowing actual credentials of process that fails to access these files?
These permissions are OK:
But with the following ones, Apache daemon can’t open logs for writing
You show files with different groups but with identical sizes and modification times. You do not show any actual error message which could give some hints and you do not show any proof that these files can be accessed with either file owner group.
Show the actual logs which demonstrate the problem for the case that works and for the case that does not. Show the actual credentials of the process that failed to access these files:
Hi, thanks for pointing out this lack of information. The files I showed were modified within a few seconds just for the purpose of checking. And I do not understand why I have to verify wwwrun credentials, since they allow it to write to the logs when it is declared as owner. I know it doesn't work (when only the wwwrun group is attached to the log files) from the error message that is sent by the PHP file as coded in a try-catch block. I am wondering why you do not request me to use your command??? You'll have probably noticed that my skills are limited. I'll try to proceed a bit further after a good night :).
I have no idea what "wwwrun credentials" is supposed to mean. I said to verify the credentials of the process that fails to access the files, and in the follow-up post I demonstrated that this process (the Apache server) only has group "www" and does not have group "wwwrun", either as primary or as one of its supplementary groups. Which explains why it fails to access files owned by group "wwwrun".
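The distinction the last two posts turn on is between the user database (`id wwwrun` reads /etc/passwd and /etc/group) and the credentials the running Apache process actually carries, which the kernel consults on every open. The following added example, not part of this thread, reads those credentials the way `cat /proc/PID/status` shows them. The status excerpt is constructed and its numbers are assumptions; on a real system you would pass a worker's pid to `read_status` instead.

```python
"""Check a running process's credentials against a file's group.

Added example, not from the thread. STATUS_SAMPLE is a constructed
excerpt of /proc/PID/status for an httpd worker; the ids are assumptions.
"""
import os

# The Uid and Gid lines hold real, effective, saved-set and filesystem ids.
# The Groups line holds the supplementary gids, fixed when the daemon was
# started (they are loaded from /etc/group at that moment, not re-read).
STATUS_SAMPLE = """\
Name:\thttpd-prefork
State:\tS (sleeping)
Uid:\t30\t30\t30\t30
Gid:\t8\t8\t8\t8
Groups:\t8 
"""


def read_status(pid):
    """Read /proc/PID/status of a live process (Linux only)."""
    with open(f"/proc/{pid}/status", encoding="utf-8") as fh:
        return fh.read()


def process_creds(status_text):
    """Return (effective uid, effective gid, set of supplementary gids).

    Linux actually checks the filesystem ids (fourth column) on file access;
    they equal the effective ids unless the process changed them with
    setfsuid/setfsgid, so the second column is what matters in practice.
    """
    euid = egid = None
    groups = set()
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        fields = value.split()
        if key == "Uid":
            euid = int(fields[1])
        elif key == "Gid":
            egid = int(fields[1])
        elif key == "Groups":
            groups = {int(g) for g in fields}
    if euid is None or egid is None:
        raise ValueError("Uid/Gid lines missing from status text")
    return euid, egid, groups


def process_holds_group(status_text, gid):
    """True if the file group `gid` is the process's effective gid or one of
    its supplementary gids; only then do the group permission bits apply."""
    _euid, egid, groups = process_creds(status_text)
    return gid == egid or gid in groups


def explain(status_text, path_gid, path_label):
    """Human-readable verdict for one file group, for a quick CLI check."""
    euid, egid, groups = process_creds(status_text)
    held = sorted(groups | {egid})
    verdict = "applies" if process_holds_group(status_text, path_gid) else "does NOT apply"
    return (f"process euid={euid} egid={egid} groups={held}; "
            f"group bits of {path_label} (gid {path_gid}) {verdict}")


if __name__ == "__main__":
    # Constructed gids for the two group names discussed in the thread.
    print(explain(STATUS_SAMPLE, 461, "errorlog owned by erik:wwwrun"))
    print(explain(STATUS_SAMPLE, 8, "errorlog owned by erik:www"))
    # Real-system use: the gid of an actual file and an actual worker pid.
    if os.path.isdir("/proc/self"):
        print(explain(read_status(os.getpid()), os.stat(".").st_gid,
                      "current directory (this process)"))
```

Two practical consequences follow from where these values come from: membership added to /etc/group only reaches a daemon after it is restarted, because the supplementary list is set when the process starts; and `id wwwrun` tells you what a fresh login would get, not what the worker that produced the error message is running with, which is why the request was for the credentials of the failing process rather than for the user database.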