When developing in a team environment, file permissions quickly become a complex issue. It gets worse when using several frameworks, each with its own permission requirements, and deploying them on different platforms. Apache on Ubuntu normally runs with user and group "www-data". On Fedora/CentOS, it runs under user and group "apache". A problem arises when using SVN or FTP to manage a web server: some users require access to specific folders, while Apache must stay secure.
- The bad approach is to set all permissions to 777, which means that everyone can do everything; it is really nothing more than saying "I give up" on permissions.
- A better solution is to assign a group called "ftpusers" or "svnusers" and change the group rights by issuing something like "chmod -R g+rwx ". That still leaves the problem that any file created by Apache, such as caches and uploads, cannot be modified by these users unless you also change Apache's default umask. You can also tweak the FTP daemon to upload everything as user "apache" or "www-data", and change its default umask. No matter what you try, you normally still have to give sudo rights to the svnusers group.
However, I find these too complex and too error-prone to be efficient and secure in a production environment, and I like to reserve sudo for the configuration of the server.
Access Control Lists
Access Control Lists (ACLs), which are not installed by default on Linux, actually come with Windows NT and above, and Mac OS X since Tiger (10.4) and above. The ACL system allows you to set permissions for multiple users and groups at the file level, and gives you enough granularity to build a house of cards, so use them wisely. With them, you can manage your FTP, SFTP, and SVN users more effectively. Here are the commands to use (all commands starting with "#" require sudo rights, those starting with "$" only user rights).
ACL Installation and Testing
- Install ACLs with your favourite package manager (here Ubuntu/Debian):
# apt-get install acl
- Find your root filesystem, the one which is mounted on "/" (here /dev/sda1):
$ df
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/sda1             78441416  37512344  36944544  51% /
tmpfs                  1048684         0   1048684   0% /lib/init/rw
varrun                 1048684        48   1048636   1% /var/run
varlock                1048684         0   1048684   0% /var/lock
udev                   1048684      2740   1045944   1% /dev
tmpfs                  1048684         0   1048684   0% /dev/shm
- Remount the root partition:
# mount -o remount,acl /dev/sda1
- Test it:
$ getfacl /
getfacl: Removing leading '/' from absolute path names
# file: .
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
The command reads as "get the file access control list for root". As you can see, the standard UNIX permissions show through as ACL entries. If you get "command not found", the package did not install properly. If you get "operation not supported", the filesystem was not remounted with the acl option.
Modify /etc/fstab to activate the ACLs on reboot.
- Find your web partition and insert "acl" followed by a comma in front of the existing mount options (often "defaults"; here "relatime"). For example, the root partition line:
UUID= / ext3 relatime,errors=remount-ro 0 1
Becomes:
UUID= / ext3 acl,relatime,errors=remount-ro 0 1
- Ultimately, you should test that the ACLs survive a reboot before going any further.
- To give all users of group "svnusers" access to your web root, you would issue something like this:
# setfacl -R -m g:svnusers:rwx /var/www
The command reads as "set the file access control list, recursively through all subfolders, modifying the entry for group svnusers to add read, write and execute privileges, starting at the web root folder".
- To ensure that newly created files inherit the proper rights, you also need to set the default rights, by using the same command again with a "d:" prefix:
# setfacl -R -m d:g:svnusers:rwx /var/www
- Test ACLs:
$ ls -al /var/www
total 80
drwxr-xr-x+  6 www-data replicator  4096 2010-11-24 17:09 .
drwxr-xr-x  16 root     root        4096 2009-10-06 12:55 ..
-rw-r--r--+  1 www-data root       52130 2009-10-06 11:18 index.html
The "+" sign at the end of the permission list indicates that ACLs are present for that file or folder, which you can display:
$ getfacl /var/www
# file: var/www
# owner: www-data
# group: www-data
user::rw-
group::r--
group:svnusers:rwx
mask::rwx
other::r--
- Remove ACLs:
# setfacl -R -b /var/www
Which reads "set the file access control list, recursively through all subfolders, removing all extended entries (blank), starting at the web root folder".
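An added check script, not part of the original post, that parses getfacl output in the format shown above and reports what a group really gets. It matters because the mask, not the group entry, is what a later chmod on the directory rewrites: an entry still reading "group:svnusers:rwx" can be effectively "r-x" once the mask shrinks, and a missing default entry means new uploads will not inherit the rights. The SAMPLE text and the function names are constructed for this example.

```python
import re

# One getfacl entry, e.g. "group:svnusers:rwx" or "default:group:svnusers:rwx".
ENTRY_RE = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([rwx-]{3})$")

# Constructed sample: /var/www as shown above, after both setfacl commands.
SAMPLE = """\
# file: var/www
# owner: www-data
# group: www-data
user::rw-
group::r--
group:svnusers:rwx
mask::rwx
other::r--
default:group::r--
default:group:svnusers:rwx
default:mask::rwx
"""

def parse_acl(text):
    """Return (is_default, tag, qualifier, perms) tuples from getfacl output."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "getfacl:")):
            continue  # header comments and the "Removing leading '/'" notice
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACL line: {line!r}")
        entries.append((m.group(1) is not None, m.group(2), m.group(3), m.group(4)))
    return entries

def effective(perms, mask):
    """Rights a named group really gets: a bit counts only if the mask has it too."""
    return "".join(p if m != "-" else "-" for p, m in zip(perms, mask))

def audit(text, group):
    """What `group` gets on this path, and whether new files will inherit it."""
    entries = parse_acl(text)
    access = [e for e in entries if not e[0]]
    defaults = [e for e in entries if e[0]]
    mask = next((p for _, t, _, p in access if t == "mask"), "rwx")  # no mask: nothing masked
    granted = next((p for _, t, q, p in access if t == "group" and q == group), None)
    return {
        "granted": granted,
        "effective": effective(granted, mask) if granted else None,
        "has_default": any(t == "group" and q == group for _, t, q, _ in defaults),
        "world_writable": any(t == "other" and "w" in p for _, t, _, p in access),
    }
```

Feed it the output of "getfacl /var/www" and compare "granted" with "effective"; a difference means the mask was narrowed after the setfacl run.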
ACL and UNIX Utilities
ACLs are not preserved by commands such as cp, mc, tar, or svn because ACLs can only be set under sudo rights. This ensures nothing gets ported from one system to another! However, if you still need to preserve them in a particular case, you can use the "star" utility in place of "tar":
# apt-get install star
By using ACLs, you can greatly simplify the management of web servers by completely segregating the needs of the various users of a system from the needs of Apache.