Vhosts: Filesystem Permissions

This document explains the filesystem permissions on CAE's general purpose vhost system.

The Simple Way

If you're having file permission issues with your vhost, the easiest way to fix them is to log in to the vhost control panel at https://my.cae.wisc.edu/tools/account/vhosts/ and use the Change Permissions button to reset them to sane defaults. This process ensures that they remain sane through nearly all circumstances, so you should only need to do this once. In most scenarios you do not need to check the "Allow the webserver to write to files." checkbox, and your site will be safer if you do not.

The Detailed Way

Background

In our system each vhost has an editing group that is given write access to the files in a vhost container.

Each vhost also has a web user that runs the apache process that serves those files. In order for the web user to serve those files, it must be able to read them.

In the past, since all sites shared the same web user (e.g. httpd) and the system didn't support extended filesystem access control lists, this meant making your vhost files world readable. When the web user also needed to write to those files, this meant making your vhost files world writable (or very nearly).

In the new system, since each vhost runs as a different user and the underlying filesystem supports extended access control lists, we can be more restrictive and thus provide better security.

Assuming your vhost's editing group is sveg, then the web user that serves your site's files is web-sveg.

Basic Access Modes and ACLs

Reading and understanding basic access modes and ACLs

For generic read access by the web user, the following access rights are necessary and sufficient to allow:
a) your editing group to read and write files and list directories
b) your site's web user to read files and list directories

  • Files need the following rights:
    $ ls -l /home/vhosts/somevhost.cae.wisc.edu/html/index.php
    
    -rw-rw----+ 1 bpktest sveg 269 Aug 11  2009 /home/vhosts/somevhost.cae.wisc.edu/html/index.php
    
    $ getfacl /home/vhosts/somevhost.cae.wisc.edu/html/index.php 
    
    # file: home/vhosts/somevhost.cae.wisc.edu/html/index.php
    # owner: bpktest
    # group: sveg
    user::rw-
    user:web-sveg:r--
    group::rw-
    group:sveg:rw-
    mask::rw-
    other::---
    

    NOTE: There are two command outputs shown here.

    The first is a simple long directory listing of a given file. In the first column of the output you can see that the file is (a) readable and writable (rw-) by the file owner and the vhost editing group, which are listed in the third and fourth columns respectively. The + at the end of the first column also indicates that the file has extra ACLs (access control lists).

    In the second command's output we can see those ACLs, which include a special (b) read-only (r--) access control entry for the web user of the vhost, web-sveg. One can also see that the other (i.e. world or anonymous) user has no access.

  • Directories need the following rights:
    $ ls -ld /home/vhosts/somevhost.cae.wisc.edu/html
    
    drwxrws---+ 14 bpktest sveg 4096 Jan 18 13:19 /home/vhosts/somevhost.cae.wisc.edu/html/
    
    $ getfacl /home/vhosts/somevhost.cae.wisc.edu/html
    
    # file: home/vhosts/somevhost.cae.wisc.edu/html
    # owner: bpktest
    # group: sveg
    # flags: -s-
    user::rwx
    user:web-sveg:r-x
    group::rwx
    group:sveg:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:user:web-sveg:r-x
    default:group::rwx
    default:group:sveg:rwx
    default:mask::rwx
    default:other::---
    

    NOTE: There are two command outputs shown here.

    The first is a simple long directory listing of a given directory. In the first column of the output you can see that the directory is (a) readable and writable (rw) and listable (x) by the owner and the vhost editing group, which are listed in the third and fourth columns respectively. Additionally, the group field has an s (the setgid bit, often loosely called sticky) to indicate that new files created in the directory will receive the same group ownership as the directory. The + at the end of the first column also indicates that the directory has extra ACLs (access control lists).

    In the second command's output we can see those ACLs, which include a special (b) read and list (r-x) access control entry for the web user of the vhost, web-sveg. Additionally, we see default entries that determine what ACLs new files created in the directory will receive. This helps ensure that your site will in general continue to operate as expected, regardless of how you manage your files. One can also see that the other (i.e. world or anonymous) user has no access.

For more details on Unix Modes and ACLs please see the following links:
http://en.wikipedia.org/wiki/Modes_(Unix)
http://en.wikipedia.org/wiki/Chmod
http://linux.die.net/man/1/getfacl
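The two getfacl listings above can be checked mechanically rather than read by eye. The script below is an added example, not part of the CAE document or its control panel: it parses getfacl output and reports any entry that departs from the state described above (world access, write access for the web user, an editing group without write, or a mask that removes read). The names web-sveg, sveg and the two constructed getfacl outputs are taken from or modelled on the document's examples; audit_vhost is an assumed wrapper for running the same check over a real tree.

```shell
#!/bin/sh
# Added example (not part of the CAE document): audit getfacl output against
# the policy the document describes. Assumed names: editing group "sveg",
# web user "web-sveg", vhost root /home/vhosts/somevhost.cae.wisc.edu.

# acl_findings WEB_USER EDIT_GROUP   (reads getfacl output on stdin)
# Prints one line per policy violation; returns 1 if any were found,
# 0 if every entry matches the expected state:
#   - other:: must be --- (no world access)
#   - the web user must not have w (read-only unless deliberately granted)
#   - the editing group must keep w
#   - the mask must keep r, or named entries lose their effective read
acl_findings() {
    awk -v web="$1" -v grp="$2" '
        /^# file: / { file = substr($0, 9); next }   # path printed by getfacl
        /^#/ || /^$/ { next }                         # other header and blank lines
        {
            line = $0
            sub(/[ \t]*#effective:.*/, "", line)      # drop "#effective:" annotations
            scope = ""
            if (line ~ /^default:/) { scope = "default "; sub(/^default:/, "", line) }
            split(line, f, ":")                        # f[1]=tag f[2]=qualifier f[3]=perms
            if (f[1] == "other" && f[3] != "---") {
                print file ": " scope "world has " f[3]; found = 1
            }
            if (f[1] == "user" && f[2] == web && f[3] ~ /w/) {
                print file ": " scope "web user " web " can write (" f[3] ")"; found = 1
            }
            if (f[1] == "group" && f[2] == grp && f[3] !~ /w/) {
                print file ": " scope "editing group " grp " cannot write (" f[3] ")"; found = 1
            }
            if (f[1] == "mask" && f[3] !~ /r/) {
                print file ": " scope "mask " f[3] " removes read from named entries"; found = 1
            }
        }
        END { exit found }'
}

# audit_vhost ROOT WEB_USER EDIT_GROUP: run the same check over a real tree
# (-p keeps absolute paths in the "# file:" headers).
audit_vhost() {
    getfacl -R -p "$1" 2>/dev/null | acl_findings "$2" "$3"
}

# Constructed getfacl output matching the document's expected state.
GOOD_ACL='# file: /home/vhosts/somevhost.cae.wisc.edu/html/index.php
# owner: bpktest
# group: sveg
user::rw-
user:web-sveg:r--
group::rw-
group:sveg:rw-
mask::rw-
other::---'

# Constructed output for a file that has drifted: world-readable and
# writable by the web user.
BAD_ACL='# file: /home/vhosts/somevhost.cae.wisc.edu/html/config.php
# owner: bpktest
# group: sveg
user::rw-
user:web-sveg:rw-
group::rw-
group:sveg:rw-
mask::rw-
other::r--'

if printf '%s\n' "$GOOD_ACL" | acl_findings web-sveg sveg; then
    echo "index.php: matches policy"
fi
printf '%s\n' "$BAD_ACL" | acl_findings web-sveg sveg || echo "config.php: review needed"
```

Default entries are reported with a "default" prefix, so a directory whose inherited ACL would hand the web user write access shows up even when its current entries are clean. On a real vhost, `audit_vhost /home/vhosts/somevhost.cae.wisc.edu web-sveg sveg` prints only the paths that need attention.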

Resetting Basic Access Modes and ACLs

Should you need to reset these rights on your vhost, the easiest way is to use the tools at https://my.cae.wisc.edu. However, the following set of commands should also do the trick. Be sure to look for errors in the output of these commands, as they will likely indicate files or directories that you have lost access to. In that case you may need to contact helpdesk@cae.wisc.edu for assistance.

  1. Make sure your editing group owns all the files and directories in the site and that members of that group can edit those files:
    # chgrp -R sveg /home/vhosts/somevhost.cae.wisc.edu
    # chmod -R g+rw /home/vhosts/somevhost.cae.wisc.edu
    
  2. Reset all the extra ACLs on your site's files:
    # setfacl -b -k -R /home/vhosts/somevhost.cae.wisc.edu
    
  3. Apply the correct ACLs and default ACLs on your site's files:
    # setfacl -R -m g:sveg:rwX /home/vhosts/somevhost.cae.wisc.edu
    # setfacl -R -d -m g:sveg:rwX /home/vhosts/somevhost.cae.wisc.edu
    
    # setfacl -R -m u:web-sveg:rX /home/vhosts/somevhost.cae.wisc.edu
    # setfacl -R -d -m u:web-sveg:rX /home/vhosts/somevhost.cae.wisc.edu
    
  4. Apply correct modes on files in your site:
    # find /home/vhosts/somevhost.cae.wisc.edu -type f -exec chmod -c 0660 {} \;
    
  5. Apply correct modes on the directories in your site:
    # find /home/vhosts/somevhost.cae.wisc.edu -type d -exec chmod -c 2770 {} \;
    
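The five steps above collected into one shell function, as an added example; this is not the control panel's tooling nor code from the CAE document. It assumes the document's naming (editing group GROUP, web user web-GROUP, tree under /home/vhosts/), adds a DRY_RUN mode that prints the commands instead of running them, and counts failed commands rather than stopping at the first one, so that every path you have lost access to is reported as the text advises.

```shell
#!/bin/sh
# Added example (not the CAE panel's own tooling): steps 1-5 as one function
# with failure counting and a dry-run mode. Assumed naming follows the
# document: editing group GROUP, web user web-GROUP, tree under /home/vhosts/.
# Set DRY_RUN=1 to print the commands instead of executing them.

failures=0

# run CMD...: execute (or echo) one command; on failure, report it and keep
# going so every inaccessible path surfaces in a single pass.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    elif ! "$@"; then
        echo "FAILED: $*" >&2
        failures=$((failures + 1))
    fi
}

# reset_vhost_perms ROOT GROUP [WEB_USER]
# Returns 0 if every step succeeded, 1 if any command failed, 2 on bad input.
reset_vhost_perms() {
    root=$1
    group=$2
    web_user=${3:-web-$group}
    failures=0
    if [ -z "$root" ] || [ -z "$group" ] || [ ! -d "$root" ]; then
        echo "usage: reset_vhost_perms /home/vhosts/<vhost> <editing-group> [web-user]" >&2
        return 2
    fi
    # 1. editing group owns everything and can read and write
    run chgrp -R "$group" "$root"
    run chmod -R g+rw "$root"
    # 2. clear all existing ACL and default ACL entries
    run setfacl -b -k -R "$root"
    # 3. editing group rw (X: x only on directories), web user read-only,
    #    plus default entries so new files inherit the same policy
    run setfacl -R -m "g:$group:rwX" "$root"
    run setfacl -R -d -m "g:$group:rwX" "$root"
    run setfacl -R -m "u:$web_user:rX" "$root"
    run setfacl -R -d -m "u:$web_user:rX" "$root"
    # 4. and 5. basic modes: files 0660, directories 2770 (setgid keeps the group)
    run find "$root" -type f -exec chmod -c 0660 {} +
    run find "$root" -type d -exec chmod -c 2770 {} +
    [ "$failures" -eq 0 ]
}

# When run as a script: reset_perms.sh ROOT GROUP [WEB_USER]
if [ $# -ge 2 ]; then
    reset_vhost_perms "$@"
fi
```

Run it first with `DRY_RUN=1 reset_vhost_perms /home/vhosts/somevhost.cae.wisc.edu sveg` to see exactly what will be executed; the web user is derived as web-sveg unless a third argument overrides it. The chmod steps come last because chmod on an ACL-bearing file rewrites the mask entry, and the 0660 / 2770 modes leave a mask of rw- / rwx that keeps the web user's read entry effective.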

For more details on these commands please see the following links:
http://linux.die.net/man/1/chmod
http://linux.die.net/man/1/chgrp
http://linux.die.net/man/1/setfacl

Granting write access to the web user to some files or directories

While the tools at the vhost control panel mentioned above will allow you to grant the web user of your vhost write access to all your vhost's files, it is usually more desirable to limit its ability to write to a select few files and/or directories.

Assuming you've first followed the resetting permissions steps given above, granting write access to files/directories can be done as follows:

  • To grant the web user access to write to a single file:
    # setfacl -m u:web-sveg:rw /home/vhosts/somevhost.cae.wisc.edu/html/somefile.html
    
  • To grant the web user access to write to some directory, including all subdirectories, and files created in the future in that tree:
    # setfacl -R -m u:web-sveg:rwX /home/vhosts/somevhost.cae.wisc.edu/html/somedirectory
    # setfacl -R -d -m u:web-sveg:rwX /home/vhosts/somevhost.cae.wisc.edu/html/somedirectory
    



Keywords: vhost vhosts file filesystem fs permissions perms ace acl facl getfacl setfacl chmod chown chgrp editing group wordpress drupal
Doc ID: 23170
Owner: Brian K.
Group: Computer-Aided Engineering
Created: 2012-03-14 13:23 CDT
Updated: 2016-07-05 14:11 CDT
Sites: Computer-Aided Engineering