I'm currently in the process of switching from an Ubuntu 18.04 VirtualBox to the WSL.
Everything is up and running to have a complete web dev environment.
Unfortunately, file permissions and ownership are kind of a problem for me right now.
--- Disclaimer ---
I know that in a server environment this would be pretty bad and wouldn't be done.
This is just for my local development process and this requirement will stay there.
What I want to achieve is, to have a consistent set of permissions and ownerships within my /var/www (and all below).
Every element within /var/www should be owned by my shell user, regardless if file or dir.
Every element should have the group www-data so that the webserver user has access.
Each file should have permission 0664 and each directory 0775.
Every new element should follow these requirements.
What I researched so far:
If I make a new directory/file from the shell or within VSCode, my user and group are used.
If I make a new directory from the windows explorer, the ownership is root:root. Nevertheless, I also have to figure out how to set default permissions for new objects.
I just want an easy to use way to CRUD my files from anywhere I am on my system.
Is there anyone with an idea for this?
Thanks a lot, Danaq.
Edit: It would also be OK to set everything to www-data:www-data and add my shell user to the www-data group, if the permissions are applied like explained above.
According to this, newer versions of the Remote-WSL server, when they get started will execute (if present):
~/.vscode-server/server-env-setup
~/.vscode-server-insiders/server-env-setup
(more on that)
So a solution is to execute:
# this will affect folders created from the editor
mkdir -p ~/.vscode-server/ && echo "umask 002" >> ~/.vscode-server/server-env-setup
mkdir -p ~/.vscode-server-insiders/ && echo "umask 002" >> ~/.vscode-server-insiders/server-env-setup
# this will affect folders created from terminals
echo "umask 002" >> ~/.bashrc
For everyone encountering the same issue and find this question:
Under ~[USER]/.profile I uncommented the umask property and set it to 002.
This will, according to this guide, set all newly created files to 0664 and all new directories to 0775.
I then added the www-data-user to the group of my shell-user with
sudo usermod -a -G [GROUP] www-data
So now, every file I'm creating is owned by and within the group of my shell user. But it can be read by the www-data user too. This should mean I no longer always have to use
find ./ -type d -exec chmod 775 {} \;
to set the right permissions on all directories of a web project, after a migration for example.
This solution only helps if the files and directories are created from the WSL bash. If you are using the explorer or trying to create a file from the VSCode terminal, the default umask of 022 will still be applied.
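Added example, not code from the question or either answer above: a small POSIX shell script that shows which modes a given umask produces for new files and directories, and audits or repairs a tree against the 0664/0775 requirement from the question. It assumes GNU coreutils and findutils (stat -c, find -printf); the function names are invented here.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumes GNU coreutils
# and findutils (stat -c, find -printf); function names are invented here.

# modes_under_umask UMASK -> prints "<file mode> <dir mode>" for objects
# created while UMASK is in effect, e.g. "644 755" for 022, "664 775" for 002.
modes_under_umask() {
    scratch=$(mktemp -d)
    (
        umask "$1"                 # only this subshell is affected
        touch "$scratch/file"
        mkdir "$scratch/dir"
    )
    printf '%s %s\n' "$(stat -c '%a' "$scratch/file")" \
                     "$(stat -c '%a' "$scratch/dir")"
    rm -rf "$scratch"
}

# audit_tree DIR -> lists every entry that is not 664 (file) / 775 (dir);
# returns 0 when the whole tree already matches, 1 otherwise.
audit_tree() {
    offenders=$(find "$1" -type f ! -perm 664 -printf 'file %m %p\n';
                find "$1" -type d ! -perm 775 -printf 'dir  %m %p\n')
    [ -z "$offenders" ] && return 0
    printf '%s\n' "$offenders"
    return 1
}

# fix_tree DIR -> the find/chmod passes the thread mentions, applied to
# directories and files respectively (ownership is left alone here).
fix_tree() {
    find "$1" -type d -exec chmod 775 {} +
    find "$1" -type f -exec chmod 664 {} +
}

# Stand-alone use: ./umask_check.sh DIR  prints the umask effect, then audits DIR.
if [ "${1:-}" != "" ]; then
    printf 'umask 022 gives: %s\n' "$(modes_under_umask 022)"
    printf 'umask 002 gives: %s\n' "$(modes_under_umask 002)"
    audit_tree "$1"
fi
```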
I have a working CentOS/Plesk (18.0.40 Update #1) environment running Plesk Scheduled Tasks with no problems, and I have a new machine that should be a duplicate of that machine (Plesk 18.0.42 Update #1) that is failing to run the Plesk Scheduled Tasks (reporting "No such file or directory" on all the tasks that I have added).
Eliminating as many permissions factors as possible, I am testing a scriptless task running "whoami": it works on the original machine but shows a "-: whoami: command not found" error message on the new one.
Note, I am also declaring tasks at the domain level - if I was to add a top level task (where it prompts you for the System user) then it can use root and therefore works - but I do not want these tasks to run under root.
Clicking "Run Now" gives the following:
Hiho.
The scheduled tasks, and also the shell access if it's enabled for your subscription, are mostly chrooted. So you have only a minimal set of commands which you can use here.
If you open your subscription via FTP Client you should see a bin folder in there. In the bin folder are all commands you are able to use in the chrooted shell.
Example on one of my subscriptions:
bash cat chmod cp curl du false grep groups gunzip gzip head id less ln ls
mkdir more mv pwd rm rmdir scp sh tail tar touch true unrar unzip vi wget
I would like to know the answers and explanation to the following questions:
Which user/group should own the cake files?
If different, which user/group should own the app/tmp folder? (and subfolders)
With the right user/group, what are the correct permissions for production of both folders and files? (which also if set correctly should work on development)
Where are uploaded files stored, and what ownership/permissions need to be set on that folder? Where should it be relative to app/?
I know 777 fixes errors, but I would like to set it up correctly.
I have heard 660 should be more than enough for production if everything is correctly set up.
Who needs to have read access, who needs to have write access and does anyone need execute?
NOTE: I think I have found the answers and since no one has written a good answer, I will write it. If you are more knowledgeable on the topic and see errors or security issues please let me know, I will correct them.
1) CakePHP ownership
The CakePHP files should be owned by you, the user of the machine (whatever you log in with). Do not have root as owner!
OSX: the johnsmith part of /Users/johnsmith
Linux: the johnsmith part of /home/johnsmith
2) app/tmp ownership.
As per CakePHP documentation:
...make sure the directory app/tmp and all its subdirectories in your
cake installation are writable by the web server user.
Option 1:
The user owner needs to be apache's user. The group owner can be the group that you belong to, so that you also have access to this folder through finder/CLI. Do not have root as owner!
OSX: Apache is preinstalled on OSX lately and the default user of apache is _www. However if you are not sure you can find it out by typing ps aux | grep httpd in a terminal while apache runs. The last line is the command you just typed, so look above it.
Now that you know your apache user, you have to assign it to app/tmp/. You do this with the following command: sudo chown -R _www app/tmp/
Linux: The default user on Linux is usually www-data with group www-data. If you are not sure, use ps aux | grep httpd to find out the user and sudo chown -R www-data app/tmp/ to assign ownership of that folder to apache.
Option 2:
You can keep yourself as the user owner, but you set up the group owner to be a group that apache belongs to. By default apache has its own group, but you could create a new group and add apache to it.
OSX: The group of apache on OSX by default is the same as the user: _www. You then have to run the following command to set up the ownership: sudo chown -R :_www app/tmp/. Now if you check the permissions with ls -l you should see both your username (johnsmith) and the new group owner - _www.
Linux: By default the group of apache is www-data so use the same commands to change ownership: sudo chown -R :www-data app/tmp/.
NOTE: Debian/Ubuntu use www-data, while CentOS uses apache.
3) Permissions
For the site to run, apache needs read and write without execute. For you to access it (assuming you are in the group that owns app/tmp) you also need read and write if you will edit manually things with terminal/finder. All other users should have no rights whatsoever. So:
OSX&Linux: sudo chmod -R 660 app/tmp/. The -R part is to do it recursively for all inside folders. The first 6 is for the user owner (OSX:_www or Linux:www-data), the second 6 is for the group owner (OSX:staff or Linux: johnsmith), the 0 is for all other users/guests.
NOTE: According to this pull request for CakePHP it looks like CakePHP 2.4 will have ability to create subfolders in app/tmp/ which means it will need a 7 instead of 6 for the user now becoming 760.
4) Uploads folder
If you want to upload files, you need a similar setup for the img/uploads folder, or wherever you upload. The ownership will be the same, but the permissions need to have execute rights for renaming purposes and folder creation. So the previous 660 should now be 760. Also, ideally, the uploads are outside the webroot/ directory, for which an absolute path is required.
For all files in app/tmp and subfolders you only need rw for the web server process and if needed to use the CLI, the console user.
If someone runs console commands with a user that has super rights or is in the wrong group it messes up things because what one creates can't be read or written from the other and then there are warning or failure messages. Some people (including me when I'm too lazy) fix that with 777 :)
I've been trying to make ssh connection using Cygwin, but it doesn't recognize my id_rsa public key file.
My command lines are as follows:
$ssh XXX#XXX -i /home/XXX/.ssh/id_rsa
Warning: Identity file /home/XXX/.ssh/id_rsa not accessible: No such file or directory.
Permission denied (publickey,XXX).
(Sorry, I used XXX for the private information.)
I copied my .pub file to the C:\cygwin\home\XXX\.ssh folder. But it still spits out the same error message.
Thank you so much in advance.
Background
Most Cygwin executables map the Unix path /home/XXX/.ssh/id_rsa to the Windows path C:\cygwin64\home\XXX\.ssh\id_rsa. Except that ssh.exe maps the same Unix path to the Windows path C:\home\XXX\.ssh\id_rsa.
That is if you do cat ~/.ssh/id_rsa, it will print out the contents of C:\cygwin64\home\XXX\.ssh\id_rsa, but if you do ssh XXX#XXX -i /home/XXX/.ssh/id_rsa it will try to read the key from C:\home\XXX\.ssh\id_rsa.
I assume this is a bug in Cygwin. In any event, this is a workaround that worked for me (on Windows 10 and the latest version of Cygwin as of October 2020).
Solution
Open Administrator command prompt. Go to C:\ and issue the command mklink /D home c:\cygwin64\home
That's it.
But for me at least, once I solved the above problem, I started getting the problem described in this Superuser question https://superuser.com/questions/1296024/windows-ssh-permissions-for-private-key-are-too-open. I used the solution from the most upvoted answer and ssh finally worked for me.
From your post it looks like SSH is looking for /home/XXX/.ssh/id_rsa and is not finding it. Ensure that the .pub file you copied is named correctly and has the right permissions.
Try putting the option before the hostname...
I have some web service + some shell scripts which I want to execute with cron.
The problem is with the tmp directory.
To make webservice work I had to run command sudo chown -R www-data:www-data app/tmp (www-data is group and user used by apache)
The problem is that then when I execute CakeShell with some user I get lots of errors telling that some files in app/tmp dir are not writable - this is because tmp dir is owned by www-data...
I can run those scripts with root user - then I don't get any errors...
When I run scripts with the root user, from time to time those scripts modify some files in app/tmp and then I get many errors on the webservice (website) that some files in app/tmp are not writable. It seems that running scripts sometimes modifies tmp files with the permissions of the user executing those scripts.
I want to execute those scripts from cron.
And my questions are:
What is the correct setup for the app/tmp dir (permissions, user, group etc.) and how can I set it up to get both the webservice and executing scripts from the shell working?
Is it possible to set up permissions to app/tmp dir to allow writing and reading it for all users and groups? Is it good idea?
If you do not use a shared webserver, you can use a permissive ownership:
chmod -R 777 app/tmp
If you own the server/VPS, it's not a security hole, since the more sensible user (www-data) already has access.
OR
You can run the crontab "in name of" www-data user, using the command su
I am working on a CakePHP 2 project. It originally started out in 2.0.x and then recently migrated to 2.1.0. Throughout the whole development process, I have been receiving the error message below.
It pops up at the top of the page unpredictably. It can be when I am just viewing different pages, or even after I add a record to the database (yet the record properly saves).
Warning:
SplFileInfo::openFile(/var/www/cake_prj/app/tmp/cache/persistent/cake_core_cake_console_):
failed to open stream:
Permission denied in
/var/www/cake_prj/lib/Cake/Cache/Engine/FileEngine.php on line 293
I recursively set the owner and group of the tmp folder to apache, and still received the message. In addition, I then recursively set the permissions to read, write, and execute for all (chmod 777). The error message still pops up.
Even after changing both the owner, group, and permissions, the file in question:
cake_prj/app/tmp/cache/persistent/cake_core_cake_console_
will have its owner and group set back to root, and its permissions set back to default.
What could be causing this problem? Is there a way to ensure that every time this file is generated, it will always be apache:apache with read/write/execute permissions?
You can resolve this by adding a mask to your config in core.php
Cache::config('default', array(
'engine' => 'File',
'mask' => 0666,
));
There was a bug report there http://cakephp.lighthouseapp.com/projects/42648/tickets/2172 but it was considered as not being a bug.
What I personally noticed is that some file owners may be modified when you use the cake script in the console (for instance to make a bake). The modified files then belong to the user you use in the console.
Would this mean you call cake while being root? Or do you have any root cron job that calls a Cake shell script?
Personally I now have the habit to chown the whole tmp folder content back to the apache user after having used the cake script and it seems to prevent the warning from appearing.
Instead of giving read/write access to everyone on the tmp/cache directory I did this:
chgrp -R www-data app/tmp
chmod -R g+rw app/tmp
find app/tmp -type d -exec chmod g+s {} \;
Setting the group of the directories to the Apache user and then setting the setgid bit will allow you to ensure that files created in that directory get the proper group permissions regardless of what user runs the shell script. This also allows you to exclude read/write permissions to "other" users.
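Added example, not code from the answer above: the three commands as one shell function, plus a check that every entry under app/tmp belongs to the web group, is group-readable/writable, and that every directory carries the setgid bit, so a file created later by a console user still inherits the group. It assumes Linux with GNU coreutils and findutils (stat -c, find -printf), and that GROUP is a group the caller is a member of; the function names are invented here.

```shell
#!/bin/sh
# Added example, not code from the original answer. Assumes GNU coreutils
# and findutils on Linux; GROUP must be a group the caller is a member of.

# share_tmp_with_group DIR GROUP: the answer's recipe as one function.
share_tmp_with_group() {
    chgrp -R "$2" "$1"                       # hand the tree to the web group
    chmod -R g+rw "$1"                       # group may read and write
    find "$1" -type d -exec chmod g+s {} +   # new entries inherit the group
}

# check_shared_tmp DIR GROUP -> 0 when every entry belongs to GROUP and is
# group-readable/writable and every directory carries the setgid bit;
# otherwise prints the offending paths and returns 1.
check_shared_tmp() {
    wrong=$(find "$1" ! -group "$2" -printf 'wrong group: %p\n';
            find "$1" ! -perm -060 -printf 'not g+rw:    %p\n';
            find "$1" -type d ! -perm -2000 -printf 'no setgid:   %p\n')
    [ -z "$wrong" ] && return 0
    printf '%s\n' "$wrong"
    return 1
}

# group_of PATH -> the owning group name, used to prove inheritance.
group_of() { stat -c '%G' "$1"; }

# Stand-alone use: ./share_tmp.sh app/tmp www-data
if [ $# -eq 2 ]; then
    share_tmp_with_group "$1" "$2" && check_shared_tmp "$1" "$2" \
        && echo "$1 is shared with group $2"
fi
```

Without the setgid bit a file written by root or by the console user keeps that user's primary group, which is exactly the state the question describes.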
I think the reason for the problem is already explained: as the cron runs under the root user, the files created in tmp are not accessible by the web user. The other solutions did not work for me and I did not want to set tmp permissions to 777, so I ended up setting a cron job for the web user; in Debian specifically it would be
crontab -u www-data -e
Taken from this answer How to specify in crontab by what user to run script?
If you're encountering the SplFileInfo error in CakePHP2 and you're absolutely certain that your file/directory permissions are set up properly, then one other thing to check is your PHP version. Cake2 requires PHP 5.2.8 or greater and although you'd usually be alerted on the default page if you were using the wrong version, you wouldn't be alerted if you'd developed your app on one server and then moved it to another.
I experienced this error after developing a Cake2 app on a PHP5.3 server and then moving it to a PHP 5.1 server. Upgrading to 5.2.17 (which is above 5.2.8) solved the problem.
Use this:
cd cakephp/app/tmp/cache/persistent
sudo chmod 666 myapp*
cd ..
cd models
sudo chmod 666 myapp*
You need to make the app/tmp directory writable by the webserver. Find out what user your webserver runs as (in my case _www) and change the ownership of the app/tmp directory to that user: $ chown -R _www app/tmp
Another solution. Permission conflicts occur because multiple users share the same files. Thus, if we split the cache directory into multiple subdirectories, no conflicts occur and no change to the default permissions of directories and files is required.
As follows, each cache subdirectory is defined by the type of PHP API handler:
define('CACHE', TMP . 'cache' . DS . php_sapi_name() . DS);
When browsing the website, the active user is apache, and the subdirectory is cache/apache2handler.
When running a batch, the active user is root or the logged-in user, and the subdirectory is cache/cli.
Alternatively, the current user account can be used to name the subdirectory. See
How to check what user php is running as?