Roby Sadeli wrote:
Hi there. I have been using FreeBSD for some time but my skill is getting really rusty. I install nginx via the ports collection and it works just fine. The data files (html) are located in /usr/local/www/ and the directory permission is as follows:

drwxrwxr-x  5 root  wheel  512 Dec 20 15:54 www

and I changed the user/group permission like this:

# chown -R www:www /usr/local/www
# chmod -R 775 /usr/local/www

My id is user and looks like this:

# id user
uid=1001(user) gid=1001(user) groups=1001(user),0(wheel),80(www)

I am trying to create a file in /usr/local/www and I can't. Is there something wrong I did here?
Well, yes. But not really anything to do with your principal aim of being able to edit your web content as a mortal user. You've opened up a bit of a security hole by your changes.

It's a common misconception that because the www directory is somehow the territory of the web server, the UID the web server runs as should own the files and directories under it. This is actually a pretty bad idea, because it means that anyone suborning your web server can then deface your web content. This sort of attack is generally through a cgi script or through PHP or other applications run with the credentials of your web server, but in principle it can apply to a web server daemon serving up nothing but static content if the daemon has buffer overflow or similar vulnerabilities. If the web server needs to handle uploaded files then this should be set up to go to a distinct writable area, preferably somewhere completely separate from /usr/local/www.

Or in other words, to achieve the aim you want, do this:

* Create a new group for people that are allowed to edit the web content to belong to. eg:

  # pw group add -n wwwdev

* Give that group ownership of the files under the web-root:

  # chown -R root:wwwdev /usr/local/www

* Make files and directories under the web-root group writeable, but not world writeable:

  # chmod -R g+w,o-w /usr/local/www

* Add your own UID as a member of the wwwdev group:

  # pw group mod -n wwwdev -m user

* Log out and log back in again to update the group membership in your active session. [Note: this doesn't happen automatically just by modifying /etc/groups -- you need to start a new session]

* Possibly adjust the umask setting in your shell initialization files to umask=002 -- this means by default files you create will be *group* writeable. Note: due to BSD filesystem semantics files will inherit the group ownership from the directory they are created in. On some other Unixoid OSes you would need to have the directories SGID to achieve the same effect.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
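An added worked example of the permission model Matthew describes (this is not code from either message; the sample tree, the paths and the function names are made up here). It builds a throwaway copy of a web root with one accidentally world-writable upload directory in it, applies the "group writable, not world writable" fix, and audits the result. It runs unprivileged, so the chown to root:wwwdev and the pw commands are shown in comments only; the setgid bit on directories is added because, as the message notes, non-BSD systems need it for new files to inherit the directory's group.

```shell
#!/bin/sh
# Added example, not the poster's own script. Constructed sample web
# root under $TMPDIR (default /tmp) standing in for /usr/local/www.

make_sample_webroot() {
    root="${TMPDIR:-/tmp}/webroot.$$"
    mkdir -p "$root/htdocs/img" "$root/htdocs/uploads" "$root/cgi-bin"
    printf '<h1>hi</h1>\n' > "$root/htdocs/index.html"
    printf 'GIF89a' > "$root/htdocs/img/logo.gif"
    printf '#!/bin/sh\necho ok\n' > "$root/cgi-bin/hello.sh"
    printf 'x' > "$root/htdocs/uploads/avatar.png"
    # Start from the original poster's state: 775 everywhere...
    chmod -R 775 "$root"
    # ...plus a typical mistake: an upload area opened to the world.
    chmod 777 "$root/htdocs/uploads"
    chmod 666 "$root/htdocs/uploads/avatar.png"
    printf '%s\n' "$root"
}

# Apply the fix from the reply: group can write, world cannot.
# Setgid on directories makes new files inherit the group on Linux;
# FreeBSD does this by default (assumption: portable behaviour wanted).
harden_webroot() {
    chmod -R g+w,o-w "$1"
    find "$1" -type d -exec chmod g+s {} +
    # As root, on the real host, you would also run:
    #   pw group add -n wwwdev
    #   chown -R root:wwwdev /usr/local/www
    #   pw group mod -n wwwdev -m user
}

# Audit: how many entries under the tree are writable by "other"?
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Audit: how many entries are owned by a given numeric uid (e.g. 80,
# the www user in the poster's id output)? Should be 0 for a web root
# the server only reads from.
count_owned_by_uid() {
    find "$1" -user "$2" | wc -l | tr -d ' '
}

# Octal mode of a path; GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Show the umask=002 effect: a new file comes out 664, not 644.
create_with_umask_002() {
    (umask 002; : > "$1")
    file_mode "$1"
}

# Usage when run directly: build, audit, harden, audit again.
root=$(make_sample_webroot)
echo "world-writable before: $(count_world_writable "$root")"
harden_webroot "$root"
echo "world-writable after:  $(count_world_writable "$root")"
echo "new file under umask 002: $(create_with_umask_002 "$root/htdocs/new.html")"
rm -rf "$root"
```

The two audits are the checks worth keeping around: `count_world_writable` should stay at 0 after the fix, and `count_owned_by_uid <webroot> 80` should stay at 0 as well, since the whole point of the reply is that the web server's uid owns nothing under the document root.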