Permissions

[sepoto]

I just installed Fedora (GUI version) on my laptop. I'm using gedit to save a file to /var/www/html and the system keeps telling me that I don't have permissions to save to that directory. Well that's really annoying! It's my system I own all of it! I added myself to the sudoers file I just copy pasted the entry for root and renamed root to joecamel which is my user name. That did not help! What can I do?

[dulotie]

Did you try changing the permission to the file?

[sepoto]

I ended up doing this:

chmod -r 777 var/

or was it?

chmod 777 -r var/

I can't remember. All I really wanted to do was to give user joecamel rwe access to var/ but I havn't figured out how to do that yet.

[jroa1]

You have to be careful changing permissions like that. I know most Windows users come to Linux thinking that they should have the right to do what ever they want to their computer, and do so with out being prompted for a password. This is one of the reasons that Linux is more secure than Windows and also the reason that they disabled the root login option in Fedora.

What you did with chmod is change all of the permissions for every file in the var directory. Now, anyone on your computer can read, write, and execute every file in that directory. If you want full access to your computer, then chmod -r 777 / will do that for you. But good luck with that and be prepared to post a new discussion in the future asking why your computer is all screwed up.

[sepoto]

Thanks. I was actually hoping someone would post an example of chmod showing me how to grant only the users joecamel and root rwe access to var/ and everyone else nothing. It's not that easy to figure out. I could be reading man pages for days if someone doesn't tell me how to do it.

[JEO]

You can use chown to take ownership of the files, for example:

su -
chown -R joecamel /var/www

then you can reset the permissions to the default using chmod. By default the owner has r/w access.

[SlowJet]

This is not the best way to do this type of file maintainence.
One needs to be aware of the role (or Job) they are performming and then put on the correct HAT(i.e. correct username, correct commands, correct methods)

/home/me/Documents/mywebappfiles

su -
<rootpassword>
cd /var/www/html
mkdir mywebappfiles
cd /home/me/Documents/mywebappfiles
cp -t /var/www/html/mywebappfiles *
cd /var/www/html/mywebappfiles
chown -R apache:apache /mywebappfiles
chmod -R 500 /mywebappfiles
chmod 700 mywebfilethatiswrttento.html

... etc

Now the web app files can only be used by apache user and group in the httpd server (and root of course.)

It's 99% planning and 4.5% methods and .5% commands.

SJ

p. S. read up on selinux setting for cp and mv.

[jpollard]

You did leave out all the labels that have to be set...

For those readonly files and directories:

chcon -R -t httpd_sys_content_t mywebappfiles

For those directories that apache will be writing to:

chcon -R -t httpd_sys_rw_content_t <directory>

And you have to tell SELinux to maintain those labels if the system ever
goes through a relabel:

semanage fcontext -a -t httpd_sys_content_t <mywebappfiles>
semanage fcontext -a -t httpd_sys_rw_content_t <directoryorfiles>

If you are going to put them in your home directory it is just simpler
to enable home directory support.

[SlowJet]

Yes, there may be selinux labeling needed but
chown -R apache:apache mywebappfiles
does this autmagically, I think, in /var/www/html/.
chcon -R -t httpd_sys_content_t mywebappfiles

"If you are going to put them in your home directory it is just simpler
to enable home directory support.

Yes, KISS, but KISS and Secure.
Multiple users means multiple paths from otuside.

And of course, the environment, is it development, testing, user acceptance, or production.

SJ

[jpollard]

You already have multiple paths from outside by changing the ownership
of the files and protection masks in the first place