How to correctly set acl for www-data files?












0














I have web files stored on my server. Currently only the root has a full access: 



drwxr-xr-x  6 root www-data  directory

-rw-r--r--  1 root www-data  file.php


The problem is that the developers wants to use their own account su - myuser to access and modify these files.



Unfortunately, the only solution I have found is to add these users to www-data group and make the php files writable by www-data which is ugly.



What alternative do I have?






linux file-permissions







share|improve this question






















  • Why are the developers modifying files on a production server? You should have at least a development server and maybe a staging server as well.
    – DavidPostill
    Jun 27 '18 at 8:47










  • This is rather a development server than a production server, but the files get their permissions from the Git repository.
    – nowox
    Jun 27 '18 at 8:48










  • The other solution (of a dev server) is to put the files in the same groups as developers, with read-access by the server. Unless the server needs write access to its own files but this is even more ugly...
    – xenoid
    Jun 27 '18 at 11:34
















0














I have web files stored on my server. Currently only the root has a full access: 



drwxr-xr-x  6 root www-data  directory

-rw-r--r--  1 root www-data  file.php


The problem is that the developers wants to use their own account su - myuser to access and modify these files.



Unfortunately, the only solution I have found is to add these users to www-data group and make the php files writable by www-data which is ugly.



What alternative do I have?






linux file-permissions







share|improve this question






















  • Why are the developers modifying files on a production server? You should have at least a development server and maybe a staging server as well.
    – DavidPostill
    Jun 27 '18 at 8:47










  • This is rather a development server than a production server, but the files get their permissions from the Git repository.
    – nowox
    Jun 27 '18 at 8:48










  • The other solution (of a dev server) is to put the files in the same groups as developers, with read-access by the server. Unless the server needs write access to its own files but this is even more ugly...
    – xenoid
    Jun 27 '18 at 11:34














0












0








0







I have web files stored on my server. Currently only the root has a full access: 



drwxr-xr-x  6 root www-data  directory

-rw-r--r--  1 root www-data  file.php


The problem is that the developers wants to use their own account su - myuser to access and modify these files.



Unfortunately, the only solution I have found is to add these users to www-data group and make the php files writable by www-data which is ugly.



What alternative do I have?






linux file-permissions







share|improve this question













I have web files stored on my server. Currently only the root has a full access: 



drwxr-xr-x  6 root www-data  directory

-rw-r--r--  1 root www-data  file.php


The problem is that the developers wants to use their own account su - myuser to access and modify these files.



Unfortunately, the only solution I have found is to add these users to www-data group and make the php files writable by www-data which is ugly.



What alternative do I have?






linux file-permissions




linux file-permissions






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Jun 27 '18 at 8:12









nowox

77111528




77111528












  • Why are the developers modifying files on a production server? You should have at least a development server and maybe a staging server as well.
    – DavidPostill
    Jun 27 '18 at 8:47










  • This is rather a development server than a production server, but the files get their permissions from the Git repository.
    – nowox
    Jun 27 '18 at 8:48










  • The other solution (of a dev server) is to put the files in the same groups as developers, with read-access by the server. Unless the server needs write access to its own files but this is even more ugly...
    – xenoid
    Jun 27 '18 at 11:34


















  • Why are the developers modifying files on a production server? You should have at least a development server and maybe a staging server as well.
    – DavidPostill
    Jun 27 '18 at 8:47










  • This is rather a development server than a production server, but the files get their permissions from the Git repository.
    – nowox
    Jun 27 '18 at 8:48










  • The other solution (of a dev server) is to put the files in the same groups as developers, with read-access by the server. Unless the server needs write access to its own files but this is even more ugly...
    – xenoid
    Jun 27 '18 at 11:34
















Why are the developers modifying files on a production server? You should have at least a development server and maybe a staging server as well.
– DavidPostill
Jun 27 '18 at 8:47




Why are the developers modifying files on a production server? You should have at least a development server and maybe a staging server as well.
– DavidPostill
Jun 27 '18 at 8:47












This is rather a development server than a production server, but the files get their permissions from the Git repository.
– nowox
Jun 27 '18 at 8:48




This is rather a development server than a production server, but the files get their permissions from the Git repository.
– nowox
Jun 27 '18 at 8:48












The other solution (of a dev server) is to put the files in the same groups as developers, with read-access by the server. Unless the server needs write access to its own files but this is even more ugly...
– xenoid
Jun 27 '18 at 11:34




The other solution (of a dev server) is to put the files in the same groups as developers, with read-access by the server. Unless the server needs write access to its own files but this is even more ugly...
– xenoid
Jun 27 '18 at 11:34










2 Answers
2






active

oldest

votes


















0














If your Linux server isn't too old, and you are on a standard filesystem for Linux, you can use access control lists to give permissions to other users.



For example, the following command will give read and write permissions to the myuser user on file: setfacl -m user:myuser:rw file



setfacl may need to be installed, depending on your distribution.






share|improve this answer





























    0














    I believe you need to use X and not x for the executable.



    Step 1: Create Backup



    First make a backup incase anything goes wrong someday:



    mkdir ~/storage-changes
    
sudo getfacl -R /var/www > ~/storage-changes/default_www_facl


    (Incase) To Restore



    sudo setfacl --restore=~/storage-changes/default_www_facl


    Apply ACL



    Next, apply to a group:



    # -R is recursive
    
# -m is modify
    
# -d applies to default ACL
    

    
sudo chgrp -R www-data /var/www
    
sudo setfacl -Rd g:www-data:rwX /var/www
    
sudo setfacl -Rdm g:www-data:rwX /var/www
    

    
ls -lta /var
    
sudo getfacl /var/www


    The + at the end of the file/dir listing only means it has additional ACLs.






    share|improve this answer





















      Your Answer








      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "3"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: true,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: 10,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });














      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1334570%2fhow-to-correctly-set-acl-for-www-data-files%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      2 Answers
      2






      active

      oldest

      votes








      2 Answers
      2






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      0














      If your Linux server isn't too old, and you are on a standard filesystem for Linux, you can use access control lists to give permissions to other users.



      For example, the following command will give read and write permissions to the myuser user on file: setfacl -m user:myuser:rw file



      setfacl may need to be installed, depending on your distribution.






      share|improve this answer


























        0














        If your Linux server isn't too old, and you are on a standard filesystem for Linux, you can use access control lists to give permissions to other users.



        For example, the following command will give read and write permissions to the myuser user on file: setfacl -m user:myuser:rw file



        setfacl may need to be installed, depending on your distribution.






        share|improve this answer
























          0












          0








          0






          If your Linux server isn't too old, and you are on a standard filesystem for Linux, you can use access control lists to give permissions to other users.



          For example, the following command will give read and write permissions to the myuser user on file: setfacl -m user:myuser:rw file



          setfacl may need to be installed, depending on your distribution.






          share|improve this answer












          If your Linux server isn't too old, and you are on a standard filesystem for Linux, you can use access control lists to give permissions to other users.



          For example, the following command will give read and write permissions to the myuser user on file: setfacl -m user:myuser:rw file



          setfacl may need to be installed, depending on your distribution.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Jun 27 '18 at 14:55









          user2313067

          2,0251911




          2,0251911

























              0














              I believe you need to use X and not x for the executable.



              Step 1: Create Backup



              First make a backup incase anything goes wrong someday:



              mkdir ~/storage-changes
              
sudo getfacl -R /var/www > ~/storage-changes/default_www_facl


              (Incase) To Restore



              sudo setfacl --restore=~/storage-changes/default_www_facl


              Apply ACL



              Next, apply to a group:



              # -R is recursive
              
# -m is modify
              
# -d applies to default ACL
              

              
sudo chgrp -R www-data /var/www
              
sudo setfacl -Rd g:www-data:rwX /var/www
              
sudo setfacl -Rdm g:www-data:rwX /var/www
              

              
ls -lta /var
              
sudo getfacl /var/www


              The + at the end of the file/dir listing only means it has additional ACLs.






              share|improve this answer


























                0














                I believe you need to use X and not x for the executable.



                Step 1: Create Backup



                First make a backup incase anything goes wrong someday:



                mkdir ~/storage-changes
                
sudo getfacl -R /var/www > ~/storage-changes/default_www_facl


                (Incase) To Restore



                sudo setfacl --restore=~/storage-changes/default_www_facl


                Apply ACL



                Next, apply to a group:



                # -R is recursive
                
# -m is modify
                
# -d applies to default ACL
                

                
sudo chgrp -R www-data /var/www
                
sudo setfacl -Rd g:www-data:rwX /var/www
                
sudo setfacl -Rdm g:www-data:rwX /var/www
                

                
ls -lta /var
                
sudo getfacl /var/www


                The + at the end of the file/dir listing only means it has additional ACLs.






                share|improve this answer
























                  0












                  0








                  0






                  I believe you need to use X and not x for the executable.



                  Step 1: Create Backup



                  First make a backup incase anything goes wrong someday:



                  mkdir ~/storage-changes
                  
sudo getfacl -R /var/www > ~/storage-changes/default_www_facl


                  (Incase) To Restore



                  sudo setfacl --restore=~/storage-changes/default_www_facl


                  Apply ACL



                  Next, apply to a group:



                  # -R is recursive
                  
# -m is modify
                  
# -d applies to default ACL
                  

                  
sudo chgrp -R www-data /var/www
                  
sudo setfacl -Rd g:www-data:rwX /var/www
                  
sudo setfacl -Rdm g:www-data:rwX /var/www
                  

                  
ls -lta /var
                  
sudo getfacl /var/www


                  The + at the end of the file/dir listing only means it has additional ACLs.






                  share|improve this answer












                  I believe you need to use X and not x for the executable.



                  Step 1: Create Backup



                  First make a backup incase anything goes wrong someday:



                  mkdir ~/storage-changes
                  
sudo getfacl -R /var/www > ~/storage-changes/default_www_facl


                  (Incase) To Restore



                  sudo setfacl --restore=~/storage-changes/default_www_facl


                  Apply ACL



                  Next, apply to a group:



                  # -R is recursive
                  
# -m is modify
                  
# -d applies to default ACL
                  

                  
sudo chgrp -R www-data /var/www
                  
sudo setfacl -Rd g:www-data:rwX /var/www
                  
sudo setfacl -Rdm g:www-data:rwX /var/www
                  

                  
ls -lta /var
                  
sudo getfacl /var/www


                  The + at the end of the file/dir listing only means it has additional ACLs.







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Dec 12 '18 at 16:12









                  JREAM

                  164111




                  164111






























                      draft saved

                      draft discarded




















































                      Thanks for contributing an answer to Super User!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      To learn more, see our tips on writing great answers.





                      Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


                      Please pay close attention to the following guidance:


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function () {
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1334570%2fhow-to-correctly-set-acl-for-www-data-files%23new-answer', 'question_page');
                      }
                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      -

                      Popular posts from this blog

                      "Incorrect syntax near the keyword 'ON'. (on update cascade, on delete cascade,)

                      Image
                      .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box; } 2 total noob sorry any help greatly appreciated. I keep getting this "Incorrect syntax near the keyword 'ON'." heres my codes code one CREATE TABLE supplier ( supplierID INT PRIMARY KEY, ISBN INT FOREIGN KEY REFERENCES book(ISBN), price DECIMAL (5,2), ON UPDATE CASCADE, ON DELETE CASCADE, ); code two CREATE TABLE orders ( orderID INT PRIMARY KEY, customerID INT FOREIGN KEY REFERENCES customer(customerID), ISBN INT FOREIGN KEY REFERENCES book(ISBN), orderDate date, ON UPDATE CASCADE, ON DELETE CASCADE, ); Ive run out of stuff to try other than dumbing it down to uselessness.
                      Read more

                      Alcedinidae

                      Image
                      Alcedinidae Martin-pêcheur à dos bleu ( Alcedo azurea ) Classification (COI) Règne Animalia Embranchement Chordata Sous-embr. Vertebrata Classe Aves Ordre Coraciiformes Famille Alcedinidae Rafinesque, 1815 Les Alcédinidés ou Alcedinidae forment une famille d'oiseaux plus connus sous les noms de martins-pêcheurs et martins-chasseurs. Sommaire 1 Description 2 Répartition et habitat 3 Systématique 3.1 Liste alphabétique des genres 3.2 Liste des espèces 4 Chez les Anciens : l'alcyon 4.1 Étymologie (Littré) 4.2 Oiseau « fabuleux » ? 5 Notes 6 Articles connexes 7 Liens externes 7.1 Bibliographie Description | Ce sont des oiseaux compacts de taille petite à moyenne (10 à 46 cm), au bec droit et long, en forme de poignard. Leurs pattes sont courtes, et ils portent un plumage aux couleurs vives. Répartition et habitat | Cosmopolites, ils fréquentent surtout
                      Read more

                      RAC Tourist Trophy

                      Image
                      Pour les articles homonymes, voir Tourist Trophy. Le RAC Tourist Trophy est une course automobile organisée par le Royal Automobile Club d'Angleterre. Créée en 1905, cette course a fait partie des épreuves comptant pour le championnat du monde des voitures de sport entre 1953 et 1955, en 1958 et 1959, et entre 1962 et 1965. Après une interruption de 17 ans (l'épreuve s'arrête après 1988), le RAC Tourist Trophy reprend en 2005 sous l'égide de la FIA GT. Palmarès | John Napier sur Arrol-Johnston, vainqueur du premier RAC Tourist Trophy, en 1905. L'honorable C.S. Rolls, vainqueur du RAC Tourist Trophy 1906. Ernest Curtis, sur Rover 20 hp, vainqueur du RAC Tourist Trophy 1907. William Watson, vainqueur du RAC Tourist Trophy 1908. Kenelm Lee Guinness, vainqueur du RAC Tourist Trophy 1914 sur Sunbeam. Départ du RAC Tourist Trophy 1928. Louis Gérard, vainqueur du RAC Tourist Trophy 1938 sur Delage. Année Circuit Vainqueur
                      Read more