How to correctly set acl for www-data files?












0














I have web files stored on my server. Currently only the root has a full access:



drwxr-xr-x  6 root www-data  directory
-rw-r--r-- 1 root www-data file.php


The problem is that the developers wants to use their own account su - myuser to access and modify these files.



Unfortunately, the only solution I have found is to add these users to www-data group and make the php files writable by www-data which is ugly.



What alternative do I have?










share|improve this question






















  • Why are the developers modifying files on a production server? You should have at least a development server and maybe a staging server as well.
    – DavidPostill
    Jun 27 '18 at 8:47










  • This is rather a development server than a production server, but the files get their permissions from the Git repository.
    – nowox
    Jun 27 '18 at 8:48










  • The other solution (of a dev server) is to put the files in the same groups as developers, with read-access by the server. Unless the server needs write access to its own files but this is even more ugly...
    – xenoid
    Jun 27 '18 at 11:34
















0














I have web files stored on my server. Currently only the root has a full access:



drwxr-xr-x  6 root www-data  directory
-rw-r--r-- 1 root www-data file.php


The problem is that the developers wants to use their own account su - myuser to access and modify these files.



Unfortunately, the only solution I have found is to add these users to www-data group and make the php files writable by www-data which is ugly.



What alternative do I have?










share|improve this question






















  • Why are the developers modifying files on a production server? You should have at least a development server and maybe a staging server as well.
    – DavidPostill
    Jun 27 '18 at 8:47










  • This is rather a development server than a production server, but the files get their permissions from the Git repository.
    – nowox
    Jun 27 '18 at 8:48










  • The other solution (of a dev server) is to put the files in the same groups as developers, with read-access by the server. Unless the server needs write access to its own files but this is even more ugly...
    – xenoid
    Jun 27 '18 at 11:34














0












0








0







I have web files stored on my server. Currently only the root has a full access:



drwxr-xr-x  6 root www-data  directory
-rw-r--r-- 1 root www-data file.php


The problem is that the developers wants to use their own account su - myuser to access and modify these files.



Unfortunately, the only solution I have found is to add these users to www-data group and make the php files writable by www-data which is ugly.



What alternative do I have?










share|improve this question













I have web files stored on my server. Currently only the root has a full access:



drwxr-xr-x  6 root www-data  directory
-rw-r--r-- 1 root www-data file.php


The problem is that the developers wants to use their own account su - myuser to access and modify these files.



Unfortunately, the only solution I have found is to add these users to www-data group and make the php files writable by www-data which is ugly.



What alternative do I have?







linux file-permissions






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Jun 27 '18 at 8:12









nowox

77111528




77111528












  • Why are the developers modifying files on a production server? You should have at least a development server and maybe a staging server as well.
    – DavidPostill
    Jun 27 '18 at 8:47










  • This is rather a development server than a production server, but the files get their permissions from the Git repository.
    – nowox
    Jun 27 '18 at 8:48










  • The other solution (of a dev server) is to put the files in the same groups as developers, with read-access by the server. Unless the server needs write access to its own files but this is even more ugly...
    – xenoid
    Jun 27 '18 at 11:34


















  • Why are the developers modifying files on a production server? You should have at least a development server and maybe a staging server as well.
    – DavidPostill
    Jun 27 '18 at 8:47










  • This is rather a development server than a production server, but the files get their permissions from the Git repository.
    – nowox
    Jun 27 '18 at 8:48










  • The other solution (of a dev server) is to put the files in the same groups as developers, with read-access by the server. Unless the server needs write access to its own files but this is even more ugly...
    – xenoid
    Jun 27 '18 at 11:34
















Why are the developers modifying files on a production server? You should have at least a development server and maybe a staging server as well.
– DavidPostill
Jun 27 '18 at 8:47




Why are the developers modifying files on a production server? You should have at least a development server and maybe a staging server as well.
– DavidPostill
Jun 27 '18 at 8:47












This is rather a development server than a production server, but the files get their permissions from the Git repository.
– nowox
Jun 27 '18 at 8:48




This is rather a development server than a production server, but the files get their permissions from the Git repository.
– nowox
Jun 27 '18 at 8:48












The other solution (of a dev server) is to put the files in the same groups as developers, with read-access by the server. Unless the server needs write access to its own files but this is even more ugly...
– xenoid
Jun 27 '18 at 11:34




The other solution (of a dev server) is to put the files in the same groups as developers, with read-access by the server. Unless the server needs write access to its own files but this is even more ugly...
– xenoid
Jun 27 '18 at 11:34










2 Answers
2






active

oldest

votes


















0














If your Linux server isn't too old, and you are on a standard filesystem for Linux, you can use access control lists to give permissions to other users.



For example, the following command will give read and write permissions to the myuser user on file: setfacl -m user:myuser:rw file



setfacl may need to be installed, depending on your distribution.






share|improve this answer





























    0














    I believe you need to use X and not x for the executable.



    Step 1: Create Backup



    First make a backup incase anything goes wrong someday:



    mkdir ~/storage-changes
    sudo getfacl -R /var/www > ~/storage-changes/default_www_facl


    (Incase) To Restore



    sudo setfacl --restore=~/storage-changes/default_www_facl 


    Apply ACL



    Next, apply to a group:



    # -R is recursive
    # -m is modify
    # -d applies to default ACL

    sudo chgrp -R www-data /var/www
    sudo setfacl -Rd g:www-data:rwX /var/www
    sudo setfacl -Rdm g:www-data:rwX /var/www

    ls -lta /var
    sudo getfacl /var/www


    The + at the end of the file/dir listing only means it has additional ACLs.






    share|improve this answer





















      Your Answer








      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "3"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: true,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: 10,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });














      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1334570%2fhow-to-correctly-set-acl-for-www-data-files%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      2 Answers
      2






      active

      oldest

      votes








      2 Answers
      2






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      0














      If your Linux server isn't too old, and you are on a standard filesystem for Linux, you can use access control lists to give permissions to other users.



      For example, the following command will give read and write permissions to the myuser user on file: setfacl -m user:myuser:rw file



      setfacl may need to be installed, depending on your distribution.






      share|improve this answer


























        0














        If your Linux server isn't too old, and you are on a standard filesystem for Linux, you can use access control lists to give permissions to other users.



        For example, the following command will give read and write permissions to the myuser user on file: setfacl -m user:myuser:rw file



        setfacl may need to be installed, depending on your distribution.






        share|improve this answer
























          0












          0








          0






          If your Linux server isn't too old, and you are on a standard filesystem for Linux, you can use access control lists to give permissions to other users.



          For example, the following command will give read and write permissions to the myuser user on file: setfacl -m user:myuser:rw file



          setfacl may need to be installed, depending on your distribution.






          share|improve this answer












          If your Linux server isn't too old, and you are on a standard filesystem for Linux, you can use access control lists to give permissions to other users.



          For example, the following command will give read and write permissions to the myuser user on file: setfacl -m user:myuser:rw file



          setfacl may need to be installed, depending on your distribution.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Jun 27 '18 at 14:55









          user2313067

          2,0251911




          2,0251911

























              0














              I believe you need to use X and not x for the executable.



              Step 1: Create Backup



              First make a backup incase anything goes wrong someday:



              mkdir ~/storage-changes
              sudo getfacl -R /var/www > ~/storage-changes/default_www_facl


              (Incase) To Restore



              sudo setfacl --restore=~/storage-changes/default_www_facl 


              Apply ACL



              Next, apply to a group:



              # -R is recursive
              # -m is modify
              # -d applies to default ACL

              sudo chgrp -R www-data /var/www
              sudo setfacl -Rd g:www-data:rwX /var/www
              sudo setfacl -Rdm g:www-data:rwX /var/www

              ls -lta /var
              sudo getfacl /var/www


              The + at the end of the file/dir listing only means it has additional ACLs.






              share|improve this answer


























                0














                I believe you need to use X and not x for the executable.



                Step 1: Create Backup



                First make a backup incase anything goes wrong someday:



                mkdir ~/storage-changes
                sudo getfacl -R /var/www > ~/storage-changes/default_www_facl


                (Incase) To Restore



                sudo setfacl --restore=~/storage-changes/default_www_facl 


                Apply ACL



                Next, apply to a group:



                # -R is recursive
                # -m is modify
                # -d applies to default ACL

                sudo chgrp -R www-data /var/www
                sudo setfacl -Rd g:www-data:rwX /var/www
                sudo setfacl -Rdm g:www-data:rwX /var/www

                ls -lta /var
                sudo getfacl /var/www


                The + at the end of the file/dir listing only means it has additional ACLs.






                share|improve this answer
























                  0












                  0








                  0






                  I believe you need to use X and not x for the executable.



                  Step 1: Create Backup



                  First make a backup incase anything goes wrong someday:



                  mkdir ~/storage-changes
                  sudo getfacl -R /var/www > ~/storage-changes/default_www_facl


                  (Incase) To Restore



                  sudo setfacl --restore=~/storage-changes/default_www_facl 


                  Apply ACL



                  Next, apply to a group:



                  # -R is recursive
                  # -m is modify
                  # -d applies to default ACL

                  sudo chgrp -R www-data /var/www
                  sudo setfacl -Rd g:www-data:rwX /var/www
                  sudo setfacl -Rdm g:www-data:rwX /var/www

                  ls -lta /var
                  sudo getfacl /var/www


                  The + at the end of the file/dir listing only means it has additional ACLs.






                  share|improve this answer












                  I believe you need to use X and not x for the executable.



                  Step 1: Create Backup



                  First make a backup incase anything goes wrong someday:



                  mkdir ~/storage-changes
                  sudo getfacl -R /var/www > ~/storage-changes/default_www_facl


                  (Incase) To Restore



                  sudo setfacl --restore=~/storage-changes/default_www_facl 


                  Apply ACL



                  Next, apply to a group:



                  # -R is recursive
                  # -m is modify
                  # -d applies to default ACL

                  sudo chgrp -R www-data /var/www
                  sudo setfacl -Rd g:www-data:rwX /var/www
                  sudo setfacl -Rdm g:www-data:rwX /var/www

                  ls -lta /var
                  sudo getfacl /var/www


                  The + at the end of the file/dir listing only means it has additional ACLs.







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Dec 12 '18 at 16:12









                  JREAM

                  164111




                  164111






























                      draft saved

                      draft discarded




















































                      Thanks for contributing an answer to Super User!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      To learn more, see our tips on writing great answers.





                      Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


                      Please pay close attention to the following guidance:


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function () {
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1334570%2fhow-to-correctly-set-acl-for-www-data-files%23new-answer', 'question_page');
                      }
                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      Popular posts from this blog

                      "Incorrect syntax near the keyword 'ON'. (on update cascade, on delete cascade,)

                      Alcedinidae

                      Origin of the phrase “under your belt”?