How to correctly set acl for www-data files?












0














I have web files stored on my server. Currently only the root has a full access: 



drwxr-xr-x  6 root www-data  directory

-rw-r--r--  1 root www-data  file.php


The problem is that the developers wants to use their own account su - myuser to access and modify these files.



Unfortunately, the only solution I have found is to add these users to www-data group and make the php files writable by www-data which is ugly.



What alternative do I have?






linux file-permissions







share|improve this question






















  • Why are the developers modifying files on a production server? You should have at least a development server and maybe a staging server as well.
    – DavidPostill
    Jun 27 '18 at 8:47










  • This is rather a development server than a production server, but the files get their permissions from the Git repository.
    – nowox
    Jun 27 '18 at 8:48










  • The other solution (of a dev server) is to put the files in the same groups as developers, with read-access by the server. Unless the server needs write access to its own files but this is even more ugly...
    – xenoid
    Jun 27 '18 at 11:34
















0














I have web files stored on my server. Currently only the root has a full access: 



drwxr-xr-x  6 root www-data  directory

-rw-r--r--  1 root www-data  file.php


The problem is that the developers wants to use their own account su - myuser to access and modify these files.



Unfortunately, the only solution I have found is to add these users to www-data group and make the php files writable by www-data which is ugly.



What alternative do I have?






linux file-permissions







share|improve this question






















  • Why are the developers modifying files on a production server? You should have at least a development server and maybe a staging server as well.
    – DavidPostill
    Jun 27 '18 at 8:47










  • This is rather a development server than a production server, but the files get their permissions from the Git repository.
    – nowox
    Jun 27 '18 at 8:48










  • The other solution (of a dev server) is to put the files in the same groups as developers, with read-access by the server. Unless the server needs write access to its own files but this is even more ugly...
    – xenoid
    Jun 27 '18 at 11:34














0












0








0







I have web files stored on my server. Currently only the root has a full access: 



drwxr-xr-x  6 root www-data  directory

-rw-r--r--  1 root www-data  file.php


The problem is that the developers wants to use their own account su - myuser to access and modify these files.



Unfortunately, the only solution I have found is to add these users to www-data group and make the php files writable by www-data which is ugly.



What alternative do I have?






linux file-permissions







share|improve this question













I have web files stored on my server. Currently only the root has a full access: 



drwxr-xr-x  6 root www-data  directory

-rw-r--r--  1 root www-data  file.php


The problem is that the developers wants to use their own account su - myuser to access and modify these files.



Unfortunately, the only solution I have found is to add these users to www-data group and make the php files writable by www-data which is ugly.



What alternative do I have?






linux file-permissions




linux file-permissions






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Jun 27 '18 at 8:12









nowox

77111528




77111528












  • Why are the developers modifying files on a production server? You should have at least a development server and maybe a staging server as well.
    – DavidPostill
    Jun 27 '18 at 8:47










  • This is rather a development server than a production server, but the files get their permissions from the Git repository.
    – nowox
    Jun 27 '18 at 8:48










  • The other solution (of a dev server) is to put the files in the same groups as developers, with read-access by the server. Unless the server needs write access to its own files but this is even more ugly...
    – xenoid
    Jun 27 '18 at 11:34


















  • Why are the developers modifying files on a production server? You should have at least a development server and maybe a staging server as well.
    – DavidPostill
    Jun 27 '18 at 8:47










  • This is rather a development server than a production server, but the files get their permissions from the Git repository.
    – nowox
    Jun 27 '18 at 8:48










  • The other solution (of a dev server) is to put the files in the same groups as developers, with read-access by the server. Unless the server needs write access to its own files but this is even more ugly...
    – xenoid
    Jun 27 '18 at 11:34
















Why are the developers modifying files on a production server? You should have at least a development server and maybe a staging server as well.
– DavidPostill
Jun 27 '18 at 8:47




Why are the developers modifying files on a production server? You should have at least a development server and maybe a staging server as well.
– DavidPostill
Jun 27 '18 at 8:47












This is rather a development server than a production server, but the files get their permissions from the Git repository.
– nowox
Jun 27 '18 at 8:48




This is rather a development server than a production server, but the files get their permissions from the Git repository.
– nowox
Jun 27 '18 at 8:48












The other solution (of a dev server) is to put the files in the same groups as developers, with read-access by the server. Unless the server needs write access to its own files but this is even more ugly...
– xenoid
Jun 27 '18 at 11:34




The other solution (of a dev server) is to put the files in the same groups as developers, with read-access by the server. Unless the server needs write access to its own files but this is even more ugly...
– xenoid
Jun 27 '18 at 11:34










2 Answers
2






active

oldest

votes


















0














If your Linux server isn't too old, and you are on a standard filesystem for Linux, you can use access control lists to give permissions to other users.



For example, the following command will give read and write permissions to the myuser user on file: setfacl -m user:myuser:rw file



setfacl may need to be installed, depending on your distribution.






share|improve this answer





























    0














    I believe you need to use X and not x for the executable.



    Step 1: Create Backup



    First make a backup incase anything goes wrong someday:



    mkdir ~/storage-changes
    
sudo getfacl -R /var/www > ~/storage-changes/default_www_facl


    (Incase) To Restore



    sudo setfacl --restore=~/storage-changes/default_www_facl


    Apply ACL



    Next, apply to a group:



    # -R is recursive
    
# -m is modify
    
# -d applies to default ACL
    

    
sudo chgrp -R www-data /var/www
    
sudo setfacl -Rd g:www-data:rwX /var/www
    
sudo setfacl -Rdm g:www-data:rwX /var/www
    

    
ls -lta /var
    
sudo getfacl /var/www


    The + at the end of the file/dir listing only means it has additional ACLs.






    share|improve this answer





















      Your Answer








      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "3"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: true,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: 10,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });














      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1334570%2fhow-to-correctly-set-acl-for-www-data-files%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      2 Answers
      2






      active

      oldest

      votes








      2 Answers
      2






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      0














      If your Linux server isn't too old, and you are on a standard filesystem for Linux, you can use access control lists to give permissions to other users.



      For example, the following command will give read and write permissions to the myuser user on file: setfacl -m user:myuser:rw file



      setfacl may need to be installed, depending on your distribution.






      share|improve this answer


























        0














        If your Linux server isn't too old, and you are on a standard filesystem for Linux, you can use access control lists to give permissions to other users.



        For example, the following command will give read and write permissions to the myuser user on file: setfacl -m user:myuser:rw file



        setfacl may need to be installed, depending on your distribution.






        share|improve this answer
























          0












          0








          0






          If your Linux server isn't too old, and you are on a standard filesystem for Linux, you can use access control lists to give permissions to other users.



          For example, the following command will give read and write permissions to the myuser user on file: setfacl -m user:myuser:rw file



          setfacl may need to be installed, depending on your distribution.






          share|improve this answer












          If your Linux server isn't too old, and you are on a standard filesystem for Linux, you can use access control lists to give permissions to other users.



          For example, the following command will give read and write permissions to the myuser user on file: setfacl -m user:myuser:rw file



          setfacl may need to be installed, depending on your distribution.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Jun 27 '18 at 14:55









          user2313067

          2,0251911




          2,0251911

























              0














              I believe you need to use X and not x for the executable.



              Step 1: Create Backup



              First make a backup incase anything goes wrong someday:



              mkdir ~/storage-changes
              
sudo getfacl -R /var/www > ~/storage-changes/default_www_facl


              (Incase) To Restore



              sudo setfacl --restore=~/storage-changes/default_www_facl


              Apply ACL



              Next, apply to a group:



              # -R is recursive
              
# -m is modify
              
# -d applies to default ACL
              

              
sudo chgrp -R www-data /var/www
              
sudo setfacl -Rd g:www-data:rwX /var/www
              
sudo setfacl -Rdm g:www-data:rwX /var/www
              

              
ls -lta /var
              
sudo getfacl /var/www


              The + at the end of the file/dir listing only means it has additional ACLs.






              share|improve this answer


























                0














                I believe you need to use X and not x for the executable.



                Step 1: Create Backup



                First make a backup incase anything goes wrong someday:



                mkdir ~/storage-changes
                
sudo getfacl -R /var/www > ~/storage-changes/default_www_facl


                (Incase) To Restore



                sudo setfacl --restore=~/storage-changes/default_www_facl


                Apply ACL



                Next, apply to a group:



                # -R is recursive
                
# -m is modify
                
# -d applies to default ACL
                

                
sudo chgrp -R www-data /var/www
                
sudo setfacl -Rd g:www-data:rwX /var/www
                
sudo setfacl -Rdm g:www-data:rwX /var/www
                

                
ls -lta /var
                
sudo getfacl /var/www


                The + at the end of the file/dir listing only means it has additional ACLs.






                share|improve this answer
























                  0












                  0








                  0






                  I believe you need to use X and not x for the executable.



                  Step 1: Create Backup



                  First make a backup incase anything goes wrong someday:



                  mkdir ~/storage-changes
                  
sudo getfacl -R /var/www > ~/storage-changes/default_www_facl


                  (Incase) To Restore



                  sudo setfacl --restore=~/storage-changes/default_www_facl


                  Apply ACL



                  Next, apply to a group:



                  # -R is recursive
                  
# -m is modify
                  
# -d applies to default ACL
                  

                  
sudo chgrp -R www-data /var/www
                  
sudo setfacl -Rd g:www-data:rwX /var/www
                  
sudo setfacl -Rdm g:www-data:rwX /var/www
                  

                  
ls -lta /var
                  
sudo getfacl /var/www


                  The + at the end of the file/dir listing only means it has additional ACLs.






                  share|improve this answer












                  I believe you need to use X and not x for the executable.



                  Step 1: Create Backup



                  First make a backup incase anything goes wrong someday:



                  mkdir ~/storage-changes
                  
sudo getfacl -R /var/www > ~/storage-changes/default_www_facl


                  (Incase) To Restore



                  sudo setfacl --restore=~/storage-changes/default_www_facl


                  Apply ACL



                  Next, apply to a group:



                  # -R is recursive
                  
# -m is modify
                  
# -d applies to default ACL
                  

                  
sudo chgrp -R www-data /var/www
                  
sudo setfacl -Rd g:www-data:rwX /var/www
                  
sudo setfacl -Rdm g:www-data:rwX /var/www
                  

                  
ls -lta /var
                  
sudo getfacl /var/www


                  The + at the end of the file/dir listing only means it has additional ACLs.







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Dec 12 '18 at 16:12









                  JREAM

                  164111




                  164111






























                      draft saved

                      draft discarded




















































                      Thanks for contributing an answer to Super User!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      To learn more, see our tips on writing great answers.





                      Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


                      Please pay close attention to the following guidance:


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function () {
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1334570%2fhow-to-correctly-set-acl-for-www-data-files%23new-answer', 'question_page');
                      }
                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      -

                      Popular posts from this blog

                      If I really need a card on my start hand, how many mulligans make sense? [duplicate]

                      Image
                      5 This question already has an answer here: How do you calculate the likelihood of drawing certain cards in your opening hand? 3 answers There is a funny modern deck where you play Treasure Hunt, but you really need to have it on the starting hand. How many mulligans should I take, if my deck contains 60 cards and contains 4 copies of Treasure Hunt? magic-the-gathering probability share | improve this question asked Nov 23 '18 at 12:12 dan dan 152 4
                      Read more

                      Alcedinidae

                      Image
                      Alcedinidae Martin-pêcheur à dos bleu ( Alcedo azurea ) Classification (COI) Règne Animalia Embranchement Chordata Sous-embr. Vertebrata Classe Aves Ordre Coraciiformes Famille Alcedinidae Rafinesque, 1815 Les Alcédinidés ou Alcedinidae forment une famille d'oiseaux plus connus sous les noms de martins-pêcheurs et martins-chasseurs. Sommaire 1 Description 2 Répartition et habitat 3 Systématique 3.1 Liste alphabétique des genres 3.2 Liste des espèces 4 Chez les Anciens : l'alcyon 4.1 Étymologie (Littré) 4.2 Oiseau « fabuleux » ? 5 Notes 6 Articles connexes 7 Liens externes 7.1 Bibliographie Description | Ce sont des oiseaux compacts de taille petite à moyenne (10 à 46 cm), au bec droit et long, en forme de poignard. Leurs pattes sont courtes, et ils portent un plumage aux couleurs vives. Répartition et habitat | Cosmopolites, ils fréquentent surtout
                      Read more

                      Can an atomic nucleus contain both particles and antiparticles? [duplicate]

                      Image
                      9 $begingroup$ This question already has an answer here: What happens if we put together a proton and an antineutron? 2 answers Is it theoretically possible to make a "deuterium" atom containing a proton and an antineutron in its nucleus? Would the strong nuclear force cause attraction between a proton and an antineutron? Would such a nucleus be stable, or would the proton somehow annihilate the antineutron when close enough? nuclear-physics antimatter share | cite | improve this question asked yesterday
                      Read more