Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Permissions on htdocs (Solved)
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Other Things Gentoo
View previous topic :: View next topic  
Author Message
BrummieJim
l33t
l33t


Joined: 22 Jul 2005
Posts: 622

PostPosted: Wed Jul 02, 2014 9:35 am    Post subject: Permissions on htdocs (Solved) Reply with quote

HI,
I'm trying to run nginx and be able to save files to a directory /var/log/nginx/htdocs, if a user is a member of the nginx group. I've added my normal user to nginx group using "usermod -a -G nginx ja" and checked this with a grep of the /etc/group file. I've chmod 770 /var/log/nginx, mkdir /var/log/nginx/htdocs, chmod 770 /var/log/nginx/htdocs, chown nginx:nginx /var/log/nginx/htdocs but I still can't get access as a normal user. I presume this is due to the fact that /var/ and /var/log are owned by root.

Presumably people don't publish as root, so how do I workround this problem, or is is better to create something like /web/nginx .... so that all the permissions are correct.

Thanks,
James
_________________
Intel 2.2 Core 2 Duo, 4Gb Ram, 320GB Sata Drive and Nvidia card.


Last edited by BrummieJim on Thu Jul 03, 2014 4:06 pm; edited 1 time in total
Back to top
View user's profile Send private message
miket
Apprentice
Apprentice


Joined: 28 Apr 2007
Posts: 227
Location: Gainesville, FL, USA

PostPosted: Thu Jul 03, 2014 3:34 am    Post subject: Reply with quote

My, there are several things.

First, did you remember that you won't see a change in your group memberships until you log in the next time?

Second, it's really typical to leave directories like httpd document roots at least world-readable. You ought to think of a using a permission of 0775 rather than 0770 for those directories.

Third, while I've never used nginx and don't know anything about its setup, there's a lot I can tell. This is the most salient thing: /var/log is for *log* files. There is certainly a /var/log/nginx directory, but that should be for the server's logs. The ebuild sets up restrictive permissions for it.

When it comes to where the documents go, the first guess is to go where most packages go to store variable content: in directories under /var/lib/. (Take a look at your /var/lib/ and notice all the directories thar are named for installed packages.) The ebuild does set up a /var/lib/nginx/, but that's probably not the one to use. What you have is a web server, and the normal practice for them is a bit different. The ebuild uses the same base directory as what Apache uses: /var/www/. The ebuild goes on to use the same practice as Apache: directories in /var/www/ are virtual-host directories (for a default of localhost/) and the directory under that for documents is htdocs/.

Following the Apache practice is probably what you need. It looks like the ebuild set up the directory for you:
Code:
/var/www/localhost/htdocs/
.

BrummieJim wrote:
I presume this is due to the fact that /var/ and /var/log are owned by root.
No, that doesn't make any difference. You can do
Code:
chmod -R 775 /var/www
chown -R nginx:nginx /var/www
if you want. That would leave the directories group-writable. (Note the recursive mode of chmod and chown with the -R switch; it's helpful. Similarly, if the document-root directories hadn't existed, doing
Code:
mkdir -p /var/www/localhost/htdocs
would do that for you.

By the way, did you see the wiki article on nginx?
Back to top
View user's profile Send private message
BrummieJim
l33t
l33t


Joined: 22 Jul 2005
Posts: 622

PostPosted: Thu Jul 03, 2014 4:05 pm    Post subject: Reply with quote

Thanks, having a bit of dim moment. Realised I'd got the wrong directory and implemented your solution. All good now and it works great.
_________________
Intel 2.2 Core 2 Duo, 4Gb Ram, 320GB Sata Drive and Nvidia card.
Back to top
View user's profile Send private message
miket
Apprentice
Apprentice


Joined: 28 Apr 2007
Posts: 227
Location: Gainesville, FL, USA

PostPosted: Thu Jul 03, 2014 6:01 pm    Post subject: Reply with quote

I'm glad that worked. Actually, if I were you, I'd tweak the permissions a bit for greater safety.

These are the two big problems: you, as a user, have membership in a daemon's private group (which is hardly ever a good thing) and the daemon, by having write permission on the files in the document root, has the possiblity of having a script insert something bad into one of your static document files.

The solution would be to set up a new group, say wwwdocs, that would have write permissions on those documents. You would be a member of that group, and nginx would not. Nginx would be able to serve the documents because of their being world-readable.

The permission masks you already set up would be correct, but the ownership would change. This would do it:
Code:
chown -R root:wwwdocs /var/www


Now you could edit the files because you belong to the wwwdocs group, and errant scripts running under nginx could not clobber them. This should go for scripts, too. Scripts under a cgi-bin directory would run with nginx's permissions, so they'd keep from clobbering things. If you set up a Fast CGI processor (like PHP's FPM), that also should be set up so that it could read scripts because of being world-readable but have no permissions either to write them or to change their permissions masks.

Only for directories where the server should be able to write (such as for uploads) would you change the ownership to nginx.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Other Things Gentoo All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum