Gentoo Forums
Permissions on htdocs (Solved)
BrummieJim
l33t


Joined: 22 Jul 2005
Posts: 683

Posted: Wed Jul 02, 2014 9:35 am    Post subject: Permissions on htdocs (Solved)

Hi,
I'm trying to run nginx and be able to save files to a directory /var/log/nginx/htdocs, if a user is a member of the nginx group. I've added my normal user to the nginx group using "usermod -a -G nginx ja" and checked this with a grep of the /etc/group file. I've chmod 770 /var/log/nginx, mkdir /var/log/nginx/htdocs, chmod 770 /var/log/nginx/htdocs, chown nginx:nginx /var/log/nginx/htdocs but I still can't get access as a normal user. I presume this is due to the fact that /var/ and /var/log are owned by root.

Presumably people don't publish as root, so how do I work around this problem, or is it better to create something like /web/nginx .... so that all the permissions are correct.

Thanks,
James


Last edited by BrummieJim on Thu Jul 03, 2014 4:06 pm; edited 1 time in total
miket
Guru


Joined: 28 Apr 2007
Posts: 488
Location: Gainesville, FL, USA

Posted: Thu Jul 03, 2014 3:34 am

My, there are several things.

First, did you remember that you won't see a change in your group memberships until you log in the next time?

Second, it's really typical to leave directories like httpd document roots at least world-readable. You ought to think of using a permission of 0775 rather than 0770 for those directories.

Third, while I've never used nginx and don't know anything about its setup, there's a lot I can tell. This is the most salient thing: /var/log is for *log* files. There is certainly a /var/log/nginx directory, but that should be for the server's logs. The ebuild sets up restrictive permissions for it.

When it comes to where the documents go, the first guess is to go where most packages go to store variable content: in directories under /var/lib/. (Take a look at your /var/lib/ and notice all the directories that are named for installed packages.) The ebuild does set up a /var/lib/nginx/, but that's probably not the one to use. What you have is a web server, and the normal practice for them is a bit different. The ebuild uses the same base directory as what Apache uses: /var/www/. The ebuild goes on to use the same practice as Apache: directories in /var/www/ are virtual-host directories (for a default of localhost/) and the directory under that for documents is htdocs/.

Following the Apache practice is probably what you need. It looks like the ebuild set up the directory for you:
Code:
/var/www/localhost/htdocs/

BrummieJim wrote:
I presume this is due to the fact that /var/ and /var/log are owned by root.
No, that doesn't make any difference. You can do
Code:
chmod -R 775 /var/www
chown -R nginx:nginx /var/www
if you want. That would leave the directories group-writable. (Note the recursive mode of chmod and chown with the -R switch; it's helpful.) Similarly, if the document-root directories hadn't existed, doing
Code:
mkdir -p /var/www/localhost/htdocs
would do that for you.

By the way, did you see the wiki article on nginx?
BrummieJim
l33t


Joined: 22 Jul 2005
Posts: 683

Posted: Thu Jul 03, 2014 4:05 pm

Thanks, having a bit of a dim moment. Realised I'd got the wrong directory and implemented your solution. All good now and it works great.
miket
Guru


Joined: 28 Apr 2007
Posts: 488
Location: Gainesville, FL, USA

Posted: Thu Jul 03, 2014 6:01 pm

I'm glad that worked. Actually, if I were you, I'd tweak the permissions a bit for greater safety.

These are the two big problems: you, as a user, have membership in a daemon's private group (which is hardly ever a good thing) and the daemon, by having write permission on the files in the document root, has the possibility of having a script insert something bad into one of your static document files.

The solution would be to set up a new group, say wwwdocs, that would have write permissions on those documents. You would be a member of that group, and nginx would not. Nginx would be able to serve the documents because of their being world-readable.

The permission masks you already set up would be correct, but the ownership would change. This would do it:
Code:
chown -R root:wwwdocs /var/www


Now you could edit the files because you belong to the wwwdocs group, and errant scripts running under nginx could not clobber them. This should go for scripts, too. Scripts under a cgi-bin directory would run with nginx's permissions, so they'd keep from clobbering things. If you set up a Fast CGI processor (like PHP's FPM), that also should be set up so that it could read scripts because of being world-readable but have no permissions either to write them or to change their permission masks.

Only for directories where the server should be able to write (such as for uploads) would you change the ownership to nginx.
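
Added example, not part of the original thread: a shell check that the ownership scheme in the last post holds, by listing every path under the document root that the server account could still modify. The function name `audit_docroot`, its arguments and the exempt upload directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list paths under a document root that the web-server
# account could modify. Function name and arguments are illustrative.
#
# usage: audit_docroot DOCROOT DAEMON_USER DAEMON_GROUP [EXEMPT_SUBDIR]
#   DAEMON_USER / DAEMON_GROUP  account the server runs as (name or numeric id)
#   EXEMPT_SUBDIR               directory the server is meant to write to,
#                               relative to DOCROOT (e.g. an uploads directory)
audit_docroot() {
    docroot=${1%/}; d_user=$2; d_group=$3; exempt=${4:-}

    # Build the find arguments; skip the exempt subtree if one was given.
    set -- "$docroot"
    if [ -n "$exempt" ]; then
        set -- "$@" -path "$docroot/$exempt" -prune -o
    fi

    # A path is writable by the daemon when one of these holds:
    #   - the daemon user owns it and the owner-write bit is set
    #   - the daemon group owns it and the group-write bit is set
    #   - the world-write bit is set
    # Symlinks are skipped: their own mode is always rwxrwxrwx.
    find "$@" ! -type l \( \
            \( -user "$d_user" -perm -0200 \) -o \
            \( -group "$d_group" -perm -0020 \) -o \
            -perm -0002 \
        \) -print
}

# Run directly, e.g.: sh audit_docroot.sh /var/www nginx nginx
if [ "$#" -ge 3 ]; then
    audit_docroot "$@"
fi
```

With /var/www owned by root:wwwdocs at mode 775 and nginx outside the wwwdocs group, the check prints nothing; any line it does print is a file or directory a script running as nginx could overwrite. It tests only the daemon's user and primary group, not supplementary group memberships.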