From owner-freebsd-questions Wed Mar 25 02:29:45 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA15378 for freebsd-questions-outgoing; Wed, 25 Mar 1998 02:29:45 -0800 (PST) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from tyree.iii.co.uk (tyree.iii.co.uk [195.89.149.230]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA15372 for ; Wed, 25 Mar 1998 02:29:37 -0800 (PST) (envelope-from nik@iii.co.uk)
From: nik@iii.co.uk
Received: from carrig.strand.iii.co.uk (carrig.strand.iii.co.uk [192.168.7.25]) by tyree.iii.co.uk (8.8.8/8.8.8) with ESMTP id KAA20051; Wed, 25 Mar 1998 10:29:12 GMT
Received: (from nik@localhost) by carrig.strand.iii.co.uk (8.8.8/8.8.7) id KAA03378; Wed, 25 Mar 1998 10:29:07 GMT
Message-ID: <19980325102906.51409@iii.co.uk>
Date: Wed, 25 Mar 1998 10:29:06 +0000
To: ken@mui.net
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: chown vs chmod
References: <199803242153.LAA12275@rocksalt.mui.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.85e
In-Reply-To: <199803242153.LAA12275@rocksalt.mui.net>; from ken@mui.net on Tue, Mar 24, 1998 at 11:52:19AM +0000
Organization: interactive investor
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Tue, Mar 24, 1998 at 11:52:19AM +0000, ken@mui.net wrote:
> I sort of understand it, finally but haven't the faintest idea of
> what's good and what's not. For instance, I need to be able to
> maintain the web pages and stuff.

There are basically two approaches you can go with:

1. Create a new user, called 'www' (or 'web', or whatever you want).
   This user 'owns' the web site, and all the files on the site.

   This works pretty well if you've only got one person working on a
   site, and you don't mind having to 'su' to that user each time you
   want to work on the site.

2. Create a new group, called 'www' (or 'web', or whatever).
   Put all the accounts you want to be able to make changes to the site
   in this group. Make sure that the top level directory of your web
   filesystem is 'group owned' by the 'www' group, and has the mode 4775.
   This will cause any files created in this directory to be *group*
   owned by the group ownership of the directory ('www'). Everyone that
   then works in this directory needs to make sure that their 'umask' is
   set to 002, so that files are created with 'group write' permissions.

   This works pretty well regardless of how many people are working on
   the site, *assuming* that everyone is allowed to alter everything. If
   that's not the case, you either need to create multiple groups, one
   for each 'group' of files that people are allowed to change, and make
   sure that everyone's in the right group. Or (and this is much easier)
   you can tell people what they're allowed to change, and threaten them
   with a big stick if they change stuff that they're not supposed to :-)

Here's a very quick example of option 2. '#' means do this as root, '%'
means do this as a regular user. I'm doing this in a temporary
directory, /usr/tmp; you'll probably want to set up something like
/usr/local/www.

[step]

    # vi /etc/group

Add a line like "www:*:100:" and add all the usernames you want to be
able to use this. You may need to change the 100 to some other number if
it's already taken on your system. "man 5 group" for information about
the format of this file.

[step]

    # cd /usr/tmp
    # mkdir www
    # ls -l
    total 2
    drwxr-xr-x  2 root  wheel  512 Mar 25 10:07 www/

Notice the permissions on the 'www' directory. Now change those
permissions and ownerships.

[step]

    # chgrp www www
    # ls -l
    total 2
    drwxr-xr-x  2 root  www  512 Mar 25 10:07 www/

That's changed the group ownership, so the directory is now group owned
by the www group.
[step]

    # chmod 4775 www
    # ls -l
    total 2
    drwsrwxr-x  2 root  www  512 Mar 25 10:07 www/

The directory can now be written to by anyone in the 'www' group, and
any new files created in that directory will be owned by the 'www'
group. That's shown by the "s" in "drwsrwxr-x".

[step]

Now, become a regular user (who is also in the newly created 'www'
group). This regular user can now go off and edit files in
/usr/tmp/www. The user should first check their umask value ("man
umask" for more info).

    % umask
    22

Oops, that's too restrictive, since files will *not* be created with
the group 'write' bit set. So change the umask to allow this:

    % umask 002

You might want to get your users to put this in their .profile/.cshrc
or other shell startup scripts (or you can edit the ones in /etc to set
this for everyone -- read my caveat at the end though).

Now go off and create a file in /usr/tmp/www:

    % touch foo.html
    % ls -l
    total 0
    -rw-rw-r--  1 nik  www  0 Mar 25 10:19 foo.html

As you can see, the file is owned by the user (in this case, 'nik'),
group owned by the 'www' group, and anyone else in the 'www' group can
edit the file. Which is exactly what you want.

OK, here's the caveat. When your users set their umask to 002, it means
that when they create files in other directories (like, for example,
their home directory) anyone else in the same group will be able to
edit those files. This is probably a bad thing.

A good workaround for this problem is to give each one of your users
their own group. The 'adduser' program that comes with FreeBSD defaults
(I believe) to doing this.

If all the above made sense to you (or if some of it didn't, but you
figured it out anyway) would you do me a favour? Rewrite any bits you
don't understand, or think could be made easier to understand, then get
yourself over to doc@freebsd.org and help join in the FreeBSD
Documentation Project. It's fun, free, and you get to do cool things
with SGML. OK, perhaps that last one isn't much of an incentive.
Either way, if you could take the time to reword any of the above that
needs it, pretty it up and so on, it'd probably make a good addition to
the FreeBSD tutorials.

Hope that's useful.

N
--
Work: nik@iii.co.uk                    | FreeBSD + Perl + Apache
Rest: nik@nothing-going-on.demon.co.uk | Remind me again why we need
Play: nik@freebsd.org                  | Microsoft?

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
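As an added example (not code from the post above, and not part of FreeBSD), here is a small Python audit for a web tree that has been set up along the lines of option 2: every entry should be group-owned by the site group, every file group-writable, directories should carry the setgid bit, and nothing should be world-writable. It also checks a umask value the way the post's "umask" step does, flagging 022 and accepting 002. The sample tree and modes are constructed, and the caller's own gid stands in for the 'www' group so the script runs without creating any accounts. The directory bit it looks for is setgid (mode 2000), which is what makes new entries inherit the directory's group on SysV-style systems; FreeBSD gives new files the parent directory's group regardless of that bit, so on FreeBSD that check is informational. The world-writable check is the risk the post's umask caveat describes.

```python
"""Audit a shared web tree for the group-ownership scheme in the post above.
Added example with constructed sample data; the sample tree is built under a
temporary directory using the running user's own gid in place of 'www'."""
import os
import stat
import tempfile
from typing import List, Optional, Tuple

ISSUE_GROUP = "wrong group"
ISSUE_NO_GROUP_WRITE = "not group writable"
ISSUE_WORLD_WRITE = "world writable"
ISSUE_NO_SETGID = "directory lacks setgid bit"


def check_umask(mask: int) -> List[str]:
    """Problems with a umask for this scheme: 0o022 (the post's '22') masks
    the group write bit; 0o002 keeps it and still masks world write."""
    problems = []
    if mask & stat.S_IWGRP:
        problems.append("group write bit masked off")   # files won't be group writable
    if not mask & stat.S_IWOTH:
        problems.append("world write bit not masked")   # files would be world writable
    return problems


def audit_path(path: str, want_gid: int) -> List[str]:
    """Issues for one file or directory; symbolic links are skipped."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return []
    issues = []
    if st.st_gid != want_gid:
        issues.append(ISSUE_GROUP)
    if not st.st_mode & stat.S_IWGRP:
        issues.append(ISSUE_NO_GROUP_WRITE)
    if st.st_mode & stat.S_IWOTH:
        issues.append(ISSUE_WORLD_WRITE)
    # setgid on a directory makes new entries inherit its group on SysV-style
    # systems; BSD inherits the parent directory's group in any case.
    if stat.S_ISDIR(st.st_mode) and not st.st_mode & stat.S_ISGID:
        issues.append(ISSUE_NO_SETGID)
    return issues


def audit_tree(root: str, want_gid: int) -> List[Tuple[str, str]]:
    """Walk root and return sorted (path relative to root, issue) pairs."""
    findings = [(".", i) for i in audit_path(root, want_gid)]
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            findings.extend((rel, i) for i in audit_path(full, want_gid))
    return sorted(findings)


def build_demo_tree(base: Optional[str] = None) -> Tuple[str, int]:
    """Constructed sample tree: one correct file and three deliberate
    mistakes. Returns (root, gid of root); no 'www' group is needed."""
    base = base or tempfile.mkdtemp(prefix="wwwaudit-")
    root = os.path.join(base, "www")
    os.mkdir(root)
    os.chmod(root, 0o2775)                       # rwxrwsr-x: group writable, setgid
    for name, mode in (("foo.html", 0o664),      # correct: group can edit it
                       ("secret.html", 0o644),   # others in the group cannot edit it
                       ("open.html", 0o666)):    # anybody on the box can edit it
        p = os.path.join(root, name)
        open(p, "w").close()
        os.chmod(p, mode)                        # set explicitly, ignoring umask
    sub = os.path.join(root, "sub")
    os.mkdir(sub)
    os.chmod(sub, 0o775)                         # group writable, but no setgid bit
    return root, os.lstat(root).st_gid


def demo_findings() -> List[Tuple[str, str]]:
    """Build the sample tree and audit it against its own group."""
    root, gid = build_demo_tree()
    return audit_tree(root, gid)


if __name__ == "__main__":
    for problem in check_umask(0o022):
        print(f"umask 022: {problem}")
    for rel, issue in demo_findings():
        print(f"{rel}: {issue}")
```

Run against a real tree, audit_tree(path, grp.getgrnam("www").gr_gid) lists exactly the entries that would stop a team member editing a file, or that let someone outside the group edit one; a cron job that mails that list is a cheap way to catch the umask slip the post warns about.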