Date:      Wed, 25 Mar 1998 10:29:06 +0000
From:      nik@iii.co.uk
To:        ken@mui.net
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: chown vs chmod
Message-ID:  <19980325102906.51409@iii.co.uk>
In-Reply-To: <199803242153.LAA12275@rocksalt.mui.net>; from ken@mui.net on Tue, Mar 24, 1998 at 11:52:19AM +0000
References:  <199803242153.LAA12275@rocksalt.mui.net>

On Tue, Mar 24, 1998 at 11:52:19AM +0000, ken@mui.net wrote:
> I sort of understand it, finally but haven't the faintest idea of 
> what's good and what's not.  For instance, I need to be able to 
> maintain the web pages and stuff.  

There are basically two approaches you can go with:

  1. Create a new user, called 'www' (or 'web', or whatever you want).
     This user 'owns' the web site, and all the files on the site.

     This works pretty well if you've only got one person working on a 
     site, and you don't mind having to 'su' to that user each time you
     want to work on the site.

  2. Create a new group, called 'www' (or 'web', or whatever). Put 
     all the accounts you want to be able to make changes to the site in 
     this group.

     Make sure that the top level directory of your web filesystem is 
     'group owned' by the 'www' group, and has the mode 4775. This
     will cause any files created in this directory to be *group* owned
     by the group ownership of the directory ('www').

     Everyone that then works in this directory needs to make sure that
     their 'umask' is set to 002, so that files are created with 'group
     write' permissions.

     This works pretty well regardless of how many people are working on
     the site, *assuming* that everyone is allowed to alter everything.
     If that's not the case, you either need to create multiple groups,
     one for each 'group' of files that people are allowed to change, and
     make sure that everyone's in the right group.

     Or (and this is much easier) you can tell people what they're allowed
     to change, and threaten them with a big stick if they change stuff
     that they're not supposed to :-)

Here's a very quick example of option 2. '#' means do this as root, '%'
means do this as a regular user. I'm doing this in a temporary directory,
/usr/tmp, you'll probably want to set up something like /usr/local/www.

[step]
    # vi /etc/group
     
Add a line like "www:*:100:" and add all the usernames you want to be able
to use this. You may need to change the 100 to some other number if it's
already taken on your system. "man 5 group" for information about the 
format of this file.
 
[step]
    # cd /usr/tmp
    # mkdir www
    # ls -l 
    total 2
    drwxr-xr-x  2 root  wheel  512 Mar 25 10:07 www/
 
Notice the permissions on the 'www' directory. Now change those permissions
and ownerships.

[step]
    # chgrp www www
    # ls -l 
    total 2
    drwxr-xr-x  2 root  www  512 Mar 25 10:07 www/

That's changed the group ownership, so the directory is now group owned
by the www group.

[step]
    # chmod 4775 www
    # ls -l
    total 2
    drwsrwxr-x  2 root  www  512 Mar 25 10:07 www/

The directory can now be written to by anyone in the 'www' group, and any
new files created in that directory will be owned by the 'www' group. That's
shown by the "s" in "drwsrwxr-x".

[step]

Now, become a regular user (who is also in the newly created 'www' group).
This regular user can now go off and edit files in /usr/tmp/www.

The user should first check their umask value ("man umask" for more info):
    
    % umask
    22

Oops, that's too restrictive, since files will *not* be created with the
group 'write' bit set. So change the umask to allow this:

    % umask 002

You might want to get your users to put this in their .profile/.cshrc
or other shell startup scripts (or you can edit the ones in /etc to set
this for everyone -- read my caveat at the end though).

Now go off and create a file in /usr/tmp/www:
 
    % touch foo.html
    % ls -l
    total 0
    -rw-rw-r--  1 nik  www  0 Mar 25 10:19 foo.html

As you can see, the file is owned by the user (in this case, 'nik'), group
owned by the 'www' group, and anyone else in the 'www' group can edit the
file. Which is exactly what you want.

OK, here's the caveat. When your users set their umask to 002, it means that
when they create files in other directories (like, for example, their home
directory) anyone else in the same group will be able to edit those files.

This is probably a bad thing.

A good workaround for this problem is to give each one of your users their
own group. The 'adduser' program that comes with FreeBSD defaults (I 
believe) to doing this.

If all the above made sense to you (or if some of it didn't, but you figured
it out anyway) would you do me a favour?

Rewrite any bits you don't understand, or think could be made easier to
understand, then get yourself over to doc@freebsd.org and help join in the
FreeBSD Documentation Project. It's fun, free, and you get to do cool things
with SGML. 

OK, perhaps that last one isn't much of an incentive. Either way, if you
could take the time to reword any of the above that needs it, pretty it up
and so on, it'd probably make a good addition to the FreeBSD tutorials.

Hope that's useful.

N
-- 
Work: nik@iii.co.uk                       | FreeBSD + Perl + Apache
Rest: nik@nothing-going-on.demon.co.uk    | Remind me again why we need
Play: nik@freebsd.org                     | Microsoft?
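An added shell example (not part of the post above) that audits a directory set up the way option 2 describes: it checks that the directory is group owned by the web group, group writable and carries the setgid bit, and it flags any file inside that was created with a umask of 022 instead of 002 or that ended up in the wrong group. It checks for the setgid bit (mode 2775, `chmod g+s`) because that is the bit that makes new files inherit the directory's group on non-BSD systems; the group name and path are placeholders you pass in.

```shell
#!/bin/sh
# audit_shared_dir DIR GROUP
# Reports anything that would stop members of GROUP from editing the tree:
#   - DIR not group owned by GROUP, not group writable, or missing setgid
#   - a file inside that is not group writable (creator's umask was 022)
#     or that is not group owned by GROUP
# Prints one line per problem; returns 0 when clean, 1 otherwise.
# Added example, not the list post's commands. Only columns 1 (mode string)
# and 4 (group) of 'ls -ld' are used, which BSD and GNU ls both print.

perm_and_group() {
    # Print "<mode string> <group>" for one path, e.g. "drwxrwsr-x www".
    ls -ld "$1" | awk '{ print $1, $4 }'
}

audit_shared_dir() {
    dir=$1; grp=$2; rc=0
    set -- $(perm_and_group "$dir")
    mode=$1; owner_grp=$2
    if [ "$owner_grp" != "$grp" ]; then
        echo "$dir: group is $owner_grp, expected $grp (fix: chgrp $grp $dir)"; rc=1
    fi
    case $mode in
        ?????w*) ;;                        # 6th char 'w': group writable
        *) echo "$dir: not group writable (fix: chmod g+w $dir)"; rc=1 ;;
    esac
    case $mode in
        ??????[sS]*) ;;                    # 7th char 's'/'S': setgid bit set
        *) echo "$dir: setgid bit missing (fix: chmod g+s $dir)"; rc=1 ;;
    esac
    for f in "$dir"/*; do
        [ -e "$f" ] || continue            # unmatched glob, empty directory
        set -- $(perm_and_group "$f")
        case $1 in
            ?????w*) ;;
            *) echo "$f: not group writable (creator's umask was probably 022)"; rc=1 ;;
        esac
        [ "$2" = "$grp" ] || { echo "$f: group is $2, expected $grp"; rc=1; }
    done
    return $rc
}
```

Run it as `audit_shared_dir /usr/local/www www` after the setup steps; a clean tree prints nothing and exits 0.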
