How to allow easy editing of www-data owned files by a user

How to allow easy editing of www-data owned files by a user

Chris Green
I've been trying to find a good solution to this problem for *years*
but I'm still hitting problems with it.  The current problem is that
syncthing doesn't deal well with directories and files which have
different owners on different systems.

The essential problem is that web files which are manipulated by
apache need to be owned by www-data but I want to be able to edit
these files as well.  In particular I have a wiki where I sometimes
edit the files using the wiki (ownership ends up as www-data) and
sometimes I edit them directly with an editor (ownership ends up as
chris).

Currently I use access control lists (setfacl) to make things so that
both chris and www-data can both manipulate files in the wiki
directory regardless of whether they are owned by chris or www-data
but this isn't a perfect solution as the correct settings don't always
get put on new files.

What I really need is:-

    All the wiki files are owned by 'chris' (the wiki is rooted in my
    home directory and is synchronised across a couple of machines by
    syncthing).

    www-data can read/write/create files in the ~/chris/wiki directory
    but they will always be owned by 'chris'.

Can anyone see a way of implementing this?  ... or any other
reasonable solution?

--
Chris Green

--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users

Re: How to allow easy editing of www-data owned files by a user

Peter Flynn
On 12/05/2017 10:26 AM, Chris Green wrote:
> I've been trying to find a good solution to this problem for *years*
> but I'm still hitting problems with it.  The current problem is that
> syncthing doesn't deal well with directories and files which have
> different owners on different systems.
>
> The essential problem is that web files which are manipulated by
> apache need to be owned by www-data but I want to be able to edit
> these files as well.

This sounds like the setgid bit in the file permissions would be useful.
We use this for web server accounts where the application requires
ownership by the server process (apache aka www-data) to create
subdirectories and files but the site owner needs to be able to do the same.

1. Create the user's login account with useradd or however you do it

2. Create the user's top-level web directory (eg in your existing
/var/www/html or wherever your web server's document root is)

3. For convenience, soft link that directory to ~/web in the user's
login directory (usually something like /home/whatever or
/u/users/whatever) so that the user doesn't need to know where the
document root is

4. If you are moving site files over from another server, unzip or detar
or scp them into this new directory

5. Change the ownership of the new directory and everything in it to the
new user's login account, and the group to the group of the web server
process, eg chown -R xyz:apache newdir

6. Change the setgid bit on the new directory (chmod g+s newdir) and all
subdirectories, eg find newdir -type d -exec chmod g+s {} \;

I'm not sure if this addresses the problem of retaining web server
process ownership of files after editing by the site owner. I think that
may be a function of your editor. I use Emacs, and it seems to honour this.

setgid can be a security risk if the owning process is running with
elevated permissions, but in the scenario described above, all it does
is ensure that any directories created by Apache *or* the site owner
will preserve their owner:group ownership.

///Peter
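Steps 5 and 6 of the procedure above as a script, added here as an example and not taken from Peter's post; it assumes the directory already exists and that the caller is allowed to change its group (root, or a member of that group):

```shell
#!/bin/sh
# Added example, not from Peter's post: steps 5 and 6 of his procedure as
# functions, plus a check that no subdirectory was missed.
set -u

# setup_shared_dir DIR [GROUP]: give DIR and its contents to GROUP (when one
# is named) and set the setgid bit on DIR and every existing subdirectory, so
# anything created inside later belongs to that group, whoever creates it.
setup_shared_dir() {
    dir=$1; group=${2:-}
    [ -d "$dir" ] || return 1
    if [ -n "$group" ]; then
        chgrp -R "$group" "$dir" || return 1   # step 5 (group part); as root use chown -R USER:GROUP
    fi
    # Pre-existing subdirectories do not gain the bit retroactively, hence find.
    chmod g+s "$dir" && find "$dir" -type d -exec chmod g+s {} \;
}

# verify_setgid DIR: succeed only if every directory under DIR has the setgid
# bit (02000); list the offenders on stderr otherwise.
verify_setgid() {
    missing=$(find "$1" -type d ! -perm -2000)
    [ -z "$missing" ] && return 0
    printf 'directories without setgid:\n%s\n' "$missing" >&2
    return 1
}

# path_group PATH: print the group owning PATH (portable: via ls -ld).
path_group() { ls -ld "$1" | awk '{ print $4 }'; }
```

Only the group is inherited this way; a file the web server creates is still owned by the server account, which is the limitation Chris describes in his reply.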


Re: How to allow easy editing of www-data owned files by a user

Chris Green
On Tue, Dec 05, 2017 at 10:05:42PM +0000, Peter Flynn wrote:

> On 12/05/2017 10:26 AM, Chris Green wrote:
> > I've been trying to find a good solution to this problem for *years*
> > but I'm still hitting problems with it.  The current problem is that
> > syncthing doesn't deal well with directories and files which have
> > different owners on different systems.
> >
> > The essential problem is that web files which are manipulated by
> > apache need to be owned by www-data but I want to be able to edit
> > these files as well.
>
> This sounds like the setgid bit in the file permissions would be useful. We
> use this for web server accounts where the application requires ownership by
> the server process (apache aka www-data) to create subdirectories and files
> but the site owner needs to be able to do the same.
>
I did originally set things up this way and it helps but it's not
perfect.  You still end up with files owned by www-data as files get
created by apache2 when using the wiki as a wiki and then the
non-owner can't do *some* things (e.g. change permissions).


I have a directory 'wiki' in my home directory which is the root of
the whole DokuWiki installation.  There is a link from /srv to
/home/chris/wiki so that apache2 serves the wiki on the web.

Much of the time I edit the wiki files directly by going into ~/wiki
and editing the relevant file - DokuWiki uses ordinary text files with
a simple mark up so this is very easy to do and the files are quite
readable as text.  Thus most of the time files are owned by 'chris'.

Sometimes though I edit files through the wiki (e.g. if I'm doing it
from someone else's computer, or if it's a very small change) and in
this case some files will get created with www-data ownership.

I run syncthing to synchronise the wiki between my desktop, my laptop
and a virtual server on Gandi hosting.

It was a recent problem with syncthing that made me think I had a
problem with chris/www-data ownership conflicting but having now
cleared that (fairly minor) problem I don't think it was actually
caused by mixed ownership.

My current solution to the mixed ownership issue which does seem to
actually work, uses ACLs.  What you do is set permissions as
follows:-

    cd /home/chris
    #
    #
    # Set so users chris and www-data can do anything everywhere
    #
    setfacl -R -m u:chris:rwx wiki
    setfacl -R -m u:www-data:rwx wiki
    #
    #
    # Set so new files and directories have the same permissions
    #
    setfacl -R -d -m u:chris:rwx wiki
    setfacl -R -d -m u:www-data:rwx wiki

As I say I thought this *wasn't* working, hence my original question,
but I now think that it is actually working OK and that the syncthing
problem was caused by something else (probably changes on two systems
done close together timewise).

--
Chris Green
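The ACL layout above as an added example (not Chris's own script): it applies the entries for any list of accounts and then audits the tree for the case raised in the first post, files that did not end up with the expected rights. The audit looks at effective rights, because a named entry is capped by the mask and the mask is re-derived from the group bits whenever a program sets an explicit mode (mkdir -m 755, chmod 644), so an inherited u:www-data:rwx can be effective r--. Assumes GNU setfacl/getfacl and a filesystem with POSIX ACL support.

```shell
#!/bin/sh
# Added example, not from the original post: apply the post's ACL layout to a
# tree for any number of accounts, then audit it.  The audit reports every
# directory lacking a default entry and every path an account cannot write,
# judged by *effective* rights (named entry capped by the mask).
set -u

# apply_shared_acl DIR USER...: access ACLs on everything that exists now and
# default ACLs on directories so that new objects inherit them (as in the post).
apply_shared_acl() {
    dir=$1; shift
    for u in "$@"; do
        setfacl -R -m "u:$u:rwx" "$dir" || return 1
        setfacl -R -d -m "u:$u:rwx" "$dir" || return 1
    done
}

# eff_perms PATH USER: the effective rwx triplet USER gets on PATH, "---" if no
# entry applies.  The owner is judged by the user:: entry, everyone else by the
# named entry, reduced to the "#effective:" value getfacl appends when masked.
eff_perms() {
    perm=$(getfacl -p "$1" 2>/dev/null | awk -v u="$2" '
        /^# owner: / { owner = $3; next }
        /^#/ || /^default:/ { next }
        { split($1, a, ":"); perm = a[3]
          for (i = 2; i <= NF; i++) if ($i ~ /^#effective:/) perm = substr($i, 12)
          if (a[1] == "user" && (a[2] == u || (a[2] == "" && u == owner))) { print perm; exit } }')
    printf '%s\n' "${perm:-"---"}"
}

# audit_shared_acl DIR USER...: print one line per problem (nothing when the
# tree is consistent); count them with `audit_shared_acl ... | wc -l`.
audit_shared_acl() {
    dir=$1; shift
    for u in "$@"; do
        find "$dir" -type d -print | while IFS= read -r p; do
            getfacl -p "$p" 2>/dev/null | grep -q "^default:user:$u:" ||
                printf 'no default ACL for %s: %s\n' "$u" "$p"
            case "$(eff_perms "$p" "$u")" in *w*) ;; *) printf '%s cannot create in: %s\n' "$u" "$p" ;; esac
        done
        find "$dir" -type f -print | while IFS= read -r p; do
            case "$(eff_perms "$p" "$u")" in *w*) ;; *) printf '%s cannot write: %s\n' "$u" "$p" ;; esac
        done
    done
}
```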


Re: How to allow easy editing of www-data owned files by a user

Xen
In reply to this post by Chris Green
On Tue, 5 Dec 2017, Chris Green wrote:

>    All the wiki files are owned by 'chris' (the wiki is rooted in my
>    home directory and is synchronised across a couple of machines by
>    syncthing).
>
>    www-data can read/write/create files in the ~/chris/wiki directory
>    but they will always be owned by 'chris'.

I am really happy to see you post this because I have the exact same use
case.

> Can anyone see a way of implementing this?  ... or any other
> reasonable solution?

I haven't read the other replies yet but your user becomes part of
www-data and all of the files get www-data as group.

Your wiki needs to create all files as g+w.

It can't create them as chris, but you will need to run a service that
will chown them to your user.

I really have a script somewhere that doesn't work very well atm that
creates automatic reports by mail on what it has changed as well.

So it's not usable now, but a simple cron job,

that will run chown -R chris.www-data ~/wiki/ (basically) will of course
do the trick.

You will just be running this script every 10 minutes :-/.

More sophisticated will do:

   # owner OR group wrong (find's test is -user, and the two tests must be or'ed)
   find ~/wiki \( ! -user chris -o ! -group www-data \) -exec chown chris:www-data "{}" ";"

or something similar...

and

   find ~/wiki -type d ! -perm 0771 -exec chmod 771 "{}" ";"
   find ~/wiki -type f ! -perm 0660 -exec chmod 660 "{}" ";"

not sure if find syntax is correct.
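Xen's cron-job idea with the report he mentions, as an added example rather than his own script; it assumes the modes from his find lines (directories 0771 so the group can create files, files 0660) and, for the chown part, that it is run as root:

```shell
#!/bin/sh
# Added example, not Xen's script: the periodic repair he describes, printing
# one line per path that deviates.  Without a 4th argument it only reports
# (dry run), which is what to run from cron first; with "apply" it also fixes.
# Exact-mode tests also reset special bits, so if the tree relies on Peter's
# setgid directories use 2771 here instead of 0771.
set -u

# normalise_tree DIR OWNER GROUP [apply]
normalise_tree() {
    dir=$1; owner=$2; group=$3; apply=${4:-}
    # owner OR group wrong (the two tests must be or'ed, not and'ed)
    find "$dir" \( ! -user "$owner" -o ! -group "$group" \) -print |
    while IFS= read -r p; do
        printf 'ownership %s\n' "$p"
        if [ "$apply" = apply ]; then chown "$owner:$group" "$p"; fi
    done
    find "$dir" -type d ! -perm 0771 -print |
    while IFS= read -r p; do
        printf 'dirmode %s\n' "$p"
        if [ "$apply" = apply ]; then chmod 0771 "$p"; fi
    done
    find "$dir" -type f ! -perm 0660 -print |
    while IFS= read -r p; do
        printf 'filemode %s\n' "$p"
        if [ "$apply" = apply ]; then chmod 0660 "$p"; fi
    done
}
```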


Re: How to allow easy editing of www-data owned files by a user

Xen
In reply to this post by Chris Green
On Wed, 6 Dec 2017, Chris Green wrote:

> I have a directory 'wiki' in my home directory which is the root of
> the whole DokuWiki installation.  There is a link from /srv to
> /home/chris/wiki so that apache2 serves the wiki on the web.

Also dokuwiki user :p.

>    # Set so users chris and www-data can do anything everywhere
>    #
>    setfacl -R -m u:chris:rwx wiki
>    setfacl -R -m u:www-data:rwx wiki
>    #
>    #
>    # Set so new files and directories have the same permissions
>    #
>    setfacl -R -d -m u:chris:rwx wiki
>    setfacl -R -d -m u:www-data:rwx wiki

So you keep mixed ownership but full permissions for everyone and the mods
are auto.

So you don't need any chmod script but you could still do a find & chown,

But did you know that in the past, user homes were always created g+s?

You can find traces of it in /etc/default/skel or similar.

This thing really needs a better default solution though, I mean something
well-developed.

The use case is pretty universal and trying to solve all of the
applications would be undoable.
