You may have noticed that the permissions on files and directories have three categories: "owner", "group", and "everyone" (also called "other"). These correspond to the three digits you set with chmod, such as "750", which lets the owner do anything, lets users in the group read and execute (or, for a directory, list and enter) the file but not change it, and gives everyone else no access at all. Groups are a nice way of giving certain users limited access to your files without giving everyone that same access. This is particularly relevant in the world of shared hosting: you need the Apache process (which runs as www-data on Debian/Ubuntu) to be able to read your files, but you don't want to give that access to anyone else on the machine.
Add A User To A Group
sudo usermod -a -G [group] [user]
# alternative method
sudo adduser [user] [group]
For example, you usually want to allow www-data to access your files, so add www-data to your group (not the other way around). If you were to add users to the www-data group instead, then all of those users would have group access to each other's files! Note that the -a flag matters: usermod -G without -a replaces the user's supplementary groups rather than appending to them. Group membership only takes effect on the next login, so for www-data you will need to restart Apache before it sees the new group.
Incidentally, the permission level you probably want for your files on a webserver is 640 (750 for directories, which need execute to be entered), which gives the owner read/write access, the group read only, and everyone else no access. The default permission level when creating files on Ubuntu is 664 (from the default umask of 002), which gives everyone the ability to read your files! If you're lazy (like me), you can use the following command (but don't use it if you don't want to give execute access, especially if you have an upload directory).
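The following script is an added example, not code from the original post, that applies the 640/750 scheme above to a web root without making every file executable, sets a umask so newly created files start out that way, and audits for anything still reachable by "other". The directory layout and sample files are constructed for the demo; mode_of uses GNU stat, so on BSD/macOS replace it with stat -f '%Lp'.

```shell
#!/bin/sh
# Added example (not from the original post): lock a web root down to
# 640 for files / 750 for directories, show how umask controls the mode
# of new files, and audit for anything "other" can still touch.

# Print the octal mode of a path (GNU stat; on BSD/macOS use stat -f '%Lp').
mode_of() {
    stat -c '%a' "$1"
}

# Files 640 (owner rw, group r), directories 750 (group needs x to traverse).
# Two find passes instead of "chmod -R 750" so ordinary files, including
# anything in an upload directory, never gain the execute bit.
harden_webroot() {
    find "$1" -type d -exec chmod 750 {} +
    find "$1" -type f -exec chmod 640 {} +
}

# List anything under $1 that "other" can read, write or execute
# (-perm /007 matches if any of the low three bits is set).
# Output is empty when the tree is fully locked down.
audit_other_access() {
    find "$1" -perm /007
}

# Create an empty file under a 027 umask: 666 & ~027 = 640 for files,
# 777 & ~027 = 750 for directories. Put "umask 027" in your shell profile
# to get this for every new file; the subshell keeps the change local here.
create_private_file() {
    ( umask 027 && : > "$1" )
}

# --- demo on a throwaway tree (constructed sample data) ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/public_html/uploads"
printf '<?php echo "hi";\n' > "$demo_dir/public_html/index.php"
printf 'blob\n' > "$demo_dir/public_html/uploads/avatar.png"
chmod 777 "$demo_dir/public_html/uploads/avatar.png"   # the bad case: world-writable upload

echo "Before hardening, reachable by other:"
audit_other_access "$demo_dir/public_html"

harden_webroot "$demo_dir/public_html"

echo "After hardening, reachable by other:"
audit_other_access "$demo_dir/public_html"    # prints nothing

create_private_file "$demo_dir/public_html/new.conf"
echo "new.conf mode: $(mode_of "$demo_dir/public_html/new.conf")"   # 640
```

Run audit_other_access on your real document root before and after; the "before" list is exactly what any other account on a shared host could read. The chmod in harden_webroot only covers existing files, which is why the umask step matters for files your editor or deploy script creates later.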
Permission Lookup Table
7 = rwx - read/write/execute
6 = rw- - read/write
5 = r-x - read/execute
4 = r-- - read
3 = -wx - write/execute
2 = -w- - write
1 = --x - execute
0 = --- - no access
Remove Public (Other) Permissions
The following snippet configures all files within the specified directory (and the directory itself) so that users who are neither the owner nor in the group have no permission to do anything. It only strips the "other" bits; owner and group permissions are left exactly as they were.
chmod -R o-rwx [directory here]
Remove user from Group
sudo deluser [user] [group]