Linux – Correct Permissions for WWW Data

Tags: file-permissions, linux, Ubuntu, web

I keep coming back to perfect web-based permissions; I've done it a few ways. This post isn't so much complex as a little long, since I wanted to provide some samples.

I've searched far and wide but I am wondering if there is a de-facto standard. Thank you for your time.

Q: Can anyone please advise me on the best approach according to the basic Permission Goals below?

  • Permission Goal:
    • Prevent 0777 mode
    • Default group www-data is sticky
    • Default user as myself is sticky (If possible, I don't think a default exists in setfacl)
  • Cliff Notes
    • Using: Ubuntu 16.04 and 16.10 (Desktop Versions at the Moment)

$ chmod g+rws

I have set this before; I do wonder why this highlights my files in an orange color, which concerns me. The goal was to keep current and new files as www-data.

sudo chgrp -R www-data /var/www
sudo chmod -R g+rws /var/www  # <-- s or S?

The above works for the most part but I have read it's bad to use, why? So I tried setfacl.

$ setfacl

Here I use setfacl; the problem is that it makes all current files +x for the user, which I don't want.

# For Current Files | User/Group
sudo setfacl -Rm u:myself:rwx /var/www
sudo setfacl -Rm g:www-data:rwx /var/www

# For Future Files | User/Group (default ACL: -d goes before -m, because -m takes the ACL as its argument)
sudo setfacl -Rdm u:myself:rwx /var/www
sudo setfacl -Rdm g:www-data:rwx /var/www

.bashrc setfacl files/dirs separately

So a crazy idea I had was to make a .bashrc function. It's not fully correct yet, but you get the idea.

# CREATE must be set to the target directory (e.g. CREATE=/var/www) before calling either function
function facl_file() {
    echo "(+) Set ACL for $USER:www-data rw [Files Only, Persist]"

    # Files cannot have defaults -d permissions
    while IFS= read -r -d $'\0' file; do
        echo "  Setting $file"
        # Default Mode: RW
        mode="rw"

        # If Executable, Add RWX
        if [[ -x "$file" ]]; then
            mode="rwx"
        fi
        sudo setfacl  -m "u:$USER:$mode" "$file"
        sudo setfacl  -m "g:www-data:$mode" "$file"
    done < <(find "$CREATE" -type f -print0)
    echo "(+) Done with Files"
}

function facl_dir() {
    echo "(+) Set ACL for $USER:www-data rwx [Directories Only, Persist]"
    while IFS= read -r -d $'\0' dir; do
        echo "  Setting $dir"
        sudo setfacl  -m "u:$USER:rwx" "$dir"
        sudo setfacl -dm "u:$USER:rwx" "$dir"
        sudo setfacl  -m "g:www-data:rwx" "$dir"
        sudo setfacl -dm "g:www-data:rwx" "$dir"
    done < <(find "$CREATE" -type d -print0)
    echo "(+) Done with Directories"
}

The goal of the above was to prevent directories from losing the +x, and to prevent files that were not +x from becoming so.

Any advice would be appreciated if I am going the wrong way about this. I can't seem to find a good "Sticky Standard" that feels right.

Best Answer

I didn't realize this post was still here, so I would answer my own Q. Try using X instead of x. I would do it with a test folder first:

cd ~; mkdir test; touch test/{default,run.sh}; chmod +x test/run.sh

# Ensure this fellow is in here!
sudo usermod -aG www-data "$USER"

sudo setfacl -R -m g:www-data:rwX ~/test
sudo setfacl -Rd -m g:www-data:rwX ~/test
sudo getfacl ~/test

This will keep the folder x and run.sh x -- the only change visible is the + at the end, as in: -rwxrwxr-x+ - it just means it has an additional facl set.

Hope this helps.
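As an added worked example (not code from the question or the answer), here is the setgid + capital-X variant of the first approach in the question, which answers the "s or S?" comment: setgid goes on directories only, and X gives execute to directories and already-executable files but not to data files. It assumes bash with GNU find/chmod, that you own the tree (so no sudo), and a group name passed in (www-data on a real server); share_tree, make_sample and check_tree are my own names.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Assumptions: bash, GNU find/chmod,
# caller owns the tree and is a member of the target group.
set -eu

# Group-share a web tree: group ownership, g+rwX, setgid on directories only.
share_tree() {
    local dir="$1" grp="$2"
    chgrp -R "$grp" "$dir"
    # X: directories and files that already carry an execute bit get g+x;
    # plain data files stay non-executable (unlike a blanket g+rwx).
    chmod -R g+rwX "$dir"
    # setgid belongs on directories, so new files inherit the group. On a
    # data file it does nothing useful and shows up as the capital S.
    find "$dir" -type d -exec chmod g+s {} +
    # Strip any setgid bits a previous "chmod -R g+rws" left on files.
    find "$dir" -type f -perm -g+s -exec chmod g-s {} +
}

# Constructed sample tree: one data file, one script, one directory.
# Prints the temp root so callers can inspect and clean it up.
make_sample() {
    local root
    root="$(mktemp -d)"
    mkdir "$root/htdocs"
    printf 'hello\n' > "$root/htdocs/index.html"
    printf '#!/bin/sh\necho run\n' > "$root/htdocs/run.sh"
    chmod 755 "$root/htdocs/run.sh"
    # Simulate the leftover setgid bit from "chmod -R g+rws" on a data file.
    chmod g+s "$root/htdocs/index.html"
    printf '%s\n' "$root"
}

# Returns 0 when the tree is right: directory is x and setgid, data file is
# neither executable nor setgid, and the script is still executable.
check_tree() {
    local root="$1"
    [ -x "$root/htdocs" ] && [ -g "$root/htdocs" ] || return 1
    [ ! -x "$root/htdocs/index.html" ] && [ ! -g "$root/htdocs/index.html" ] || return 1
    [ -x "$root/htdocs/run.sh" ] || return 1
    return 0
}
```

The same rwX spelling is what the answer uses with setfacl, so the check above applies to either approach.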