Linux – Prevent changing ownership of a file

chmodchownlinuxownerpermissions

I have file with 777 permission. How can I prevent changing ownership of that file by others? ie I need to prevent chown x:y myfile

myfile is actually a log file written from web. it's ownership is www-data.

Best Answer

Only root can change ownership of the file, so you don't have to worry about that.

You do however have to worry about the permissions. A logfile shouldn't be world writable. You don't want everybody to write the file in arbitrary ways. You only want them to append to the file. You cannot do that with conventional unix permissions, but you have other options.

You may be able to achieve this with ACLs. Otherwise this question has information about making a file append-only for everyone and not just others.

An even better approach may be to do your logging through syslog.

Related Solutions

Apache “No Permission” – 403 forbidden

A number of things could be going wrong.

First thing is to look in your error log (maybe in /var/log/apache2/error_log) and look for the Apache reason for failing to serve this location.

Next is to check your directory permissions up to your document root. E.g. if your document root is in /var/www/htdocs then you need to ensure the Apache user has +x permissions on the directories /, /var, /var/www, and /var/www/htdocs.

Test whether you can access these directories yourself:


su www-data
ls /
ls /var
ls /var/www
ls /var/www/htdocs
exit

Are you sure www-data is the right user? Try typing ps uax and look for the user the Apache process is running as.

Otherwise it could be Apache deciding not to serve the files for some other reason.

Linux – How to Set Up Permissions for the WWW Folder

After more research it seems like another (possibly better way) to answer this would be to setup the www folder like so.

sudo usermod -a -G developer user1 (add each user to developer group)
sudo chgrp -R developer /var/www/site.com/ so that developers can work in there
sudo chmod -R 2774 /var/www/site.com/ so that only developers can create/edit files (other/world can read)
sudo chgrp -R www-data /var/www/site.com/uploads so that www-data (apache/nginx) can create uploads.

Since git runs as whatever user is calling it, then as long as the user is in the "developer" group they should be able to create folders, edit PHP files, and manage the git repository.

Note: In step (3): '2' in 2774 means to 'set Group ID' for the directory. This causes new files and sub directories created within it to inherit the group ID of the parent directory (instead of the primary group of the user) Reference: http://en.wikipedia.org/wiki/Setuid#setuid_and_setgid_on_directories

Best Answer

Related Solutions

Apache “No Permission” – 403 forbidden

Linux – How to Set Up Permissions for the WWW Folder

Related Topic