0

Not sure if this is possible, but is there a way to grant the Apache user the same level of permissions (ownership) as root only on specific folder(s)?

Why I need this: We have a CentOS 6.2 server with Apache set up as our development server, and we use only the root user because the server is an internal server and doesn't have any outside access. Every day we upload quite a lot of files and set up new folders, but because we are using the root user the ownership of the files belongs to the root user, and for the apache user to create files (upload images, create log files and create folders) we need to grant 777 permissions.

Of course we can go in and update the ownership of all the files to Apache, but not everyone in the team knows how to do this, so if it were possible to grant the apache user root permissions on the "/var/www/*" folder and what's inside it, that would solve all of the issues.

Jeff Schaller
Alex
  • 2
    Why not look for the solution at the source of the problem? Install with correct permissions (preferably as unprivileged user). (Btw., there is no such thing as "permissions as user X on directory Y". Oversimplified, either you are user X or not. (And please don't run apache as root)) – Jo So Jul 03 '12 at 15:31
  • 2
    Development servers require a sane security baseline just as well as a machine in full production. Start trying to understand how the Linux security model works, it really isn't that difficult and gives you plenty of options to implement your requirements in a sane way. Security must be part of your architecture and design, not something you try to apply afterwards. – jippie Jul 03 '12 at 20:41
  • @jippie I agree with you that working with the correct security model should be the best way, but the development environment that we work in doesn't have that many developers that can and know how to manage the files/permissions correctly. – Alex Jul 04 '12 at 10:44
  • @JoSo I agree with setting up Apache with the correct permissions from the start, but currently we do not have the time to do this. I will probably create a simple script that can be run as a shortcut that would let a user just run a command, put in the project name and the script would run the ownership change on all the files in that project. Thanks for your input guys! – Alex Jul 04 '12 at 10:44
  • 2
    Teach them, it isn't rocket science. As I mentioned before: Security must be part of your architecture and design not something you try to apply afterwards. – jippie Jul 04 '12 at 11:16

1 Answer

2

Sounds like you could use some help from umask. Setting the umask of a folder, etc. will default newly created files to that mode, like 777.

To set a umask of 777 for the apache process (CentOS/RHEL specific instructions):

    echo "umask 777" >> /etc/sysconfig/httpd
    service httpd restart

Tim
  • 1
    Wrong solution to the problem. Why not embrace the security infrastructure of the system? It's that simple. – Jo So Jul 03 '12 at 15:33
  • @JoSo OP did not ask for answers that "embrace the security infrastructure". – Tim Jul 03 '12 at 15:35
  • 1
    If your friend wants to shoot himself because he's desperately in love, what weapon would you recommend? – Jo So Jul 03 '12 at 15:57
  • Don't umask it!!! If you do, apache will not have access to sessions any more. If you do it by accident, just comment/delete the added line in /etc/sysconfig/httpd –  Feb 19 '13 at 09:30
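
As an added illustration (not part of the original question, answer or comments), this shell sketch measures what a umask value does to newly created files and directories, including the `umask 777` setting discussed above, and goes one step beyond the thread by showing a group-writable setgid directory used with `umask 002`. The function names, the temporary directories and the shared-group arrangement are assumptions made for the example; GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: how a process umask shapes the mode of new files/directories.
# All work happens in throwaway mktemp directories; assumes GNU stat (CentOS).

# octal_mode PATH -> four-digit octal mode, e.g. 0664 or 2775
octal_mode() {
    printf '%04o\n' "0$(stat -c '%a' "$1")"
}

# mode_under_umask MASK file|dir -> mode a new file or directory receives
mode_under_umask() {
    work=$(mktemp -d) || return 1
    (
        umask "$1"   # the umask is per process, so it is set in a subshell
        if [ "$2" = dir ]; then mkdir "$work/new"; else : > "$work/new"; fi
    )
    octal_mode "$work/new"
    chmod u+rwx "$work/new"   # a mode-0000 directory must be reopened to delete it
    rm -rf "$work"
}

# shared_tree_modes -> modes of a subdirectory and a file created under
# umask 002 inside a group-writable, setgid directory (stand-in for a docroot
# whose group holds both the developers and the web server user; assumption).
shared_tree_modes() {
    root=$(mktemp -d) || return 1
    chmod 2775 "$root"
    (
        umask 002
        mkdir "$root/project"
        : > "$root/project/upload.png"
    )
    echo "$(octal_mode "$root/project") $(octal_mode "$root/project/upload.png")"
    rm -rf "$root"
}

# The umask removes bits from the mode a program requests; it never adds any.
echo "umask 777: file $(mode_under_umask 777 file), dir $(mode_under_umask 777 dir)"
echo "umask 000: file $(mode_under_umask 000 file), dir $(mode_under_umask 000 dir)"
echo "umask 022: file $(mode_under_umask 022 file), dir $(mode_under_umask 022 dir)"
echo "setgid dir + umask 002: $(shared_tree_modes)"
```

With `umask 777` every new file and directory ends up with mode 0000, which is consistent with the comment above reporting that Apache can no longer use its sessions after that change.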