
@AntoineLemaire
Last active July 19, 2020 06:54

from https://github.com/foobar167/articles/blob/master/Ubuntu/07_Website_software.md/#allow-write

Prepare the webmasters group:

# Check that the 'webmasters' group doesn't exist yet
cat /etc/group | grep webmasters
# Create 'webmasters' group
sudo addgroup webmasters
# Add users to 'webmasters' group
sudo usermod -a -G webmasters username
sudo usermod -a -G webmasters malyshevvalery

# Group assignment changes won't take effect
# until the users log out and back in.

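Give the webmasters group write permission to the following directories (read-only for /etc/letsencrypt). Units in /etc/systemd/system run as root by default, so membership in this group is effectively root-equivalent: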

# /etc/systemd/system — to start services automatically
# /etc/nginx — for Nginx
# /etc/letsencrypt — for Certbot

# List ACLs
getfacl /etc/nginx/
getfacl /etc/systemd/system
getfacl /etc/letsencrypt

    getfacl: Removing leading '/' from absolute path names
    # file: etc/systemd/system
    # owner: root
    # group: root
    user::rwx
    group::r-x
    other::r-x

# Add 'webmasters' group to an ACL
sudo setfacl -R -m g:webmasters:rwx /etc/nginx
sudo setfacl -R -m g:webmasters:rwx /etc/systemd/system
sudo setfacl -R -m g:webmasters:rx /etc/letsencrypt

# Check
getfacl /etc/nginx
getfacl /etc/systemd/system
getfacl /etc/letsencrypt

    getfacl: Removing leading '/' from absolute path names
    # file: etc/systemd/system
    # owner: root
    # group: root
    user::rwx
    group::r-x
    group:webmasters:rwx
    mask::rwx
    other::r-x

sudo -u username touch /etc/systemd/system/test.txt  # should work
sudo -u username touch /etc/systemd/test.txt  # Permission denied
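
Added example (not part of the original gist): setfacl -R -m only changes the access ACL of files that already exist, and the mask entry can silently cut a named group's rights, so the "Check" step above is worth automating. The helper names acl_effective and acl_has_default and both sample outputs are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit `getfacl` output for one named group.

# Constructed sample 1: the post-setfacl output shown on this page.
SAMPLE_PAGE='# file: etc/systemd/system
# owner: root
# group: root
user::rwx
group::r-x
group:webmasters:rwx
mask::rwx
other::r-x'

# Constructed sample 2: a directory after `chmod g-w` narrowed the mask,
# with a default ACL (setfacl -d) so new files inherit the group entry.
SAMPLE_MASKED='# file: etc/nginx/conf.d
# owner: root
# group: root
user::rwx
group::r-x
group:webmasters:rwx    #effective:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:webmasters:rwx
default:mask::rwx
default:other::r-x'

# Print the group's effective permissions (named entry AND mask) from the
# getfacl output on stdin, or "none" when there is no access entry for it.
acl_effective() {
  awk -F: -v grp="$1" '
    /^#/ || /^default:/ { next }   # skip header comments and default entries
    { sub(/[ \t]*#.*/, "") }       # drop trailing "#effective:..." notes
    $1 == "group" && $2 == grp { entry = $3 }
    $1 == "mask" { mask = $3 }
    END {
      if (entry == "") { print "none"; exit }
      if (mask == "") mask = "rwx" # no mask entry means nothing is filtered
      for (i = 1; i <= 3; i++) {
        e = substr(entry, i, 1)
        c = (e != "-" && e == substr(mask, i, 1)) ? e : "-"
        out = out c
      }
      print out
    }'
}

# Succeed if stdin carries a default (inheritable) entry for the group.
acl_has_default() { grep -q "^default:group:$1:"; }
```

On a live system, pipe real output in, for example: getfacl /etc/nginx | acl_effective webmasters. A directory for which acl_has_default fails will not pass the group entry on to files created in it later.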

Give read permission to the files in the directory /var/log/nginx.

# The directory `/var/log/nginx` itself is already readable,
# but the files in it are owned by `www-data` with group `adm` and are not world-readable.
ls -hal /var/log/nginx
    total 560K
    drwxr-xr-x  2 root     adm    4.0K Aug  7 00:12 .
    drwxrwxr-x 14 root     syslog 4.0K Aug  7 00:12 ..
    -rw-r-----  1 www-data adm    122K Aug  7 10:15 access.log
    -rw-r-----  1 www-data adm     26K Aug  5 23:58 access.log.2.gz
    -rw-r-----  1 www-data adm     12K Aug  7 10:09 error.log
    -rw-r-----  1 www-data adm     808 Aug  5 10:32 error.log.2.gz

# So add the users to the `adm` group so they can read the files in `/var/log/nginx`.
cat /etc/group | grep adm
sudo usermod -a -G adm username
sudo usermod -a -G adm malyshevvalery
cat /etc/group | grep adm