The writable files and folders for web applications often require specific user, group and permission masks to persist, even when new files and sub-folders are added by users or the application itself.
For example, permissions might need to be:
File mode:  u:rw,g:rw
File owner: g:apache
The setgid (SGID) bit can be set on a directory to force new files and sub-folders created inside it to inherit that directory's group. This can be used to ensure the group apache is set on all new files and folders created.
Access Control Lists (ACLs) can be configured so that all new files and folders are writable by the group.
The following will make the web server log directory /var/log/httpd owned by the user bob and the group apache, with read/write/execute for both:
chmod 0775 /var/log/httpd
chown bob:apache /var/log/httpd
The following will make the group persist for newly created files and folders in /var/log/httpd:
chmod g+s /var/log/httpd
The following sets the base ACL on /var/log/httpd and then a default ACL, so that newly created files and folders in /var/log/httpd get group read/write permissions:
setfacl -m u::rwx,g::rwx,o::rx /var/log/httpd
setfacl -d --set u::rwx,g::rwx,o::rx /var/log/httpd
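To check that a directory actually carries the two settings above, here is a small audit script added to these notes (it is not one of the commands from the page). It reads the setgid bit with os.stat, decodes the default ACL from the system.posix_acl_default extended attribute (assuming the Linux POSIX ACL xattr layout, version 2), and works out the mode a newly created file would get; the sample ACL bytes at the bottom are constructed to match the setfacl -d line above.

```python
import os
import stat
import struct

# Entry tags from the Linux POSIX ACL xattr format (version 2), assumed here.
ACL_USER_OBJ, ACL_GROUP_OBJ, ACL_MASK, ACL_OTHER = 0x01, 0x04, 0x10, 0x20
XATTR_DEFAULT = "system.posix_acl_default"


def parse_acl_xattr(blob):
    """Decode the raw xattr: a 4-byte version header, then 8-byte entries."""
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != 2:
        raise ValueError("unsupported ACL xattr version %d" % version)
    # Each entry is little-endian: u16 tag, u16 perm bits (rwx), u32 id.
    return [struct.unpack_from("<HHI", blob, off) for off in range(4, len(blob), 8)]


def default_acl_mode(entries):
    """Collapse u::, g::, o:: (and a mask, if present) into an octal mode."""
    perms = {ACL_USER_OBJ: 0, ACL_GROUP_OBJ: 0, ACL_OTHER: 0}
    mask = None
    for tag, perm, _ in entries:
        if tag in perms:
            perms[tag] = perm
        elif tag == ACL_MASK:
            mask = perm
    group = perms[ACL_GROUP_OBJ] if mask is None else perms[ACL_GROUP_OBJ] & mask
    return (perms[ACL_USER_OBJ] << 6) | (group << 3) | perms[ACL_OTHER]


def new_file_mode(requested, acl_mode=None, umask=0o022):
    """With a default ACL the umask is skipped and the requested mode is ANDed
    with the ACL's u::/g::/o:: bits; without one, the umask applies as usual."""
    if acl_mode is None:
        return requested & ~umask
    return requested & acl_mode


def audit_dir(path):
    """Report setgid, the decoded default ACL mode, and whether a file created
    with the usual 0666 request would be group read/write."""
    setgid = bool(os.stat(path).st_mode & stat.S_ISGID)
    try:
        acl_mode = default_acl_mode(parse_acl_xattr(os.getxattr(path, XATTR_DEFAULT)))
    except (OSError, AttributeError):  # no default ACL, or not a Linux host
        acl_mode = None
    mode = new_file_mode(0o666, acl_mode)
    return {"setgid": setgid, "default_acl": acl_mode, "group_rw": mode & 0o060 == 0o060}


# Constructed sample: the xattr bytes for "u::rwx,g::rwx,o::rx" (ids are -1).
SAMPLE_DEFAULT_ACL = bytes.fromhex("02000000" "01000700ffffffff" "04000700ffffffff" "20000500ffffffff")
```

Running audit_dir against /var/log/httpd after the commands above should report setgid True, default_acl 0o775 and group_rw True.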
Lastly, we need to allow the web server (Apache/Nginx) to write to the log file in /var/log/httpd. This is another document all in itself. Check out this great documentation on generating SELinux policies using the audit2allow command:
Build SELinux Policy Modules - Creating a local policy module
Default ACLs (set with setfacl -d) can only be set on filesystems that support ACLs. When mounting a new filesystem you need to specify that you want ACL support. If you are having trouble setting default ACLs, take a look at the filesystem mounts to ensure that ACL support is turned on.
You can check if your filesystem supports ACLs as part of the default mount options by using the tune2fs command. Assuming you've mounted a disk /dev/xvdf into /opt/data you would run:
mount | grep /dev/xvdf
/dev/xvdf on /opt/projects type ext4 (rw,_netdev)
grep '/dev/xvdf' /etc/fstab
/dev/xvdf /opt/data ext4 defaults,nofail 0 2
The above output shows no ACL support enabled. You can check what options are part of the 'defaults' for /dev/xvdf using the command:
tune2fs -l /dev/xvdf | grep 'mount options'
Default mount options: (none)
The output above shows that acl is not part of the Default mount options for /dev/xvdf. If your filesystem does not have ACL as a default mount option, edit the fstab mount options using your favourite text editor (e.g. vi, vim or nano).
vi /etc/fstab
Add acl to the mount options so they look something like this:
/dev/xvdf /opt/data ext4 defaults,acl,nofail 0 2
Then remount the filesystem with the new options.
mount -o remount /opt/data