@christopher-hopper
Last active October 12, 2016 05:16
How to persist file system permissions for web applications.

Persist Filesystem Permissions

The writable files and folders for web applications often require specific user, group and permission masks to persist, even when new files and sub-folders are added by users or the application itself.

For example, permissions might need to be:

File mode

u:rw,g:rw

File owner

g:apache

Configuring Permissions

The setgid bit can be set on a directory so that new files and folders created inside it inherit that directory's group. This can be used to ensure the group apache is set on all new files and folders created.

Access Control Lists (ACLs) can be configured to make all new files and folders writable by the group.

Directory Permissions

The following will make the Web Server log directory /var/log/httpd readable and writable by the user bob and the group apache:

chmod 0775 /var/log/httpd
chown bob:apache /var/log/httpd

Persist Group

The following will make the group persist for newly created files and folders in /var/log/httpd:

chmod g+s /var/log/httpd

File Access Control List (ACL)

The following will force group read/write permissions on newly created files and folders in /var/log/httpd:

setfacl -m u::rwx,g::rwx,o::rx /var/log/httpd
setfacl -d --set u::rwx,g::rwx,o::rx /var/log/httpd

SELinux Policy

Lastly, we need to allow the web server (Apache/Nginx) to write to the log files in /var/log/httpd. This is another document all in itself. Check out this great documentation on generating SELinux policies using the audit2allow command:

Build SELinux Policy Modules - Creating a local policy module

Troubleshooting

Default facls can only be set on filesystems that support ACLs. When mounting a new filesystem you need to specify that you want ACL support. If you are having trouble setting default facls, take a look at the filesystem mounts to ensure that ACL support is turned on.

You can check whether your filesystem has ACL support as part of its default mount options by using the tune2fs command. Assuming you've mounted a disk /dev/xvdf at /opt/data, you would run:

mount | grep /dev/xvdf
/dev/xvdf on /opt/projects type ext4 (rw,_netdev)

grep '/dev/xvdf' /etc/fstab
/dev/xvdf               /opt/data           ext4    defaults,nofail 0 2

The output above shows no acl option enabled. You can check which options are applied by default for /dev/xvdf using the command:

tune2fs -l /dev/xvdf | grep 'mount options'
Default mount options:    (none)

The output above shows that acl is not part of the default mount options for /dev/xvdf. If your filesystem does not have acl as a default mount option, edit the fstab mount options using your favourite text editor (e.g. vi, vim or nano).

vi /etc/fstab

Add acl to the mount options so they look something like this:

/dev/xvdf               /opt/data           ext4    defaults,acl,nofail 0 2

Then remount the disk into the filesystem with the new options.

mount -o remount /opt/data
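The steps from "Directory Permissions" through "File Access Control List (ACL)", plus the fstab check from "Troubleshooting", as one added example script. This is not part of the original gist; it assumes Linux with GNU coreutils stat, treats setfacl as optional, and uses the caller's primary group in place of apache so it can be run without root.

```sh
#!/bin/sh
# Added example, not part of the original gist: apply the model described
# above (0775 + setgid + default ACL) to a directory, then verify that a new
# file and sub-directory really inherit the group and the setgid bit.
# Assumes Linux with GNU coreutils 'stat'; setfacl (acl package) is optional.

# persist_perms DIR [GROUP]: returns 0 when new entries inherit GROUP.
persist_perms() {
    dir=$1
    grp=${2:-$(id -gn)}   # default: caller's primary group (apache in the text)
    mkdir -p "$dir" && chgrp "$grp" "$dir" || return 1
    chmod 0775 "$dir" || return 1   # u=rwx, g=rwx, o=rx
    chmod g+s "$dir" || return 1    # setgid: children take the dir's group
    # Default ACL grants group-write on new files regardless of the umask.
    # Skipped with a warning if setfacl is missing or the filesystem lacks ACLs.
    if command -v setfacl >/dev/null 2>&1; then
        setfacl -d --set u::rwx,g::rwx,o::rx "$dir" 2>/dev/null ||
            echo "warning: default ACL not set on $dir (see Troubleshooting)" >&2
    fi
    sub=$dir/child
    mkdir -p "$sub" && : > "$sub/new.log" || return 1
    # The new file must carry the directory's group ...
    [ "$(stat -c %G "$sub/new.log")" = "$grp" ] || return 1
    # ... and the setgid bit must have propagated to the sub-directory
    # (a 4-digit octal mode whose first digit has bit 2 set: 2, 3, 6 or 7).
    case $(stat -c %a "$sub") in [2367]???) return 0 ;; esac
    return 1
}

# has_group_write PATH: returns 0 when the group has write permission
# (with a working default ACL this holds for new files even under umask 027).
has_group_write() {
    case $(stat -c %a "$1") in *[2367]?) return 0 ;; esac
    return 1
}

# fstab_has_acl "LINE": returns 0 when the fstab line's options field lists acl.
# Note: modern mke2fs stores acl in the superblock defaults, so ext4 may
# support ACLs without it; 'tune2fs -l' (see above) shows that case.
fstab_has_acl() {
    set -- $1                   # split the line into its whitespace-separated fields
    case ",$4," in *,acl,*) return 0 ;; esac
    return 1
}

if [ -n "$PERSIST_DEMO" ]; then   # run as: PERSIST_DEMO=1 sh example.sh
    tmp=$(mktemp -d) && persist_perms "$tmp/logs" && echo "group persists under $tmp/logs"
    fstab_has_acl "/dev/xvdf /opt/data ext4 defaults,nofail 0 2" ||
        echo "constructed fstab line: acl option not present"
fi
```

The fstab line in the demo is a constructed copy of the one shown in Troubleshooting; on a real host, feed the function the output of grep against /etc/fstab.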