Skip to main content

Handling Web Server file permission: The Last Guide


If you have to work with a LAMP stack one of the first things you do is setting up permission for your user and web server so that you can deploy files correctly and securely and also ina. way that the server can read and execute them.

This often becomes a headache quickly when the two user groups require specific permission sets on specific files to work securely.

The most popular solution

Almost every StackOverflow answer and suggested method will involve giving developers the same user group access as the webserver. Most commonly it's access to www-data . This however comes with it's own set of baggage.
  • If you have several web applications running side-by-side on your web server, you'll have to juggle a lot more with groups and sub-groups just to prevent Developer A to be able to see and modify Application B.
  • When a developer creates a file, the file is owned by the developer, and might not be readable (nor writable if needed) properly by the webserver process. It can be mitigated by careful ACL access. But often does become a hassle
I recently found out about another alternate way to handle permissions which works fine and doesn't have any of these drawbacks.

Solution: The bindfs way

This way ensures a developer could read and write files of an application with its own unshared user / group, while allowing the webserver to have it's own and developer-unscrewable permissions on the files of the said application.

With bindfs, developers access applications via dedicated filesystem mountpoints (placed in their home dir), acting as file-permission filters, presenting files like they're owned by themselves, whereas the files are really owned by the web server user (like www-data)

How to use

This assumes the user is "rabimba" and "HTML" is your folder with webserver
# Installing bindfs (just the first time)
rabimba@e2e-55-141 $ apt-get update 
rabimba@e2e-55-141 $ apt-get -y install bindfs
# Creating the application mountpoint
rabimba@e2e-55-141 $ mkdir -p /home/rabimba/www/html 
rabimba@e2e-55-141 $ chown -Rf rabimba:rabimba /home/rabimb/html 
rabimba@e2e-55-141 $ chmod -Rf 770 /home/rabimba/html
Then, edit the content of /etc/fstab and add this line
bindfs#/var/www/html /home/rabimba/www/html fuse force-user=rabimba,force-group=rabimba,create-for-user=www-data,create-for-group=www-data,create-with-perms=0770,chgrp-ignore,chown-ignore,chmod-ignore 0 0
Save the file, and proceed with mounting application
rabimba@e2e-55-141 $ mount /home/rabimba/www/html
 Now your happy developers can just work in the desktop HTML folder and everything will be automatically reflected in the webserver folder with no permission conflict anymore. Since they both are owned actually by different user groups.

Comments

Post a Comment

Popular posts from this blog

FirefoxOS, A keyboard and prediction: Story of my first contribution

Returning to my cubical holding a hot cup of coffee and with a head loaded with frustration and panic over a system codebase that I managed to break with no sufficient time to fix it before the next morning.  This was at IBM, New York where I was interning and working on the TJ Watson project. I returned back to my desk, turned on my dual monitors, started reading some blogs and engaging on Mozilla IRC (a new found and pretty short lived hobby). Just a few days before that, FirefoxOS was launched in India in the form of an Intex phone with a $35 price tag. It was making waves all around, because of its hefty price and poor performance . The OS struggle was showing up in the super low cost hardware. I was personally furious about some of the shortcomings, primarily the keyboard which at that time didn’t support prediction in any language other than English and also did not learn new words. Coincidentally, I came upon Dietrich Ayala in the FirefoxOS IRC channel, who...
Read more

April Fool and Google Part 2: A Round Up of ALL of Google’s April Fools Jokes

Ok....this post I think will contain all of the pranks I could find  for today. After my last post here http://rkrants.blogspot.com/2012/04/april-fool-and-google-my-favorite.html Last Time I reported Only a handful of the pranks.. Understandable, as it was only the morning. After that I stumbled upon more of them Which I am gonna round up here. Now staring with the list. The very first one is obviously our favourite Google Maps Quest The above is their official video. In a post in Google Plus they say about it as follows  Today  + Google Maps  announced Google Maps 8-bit for NES. With #8bitmaps , you can do everything you'd normally do in Maps—search for famous landmarks and sites around the world, get directions and even use Street View. Just in time for April Fool's Day, Google has introduced Google Maps Quest, a retro 8-bit version of its mapping tool that is... totally awesome. In a characteristically whimsical video, availabl...
Post a Comment
Read more

Curious case of Cisco AnyConnect and WSL2

One thing Covid has taught me is the importance of VPN. Also one other thing COVID has taught me while I work from home  is that your Windows Machine can be brilliant  as long as you have WSL2 configured in it. So imagine my dismay when I realized I cannot access my University resources while being inside the University provided VPN client. Both of the institutions I have affiliation with, requires me to use VPN software which messes up WSL2 configuration (which of course I realized at 1:30 AM). Don't get me wrong, I have faced this multiple times last two years (when I was stuck in India), and mostly I have been lazy and bypassed the actual problem by side-stepping with my not-so-noble  alternatives, which mostly include one of the following: Connect to a physical machine exposed to the internet and do an ssh tunnel from there (not so reliable since this is my actual box sitting at lab desk, also not secure enough) Create a poor man's socks proxy in that same box to have...
Post a Comment
Read more