Add webserver "apache" user to other groups

v6

#1

Hi,
To write in a folder and make file upload possible, I have to add the “apache” user to the group that owns another shared folder, admin:utentilocali.
I tried to execute the command: # usermod -a -G utentilocali apache
but it didn’t have any effect…
groups apache still shows apache:apache…

What do I have to do to make the webserver upload to a shared folder (…/ibay/sharedfolder…/ )?


(Davide Principi) #2

Hi @technet, you can manage write permissions as explained here:

http://docs.nethserver.org/en/latest/shared_folder.html#configuring-a-web-application


#3

It is a symlink to follow and write in…
In the .htwritable, do I have to insert the full path of the subdirectory or the relative one?
Can the apache user write on another shared folder?

I have to write (upload files) in a shared folder that is shared by samba.


(Davide Principi) #4

relative

I don’t know. Try to configure both shared folders with .htwritable and let us know how it goes :wink:


#5

No, .htwritable in both directories doesn’t work…

It was so simple on a Debian server!.. I added the user www-data (apache webserver owner) to the group owner of the shared directory and everything worked…
Why on NethServer / CentOS can’t I add the apache user to another (secondary) group? damn :frowning:


(Davide Principi) #6

what happens?

We can’t assume this is correct in any situation, but I’ll keep it in mind…


#7

The apache user is unable to follow the symlink and write on it.
The symlink (inserted in the application directory) leads to …/ibay/another shared folder/


#8

So… I can’t add a secondary group to the apache user?


(Davide Principi) #9

If the secondary group is in LDAP, you should use libuser utilities.

usermod -a -G utentilocali apache

usermod changes /etc/groups, which is not LDAP. Please, try with lgroupmod.

Edit: the group member list is overwritten by server manager, during group-modify event


#10

So… is it possible or not to assign a secondary group to a user?
I use ssh to change the group of the apache user.

I’ve tried, but the apache user seems fixed to only the apache group.

To summarize, and for others who want to test the situation:
Nethserver 6.5
I have a shared folder: /var/lib/nethserver/ibay/cartellaCondivisa
The owner is “admin”, group: “utentilocali” (default from creation from the web interface)
I have a second shared folder set to be the root of the apache webserver: /var/lib/nethserver/ibay/cartellaApplicazione
The owner is “admin”, group: “utentilocali”

I’ve created a symbolic link in the root folder:
:# ln -s /var/lib/nethserver/ibay/cartellaCondivisa /var/lib/nethserver/ibay/cartellaApplicazione/condivisaLink

The webserver (php/apache) is unable to read and write the symbolic link.

How can I make the webserver able to read and write the symbolic link?


#11

Perhaps I’ve found why, also in NethServer 6.7 with the .htwritable file (invention of the NethServer dev team?) configured, the symlinks are not signed to be writable:

.htwritable files are for using the automation from the NethServer panel.
But I don’t understand why manually configuring (via ssh) the group of a user doesn’t work… it should be the same thing… or not?


(Stéphane de Labrusse) #12

A dirty quick answer is to let apache be the owner of the shared folder; the scripts of NS just reset the group, never the owner.

@davidep is concerned about the apache user restrictions, but in some cases (for WebDAV, for example) we cannot do it without this user.
Moreover, the .htwritable is hard to use since you need to write it manually on the server, and it can probably be modified through samba access… a GUI would be welcome… but even with that you must know and understand which folders must have write permission.

As far as I am concerned (Mod Dav), I need full write permission to the root folder of the Ibay; eventually I would love an option for that -> (*), else I need to set apache as the owner of the shared folder.

Of course, if another obvious way exists, please shout.


#13

If apache is the owner of the ibay shared folder you cannot use it by samba… or not?
For maximum comfort I use samba access (on the office LAN) to update the application (updates are very frequent, every two or three days).

On another server I achieved this target by inserting the apache user in the group owner of the directory… a very simple thing.

@stephdl
So you are suggesting to set apache as the owner of the ibay shared folder… but to use it by samba access I have to insert a samba user in the apache user group…


(Stéphane de Labrusse) #14

I’m working on a module or a core feature concerning WebDAV, which will be another way to update files.

Yes, that is another way to do it. I will look into it to see if I can use it with an event, but it is not so evident how to get it working.

I recall that it works; I will try again to verify it.


(Stéphane de Labrusse) #15

Obviously you don’t need to do the same tests as me, especially on a production server, but when I change the owner to apache, I can still write in the folder afterwards with samba.

All files and folders keep the same ownership (apache/Samba_Owner_Group)

```
# ll -R /var/lib/nethserver/ibay/
/var/lib/nethserver/ibay/:
drwxrwsr-x+ 8 apache yuyu 4096 Dec 27 08:42 tutu

/var/lib/nethserver/ibay/tutu:
drwxrwsr-x+ 2 apache yuyu 4096 Dec 27 08:42 sambacreation
/var/lib/nethserver/ibay/tutu/sambacreation:
total 4
-rw-rw-r--+ 1 apache yuyu 0 Jan 28  2015 Nouveau NewFile
```

I noticed something interesting, probably a bug: a user created before the installation of nethserver-samba cannot reach a samba share, even if you go to the panel to allow this user access to the samba shares after the samba installation… I needed to create a new user and set a password for him.


Old user cannot access samba shares
(Stéphane de Labrusse) #16

@Technet How did you achieve that ?


#17

To give read and write permission to the apache user (in order to upload and see files from the web application), I’ve inserted the apache user in the group owner of the shared folder (not the root of the apache webserver). I’ve tested this solution on a server powered by Debian and another powered by CentOS 6. But with NethServer it doesn’t seem to work…


(Stéphane de Labrusse) #18

Same here for me


#19

It’s a very big trouble for me :disappointed:
I will have to change the os of the server :disappointed_relieved:


(Stéphane de Labrusse) #20

Are you kidding :smile:

the problem comes from the ACL…see :

```
# getfacl /var/lib/nethserver/ibay/tutu/

getfacl: Removing leading '/' from absolute path names
# file: var/lib/nethserver/ibay/tutu/
# owner: admin
# group: plume
# flags: -s-
user::rwx
user:apache:rwx
user:toto:rwx
group::r-x
group:yuyu:rwx
group:plume:rwx
mask::rwx
other::---
default:user::rwx
default:user:apache:rwx
default:user:toto:rwx
default:group::r-x
default:group:yuyu:rwx
default:group:plume:rwx
default:mask::rwx
default:other::---
```

apache cannot write following the ACL restrictions

try

setfacl -P -R -m u:apache:rwX,d:u:apache:rwX /var/lib/nethserver/ibay/tutu/

and you will be able to write in the whole Ibay… but each time you reset the permissions in the Ibay panel, or reconfigure the Ibay with the event ibay-modify, you will reset the ACL
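
The check that post #20 does by reading the `getfacl` listing can be scripted, so that an ACL reset by `ibay-modify` is noticed before uploads start failing. This is an added example, not code from the thread or from NethServer: the function names are hypothetical, the ACL samples are constructed, and it assumes a reset ACL simply lacks the `apache` entries.

```shell
# Added example: read `getfacl` output on stdin and report what a named user
# effectively gets, i.e. the named-user entry capped by the mask entry.
# acl_user_perms SCOPE USER (SCOPE: access|default) -> "rwx", "r-x", ... or "none"
acl_user_perms() {
    awk -F: -v scope="$1" -v u="$2" '
        /^#/ { next }                               # "# file:", "# owner:" ...
        {
            sub(/[ \t]+#.*$/, "")                   # drop "#effective:" notes
            isdef = sub(/^default:/, "")            # 1 for default-ACL lines
            if (isdef != (scope == "default")) next # keep only the asked scope
            if ($1 == "user" && $2 == u) entry = $3
            if ($1 == "mask") mask = $3
        }
        END {
            if (entry == "") { print "none"; exit }
            if (mask == "") mask = "rwx"            # no mask line: nothing to cap
            for (i = 1; i <= 3; i++) out = out (substr(mask, i, 1) == "-" ? "-" : substr(entry, i, 1))
            print out
        }'
}

# acl_write_persists USER: status 0 only when USER can write now (access ACL)
# and newly created files will inherit that right (default ACL).
acl_write_persists() {
    acl=$(cat)
    for scope in access default; do
        case $(printf '%s\n' "$acl" | acl_user_perms "$scope" "$1") in
            ?w?) ;;
            *) return 1 ;;
        esac
    done
}

# Constructed samples modelled on the getfacl listing in the thread.
ACL_RESET='user::rwx
group::r-x
group:plume:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:mask::rwx
default:other::---'
ACL_GRANTED="$ACL_RESET
user:apache:rwx
default:user:apache:rwx"
ACL_MASKED=$(printf '%s\n' "$ACL_GRANTED" | sed 's/^mask::rwx/mask::r-x/')

printf '%s\n' "$ACL_RESET" | acl_write_persists apache || echo "apache cannot write: re-apply setfacl"
```

On a live server the input would come from `getfacl /var/lib/nethserver/ibay/tutu/ | acl_write_persists apache`, run after any change made through the Ibay panel.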