Add webserver "apache" user to other groups

Support
#10

So… it is possible or not assign a secondary group to a user ?
I use the ssh to change the group of the apache user.

I’ve try but the apache user seems fixed to only apache group.

To summarize and for other if want test the situation:
Nethserver 6.5
I have a shared folder: /var/lib/nethserver/ibay/cartellaCondivisa
The owner is “admin”, group: “utentilocali” (default from creation for the we interface)
I have a second shared folder set to be the root of apache webserver: /var/lib/nethserver/ibay/cartellaApplicazione
The owner is “admin”, group: “utentilocali”

I’ve created a symbolic link in the root folder:
:# ln -s /var/lib/nethserver/ibay/cartellaCondivisa /var/lib/nethserver/ibay/cartellaApplicazione/condivisaLink

The webserver (php/apache) it is unable to read and write the symbolic link.

How to make the webserver be able to read and write the symbolic link ?

#11

Perhaps i’ve found why also in the nethserver 6.7 and .htwritable (invention of dev team of nethserver ?) file configured the symlinks are not signed to be writable:

.htwritable file are for using the automation from the nethserver panel.
But i don’t understand why configuring manually (via ssh) the group of a user doesn’t work… it should be the same thing… or no ?

#12

a dirty quick answer is to let apache as the owner of the shared folder, the scripts of NS just reset the group, never the owner

@davidep is concerned by the apache user restrictions, but in some case (for wedav by example) we cannot do it without this user.
Moreover the .htwritable is hard to use since you need to write it manually on the server and probably can be modified by a samba access…a gui will be welcome…but even with that you must know and understand which folders must have a write permission.

For what it concerns me (Mod Dav) I need a full write permission to the root folder of the Ibay, eventually I would love an option for that-> (*), else I need to set apache as the owner of the shared folder.

of course if an obvious other way exists, please shout

#13

if apache is the owner of the ibay shared folder you cannot use it by samba… or not?
To maximum comfort i use samba access (on the office lan) to update the application (update are very frequently, every two or three days).

Or another server i achieved this target by inserting the apache user in the group owner of the directory… a very simply thing.

@stephdl
So you are suggesting to set apache as the owner of the ibay shared folder… but to use it by samba access i have to insert a samba user in the apache user group…

#14

I’m working on a module or a core feature concerning webdad, that will be another way to update files.

yes that it is another way to do it, I will look on it to see if I can use it with an event, but not so evident to get it works.

I recall that it works, I try again to verify it.

#15

It is evident that you don’t need to do the same tests than me, specially on a production server, but when I change the owner to Apache, I still can write in the folder after with samba.

All files and folders keeps the same ownership (apache/Samba_Owner_Group)

# ll -R /var/lib/nethserver/ibay/
/var/lib/nethserver/ibay/:
drwxrwsr-x+ 8 apache yuyu 4096 Dec 27 08:42 tutu

/var/lib/nethserver/ibay/tutu:
drwxrwsr-x+ 2 apache yuyu 4096 Dec 27 08:42 sambacreation
/var/lib/nethserver/ibay/tutu/sambacreation:
total 4
-rw-rw-r--+ 1 apache yuyu 0 Jan 28  2015 Nouveau NewFile

I noticed something interesting, probably a bug, a user created before the installation of nethserver-samba cannot reach a samba share, even if you go to the panel for allowing this user to the samba shares after the samba installation…I needed to create a new user and set him a password.

Old user cannot access samba shares
Old user cannot access samba shares
#16

@Technet How did you achieve that ?

#17

To give read and write permission to the apache (in order to upload ad see file from the web application) user i’ve inserted the apache user in the group owner of the shared folder (not the root of apache webserver). I’ve tested this solution on a server powered by debian and another powered by centos 6. But with nethserver seems doesn’t work…

#18

Same here for me

#19

It’s a very big trouble for me :disappointed:
I will have to change the os of the server :disappointed_relieved:

#20

Are you kidding :smile:

the problem comes from the ACL…see :

# getfacl /var/lib/nethserver/ibay/tutu/

getfacl: Removing leading '/' from absolute path names
# file: var/lib/nethserver/ibay/tutu/
# owner: admin
# group: plume
# flags: -s-
user::rwx
user:apache:rwx
user:toto:rwx
group::r-x
group:yuyu:rwx
group:plume:rwx
mask::rwx
other::---
default:user::rwx
default:user:apache:rwx
default:user:toto:rwx
default:group::r-x
default:group:yuyu:rwx
default:group:plume:rwx
default:mask::rwx
default:other::---

apache cannot write following the ACL restrictions

try

setfacl -P -R -m u:apache:rwX,d:u:apache:rwX /var/lib/nethserver/ibay/tutu/

and you will be able to write in the whole Ibay…but each time you will reset the permission in the Ibay Panel, or reconfigure the Ibay with the event ibay-modify, you will reset the acl

#21

No…i’m crying :sob:
We work on server that are located in some different factory. It aren’t connected to internet because are on secure isolated production lan. I have to travel to the factory to do the setting… and if the local “admin”, adding a user, can reset some “critical” (to made the php web application working) settings like this i have to travel and apply again the setting… it’s a very big trouble…

But… for now… i have to test your solution…
I’m creating a virtual machine… now i have to configure it like the server we have in production and test you solution…
I’m about to install phpmyadmin module for nethserver 6.5 from your repo :wink:

#22

The option -P is to preserve to set acl following the symlinks in the ibay folders…you can test without the -P if you cannot write in the symlinked folder

#23

quite sure that an action can be made to automatise the setfacl…

#24

a script to automatise acl for apache write permission :

vim /etc/e-smith/events/actions/nethserver-full-apache-write

#!/usr/bin/perl
use esmith::ConfigDB;
use strict;

eval { require esmith::AccountsDB };
if($@) {
    exit(0); # AccountsDB is not available, exit
}

use esmith::AccountsDB;
my $db = esmith::ConfigDB->open_ro();
my $adb  = esmith::AccountsDB->open_ro();


my $event = shift || die("Missing event argument");
my $ibay = shift || die("Missing ibay argument");
my $ibaydir = '/var/lib/nethserver/ibay/' . $ibay;

my $httpdstatus = $adb->get_prop($ibay, 'HttpStatus') || 'disabled';
exit 0 if ($httpdstatus eq 'disabled');

my $httpwrite = $adb->get_prop($ibay,'HttpWritable') || 'disabled';

if ($httpwrite eq 'enabled') {
system ('/usr/bin/setfacl','-P','-R','-m','u:apache:rwX,d:u:apache:rwX', "$ibaydir") == '0'
|| die "Failed to set apache acl on the ibay $ibay\n";
}

then chmod the file

chmod 750 /etc/e-smith/events/actions/nethserver-full-apache-write

do symlinks to the action

ln -s ../actions/nethserver-full-apache-write /etc/e-smith/events/ibay-reset-permissions/S80nethserver-full-apache-write
ln -s ../actions/nethserver-full-apache-write /etc/e-smith/events/ibay-modify/S80nethserver-full-apache-write

now you must set as parameter for each Ibay HttpWritable to enabled (or disabled if you want to remove the full apache write permission in the Ibay)

db accounts setprop IBAYNAME HttpWritable enabled
signal-event ibay-modify IBAYNAME

you can see the acl on a folder or a file by doing

getfacl /path/2/your/folder/path
#25

2 posts were merged into an existing topic: Old user cannot access samba shares

#27

Setting the acl rule on both ibay folder the upload/download from the webserver/php works !
Thanks !

Now i have to test the script…

I would be never able to write a script to automatise that ! I don’t know perl language, i’m not so skilled.
Great works, thank you ! :wink:

#28

Seems there is an error… when i try to reset permission from panel, this message is displayed:

Task completato con errori
S80nethserver-full-apache-write #2 (code 65280)

There is any log that can be useful for debug ?

Shared folders name are: condivisa ; applicazione

Is the script compatible with nethserver 6.5 or contain any variable/function that are for 6.7 version only?

Edit:
From messages log i’ve found this:

Global symbol "$httpdstatus" requires explicit package name at /etc/e-smith/events/ibay-reset-permissions/S80nethserver-full-apache-write line 20.

Any idea for the script correction ?

OK, a small typing error in the $httpdstatus variable declaration.
Here the correct script:

vim /etc/e-smith/events/actions/nethserver-full-apache-write

#!/usr/bin/perl
use esmith::ConfigDB;
use strict;

eval { require esmith::AccountsDB };
if($@) {
    exit(0); # AccountsDB is not available, exit
}

use esmith::AccountsDB;
my $db = esmith::ConfigDB->open_ro();
my $adb  = esmith::AccountsDB->open_ro();


my $event = shift || die("Missing event argument");
my $ibay = shift || die("Missing ibay argument");
my $ibaydir = '/var/lib/nethserver/ibay/' . $ibay;

my $httpdstatus = $adb->get_prop($ibay, 'HttpStatus') || 'disabled';
exit 0 if ($httpdstatus eq 'disabled');

my $httpwrite = $adb->get_prop($ibay,'HttpWritable') || 'disabled';

if ($httpwrite eq 'enabled') {
system ('/usr/bin/setfacl','-P','-R','-m','u:apache:rwX,d:u:apache:rwX', "$ibaydir") == '0'
|| die "Failed to set apache acl on the ibay $ibay\n";
}
#29

copy and paste the correction I did of my script, it should be good, sorry for my fat fingers

#30

I published the correction at the same time :wink:
But the script is not working as i expected… i have to set the apache to read and write on both shared folder, not only on the one that is the webroot…