So… it is possible or not assign a secondary group to a user ?
I use the ssh to change the group of the apache user.
I’ve try but the apache user seems fixed to only apache group.
To summarize and for other if want test the situation:
Nethserver 6.5
I have a shared folder: /var/lib/nethserver/ibay/cartellaCondivisa
The owner is “admin”, group: “utentilocali” (default from creation for the we interface)
I have a second shared folder set to be the root of apache webserver: /var/lib/nethserver/ibay/cartellaApplicazione
The owner is “admin”, group: “utentilocali”
I’ve created a symbolic link in the root folder:
:# ln -s /var/lib/nethserver/ibay/cartellaCondivisa /var/lib/nethserver/ibay/cartellaApplicazione/condivisaLink
The webserver (php/apache) it is unable to read and write the symbolic link.
How to make the webserver be able to read and write the symbolic link ?
Perhaps i’ve found why also in the nethserver 6.7 and .htwritable (invention of dev team of nethserver ?) file configured the symlinks are not signed to be writable:
.htwritable file are for using the automation from the nethserver panel.
But i don’t understand why configuring manually (via ssh) the group of a user doesn’t work… it should be the same thing… or no ?
a dirty quick answer is to let apache as the owner of the shared folder, the scripts of NS just reset the group, never the owner
@davidep is concerned by the apache user restrictions, but in some case (for wedav by example) we cannot do it without this user.
Moreover the .htwritable is hard to use since you need to write it manually on the server and probably can be modified by a samba access…a gui will be welcome…but even with that you must know and understand which folders must have a write permission.
For what it concerns me (Mod Dav) I need a full write permission to the root folder of the Ibay, eventually I would love an option for that-> (*), else I need to set apache as the owner of the shared folder.
of course if an obvious other way exists, please shout
if apache is the owner of the ibay shared folder you cannot use it by samba… or not?
To maximum comfort i use samba access (on the office lan) to update the application (update are very frequently, every two or three days).
Or another server i achieved this target by inserting the apache user in the group owner of the directory… a very simply thing.
@stephdl
So you are suggesting to set apache as the owner of the ibay shared folder… but to use it by samba access i have to insert a samba user in the apache user group…
It is evident that you don’t need to do the same tests than me, specially on a production server, but when I change the owner to Apache, I still can write in the folder after with samba.
All files and folders keeps the same ownership (apache/Samba_Owner_Group)
# ll -R /var/lib/nethserver/ibay/
/var/lib/nethserver/ibay/:
drwxrwsr-x+ 8 apache yuyu 4096 Dec 27 08:42 tutu
/var/lib/nethserver/ibay/tutu:
drwxrwsr-x+ 2 apache yuyu 4096 Dec 27 08:42 sambacreation
/var/lib/nethserver/ibay/tutu/sambacreation:
total 4
-rw-rw-r--+ 1 apache yuyu 0 Jan 28 2015 Nouveau NewFile
I noticed something interesting, probably a bug, a user created before the installation of nethserver-samba cannot reach a samba share, even if you go to the panel for allowing this user to the samba shares after the samba installation…I needed to create a new user and set him a password.
To give read and write permission to the apache (in order to upload ad see file from the web application) user i’ve inserted the apache user in the group owner of the shared folder (not the root of apache webserver). I’ve tested this solution on a server powered by debian and another powered by centos 6. But with nethserver seems doesn’t work…
and you will be able to write in the whole Ibay…but each time you will reset the permission in the Ibay Panel, or reconfigure the Ibay with the event ibay-modify, you will reset the acl
No…i’m crying
We work on server that are located in some different factory. It aren’t connected to internet because are on secure isolated production lan. I have to travel to the factory to do the setting… and if the local “admin”, adding a user, can reset some “critical” (to made the php web application working) settings like this i have to travel and apply again the setting… it’s a very big trouble…
But… for now… i have to test your solution…
I’m creating a virtual machine… now i have to configure it like the server we have in production and test you solution…
I’m about to install phpmyadmin module for nethserver 6.5 from your repo
The option -P is to preserve to set acl following the symlinks in the ibay folders…you can test without the -P if you cannot write in the symlinked folder
a script to automatise acl for apache write permission :
vim /etc/e-smith/events/actions/nethserver-full-apache-write
#!/usr/bin/perl
use esmith::ConfigDB;
use strict;
eval { require esmith::AccountsDB };
if($@) {
exit(0); # AccountsDB is not available, exit
}
use esmith::AccountsDB;
my $db = esmith::ConfigDB->open_ro();
my $adb = esmith::AccountsDB->open_ro();
my $event = shift || die("Missing event argument");
my $ibay = shift || die("Missing ibay argument");
my $ibaydir = '/var/lib/nethserver/ibay/' . $ibay;
my $httpdstatus = $adb->get_prop($ibay, 'HttpStatus') || 'disabled';
exit 0 if ($httpdstatus eq 'disabled');
my $httpwrite = $adb->get_prop($ibay,'HttpWritable') || 'disabled';
if ($httpwrite eq 'enabled') {
system ('/usr/bin/setfacl','-P','-R','-m','u:apache:rwX,d:u:apache:rwX', "$ibaydir") == '0'
|| die "Failed to set apache acl on the ibay $ibay\n";
}
Seems there is an error… when i try to reset permission from panel, this message is displayed:
Task completato con errori
S80nethserver-full-apache-write #2 (code 65280)
There is any log that can be useful for debug ?
Shared folders name are: condivisa ; applicazione
Is the script compatible with nethserver 6.5 or contain any variable/function that are for 6.7 version only?
Edit:
From messages log i’ve found this:
Global symbol "$httpdstatus" requires explicit package name at /etc/e-smith/events/ibay-reset-permissions/S80nethserver-full-apache-write line 20.
Any idea for the script correction ?
OK, a small typing error in the $httpdstatus variable declaration.
Here the correct script:
vim /etc/e-smith/events/actions/nethserver-full-apache-write
#!/usr/bin/perl
use esmith::ConfigDB;
use strict;
eval { require esmith::AccountsDB };
if($@) {
exit(0); # AccountsDB is not available, exit
}
use esmith::AccountsDB;
my $db = esmith::ConfigDB->open_ro();
my $adb = esmith::AccountsDB->open_ro();
my $event = shift || die("Missing event argument");
my $ibay = shift || die("Missing ibay argument");
my $ibaydir = '/var/lib/nethserver/ibay/' . $ibay;
my $httpdstatus = $adb->get_prop($ibay, 'HttpStatus') || 'disabled';
exit 0 if ($httpdstatus eq 'disabled');
my $httpwrite = $adb->get_prop($ibay,'HttpWritable') || 'disabled';
if ($httpwrite eq 'enabled') {
system ('/usr/bin/setfacl','-P','-R','-m','u:apache:rwX,d:u:apache:rwX', "$ibaydir") == '0'
|| die "Failed to set apache acl on the ibay $ibay\n";
}
I published the correction at the same time
But the script is not working as i expected… i have to set the apache to read and write on both shared folder, not only on the one that is the webroot…
