timbroder timbroder - 1 month ago 11
Apache Configuration Question

Issue with www-data and group read for site folder

I'm locking down some permissions, and now nginx has trouble seeing my site.

Background:


  • I deploy & run CLI using the mysite user.

  • I want both mysite and www-data to have access to the site's folder

  • mysite and www-data users both belong to the www-data groups:



root@dev:~# groups mysite
mysite : mysite www-data
root@dev:~#


root@dev:~# groups www-data
www-data : www-data


The folder (has group permissions)

drwxrwx--- 3 mysite www-data 4096 Jun 26 14:12 sites/


www-data trying to get to it:

root@dev:~# sudo -u www-data stat /home/mysite/sites/
stat: cannot stat ‘/home/mysite/sites/’: Permission denied


www-data can see the parent folders fine:

root@dev:~# sudo -u www-data stat /home/
File: ‘/home/’
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: fd01h/64769d Inode: 1179649 Links: 3
Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2016-10-19 10:59:05.845267219 -0400
Modify: 2016-06-26 14:12:24.890310000 -0400
Change: 2016-06-26 14:12:24.890310000 -0400
Birth: -
root@dev:~# sudo -u www-data stat /home/mysite/
File: ‘/home/mysite/’
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: fd01h/64769d Inode: 1180062 Links: 10
Access: (0770/drwxrwx---) Uid: ( 1000/ mysite) Gid: ( 1000/ mysite)
Access: 2016-10-19 10:59:10.081267219 -0400
Modify: 2016-10-19 10:35:01.221267219 -0400
Change: 2016-10-19 10:35:01.221267219 -0400
Birth: -


I've also checked to see if SELinux was messing with it

root@dev:~# setenforce 0
setenforce: SELinux is disabled


I've also tried:

chown www-data:www-data /home/mysite/sites/


Update 10/19/2016:
Setting the ACL on the folder that 'sites' belongs to got this working the way I have it set up:

setfacl --modify=g:www-data:x /home/mysite

Answer

Any web server requires executable permissions (but not read) to all parent directories that contain the site. Setting an ACL on the home directory like that works.

You also could have changed the group of /home/mysite to www-data and locked down permissions of that directory to 710.

Another solution would have been to move the sites directory someplace less restricted than a home directory, like /var/www, but keep the existing locked down permissions on the sites directory.

I likely would have gone with your solution, or moving the site to /var/www.
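
The check discussed in this thread (every directory above the site needs search permission for the web server's user) can be automated. The script below is an added example, not part of the question or the answer: it walks the ancestors of a path and reports the first one whose mode bits deny search to a given uid and group list. It assumes GNU stat, evaluates mode bits only (a named ACL entry such as the setfacl fix is not evaluated), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Evaluates classic mode bits only (owner, then group, then
# other); named ACL entries are not evaluated. Assumes GNU stat.
# Function names are hypothetical.

# has_search UID "GID ..." DIR
# Succeeds if DIR's mode bits give that uid/group set search (x) permission.
has_search() {
    # Append DIR's "mode owner-uid owner-gid" as $4 $5 $6.
    set -- "$1" "$2" "$3" $(stat -c '%a %u %g' "$3" 2>/dev/null)
    [ $# -eq 6 ] || return 1                 # stat failed: treat as blocked
    if [ "$1" -eq 0 ]; then return 0; fi     # root may search any directory
    if [ "$1" -eq "$5" ]; then
        set -- "$4" 6                        # owner class: bit 0100
    elif case " $2 " in *" $6 "*) true ;; *) false ;; esac; then
        set -- "$4" 3                        # group class: bit 0010
    else
        set -- "$4" 0                        # other class: bit 0001
    fi
    [ $(( (0$1 >> $2) & 1 )) -eq 1 ]
}

# first_blocked UID "GID ..." PATH [BASE]
# Prints the topmost ancestor of PATH (up to BASE, default /) that the
# uid/group set cannot traverse; prints an empty line if none blocks.
first_blocked() {
    fb_dir=$(dirname "${3%/}")
    fb_hit=
    while :; do
        has_search "$1" "$2" "$fb_dir" || fb_hit=$fb_dir
        if [ "$fb_dir" = "${4:-/}" ] || [ "$fb_dir" = / ] || [ "$fb_dir" = . ]
        then break; fi
        fb_dir=$(dirname "$fb_dir")
    done
    printf '%s\n' "$fb_hit"
}

# Usage for the case in the question (numeric gids from `id -G`):
#   first_blocked "$(id -u www-data)" "$(id -G www-data)" /home/mysite/sites/
```

For the layout in the question this prints /home/mysite, the 0770 directory owned by mysite:mysite, which matches the directory the ACL was applied to.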