User has no permission to do "chgrp nobody /home/user/public_html"
Hi,
I have users that have a CMS installed in their public_html directory. Each user has a cron job that tells to execute a specific bash script that installs updates to the CMS using Composer. After the updating process has finished, file permissions, groups and ownerships are changed so that suPHP denies serving the site at all. To solve this, I have made the script to change the permissions, ownerships and groups back to how they should be: owner&group of every file/folder in public_html set to username:username, except for the public_html directory itself, whose group should be nobody instead of username, and no writing permission for the group.
The only problem is that an account user does not have permission to do the chgrp nobody /home/username/public_html part. If I run the same script as root, it works just the way it should. So, how to make it work when executed by less privileged users?
Thank you for your support!
Here's the part of my script that handles file permissions: (current working directory at this point is /home/username/public_html)
(I guess I should change "chmod g-w . -R" at some point to something like "chmod 755 . -R" or 750 to ensure others have no write access, but that's another topic. :) )
chown $customer:$customer . -R
chgrp nobody .
chmod g-w . -R
(I guess I should change "chmod g-w . -R" at some point to something like "chmod 755 . -R" or 750 to ensure others have no write access, but that's another topic. :) )
-
Hello :) Individual users will not have the privileges to change the ownership of a file or directory to "nobody". Are you able to modify the initial cron job so that it does not utilize invalid ownership and permission values? Thank you. 0 -
Hi, I don't think there is a way to make Composer not to change the ownership of public_html, although I have no clue why it does so in the first place. Can you advice me, why is it possible for a user to change the ownership of public_html at all? Can I deny that somewhere? It would make sense if the system protected this directory from being made unavailable for apache by mistake. :) 0 -
It might be an issue that the developers for that application will need to address. It likely happens if the application is installed as "root" and thus has access to change the ownership and permission values. Which PHP handler is in-use on this system? Thank you. 0
Please sign in to leave a comment.
Comments
3 comments