group access: chown root.ftsdev and chmod 2775
Logical EXPLANATION:
at superuser.com
Always REFER to https://www.tecmint.com/manage-users-and-groups-in-linux/
* Made cgi-bin belonging to group ftsdev (at present all developers belong here).
* Change ownership and permissions of cgi-bin so that group ftsdev gets full (775) access:
- Make cgi-bin belong to group ftsdev (at present all developers belong here):
- chown -R root.ftsdev cgi-bin
- Change permissions to 2775 (setgid bit + 775):
- chmod 2775 -R cgi-bin
- The above steps make sure the ftsdev group has complete access to the cgi-bin folder. Members can create/modify files, and because of the setgid bit new files are created with group ftsdev, so others in the group can modify them too.
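As an added example (not part of the original notes), the script below builds a shared group directory the way the steps above describe, in a scratch location, and verifies the result: the octal mode shows the leading 2 (setgid), the symbolic mode shows the 's' in the group triplet, and a file created inside inherits the directory's group. It assumes GNU coreutils (stat -c) on Linux and does not need root, so the directory keeps the caller's own group instead of ftsdev; the names cgi-bin and timestamp.cgi are placeholders.

```shell
#!/bin/sh
# Added example (not from the original notes): create a shared group directory
# with mode 2775 (rwxrwsr-x), then verify the setgid bit and group inheritance.
# Assumes GNU coreutils (stat -c) on Linux. Runs without root, so the directory
# keeps the caller's primary group rather than "ftsdev" as in the notes.
set -e

# Apply the notes' mode: leading 2 = setgid, 775 = rwx for owner and group.
# Incremental equivalent from the notes: chmod 775 "$1" && chmod g+s "$1"
make_shared_dir() {
    mkdir -p "$1"
    chmod 2775 "$1"
}

# Octal mode including the special bits, e.g. 2775 for a setgid group-writable dir.
octal_mode() { stat -c '%a' "$1"; }

# Symbolic mode, e.g. drwxrwsr-x; the lowercase 's' in the group triplet is setgid.
symbolic_mode() { stat -c '%A' "$1"; }

# Group name that owns a path.
group_of() { stat -c '%G' "$1"; }

# Succeeds (exit 0) when the setgid bit is set on a path.
has_setgid() {
    mode=$(stat -c '%a' "$1")
    special=$(printf '%s' "$mode" | cut -c1)
    # Four octal digits with the 2 bit set in the leading (special) digit.
    [ "${#mode}" -eq 4 ] && [ $(( $special & 2 )) -ne 0 ]
}

# Create a file inside the shared directory and print the group it received.
# With setgid on the directory the file inherits the directory's group instead
# of the creator's primary group, which is what lets other group members edit it.
create_and_report_group() {
    touch "$1/$2"
    stat -c '%G' "$1/$2"
}

# Walkthrough in a scratch location (placeholder names, cleaned up on exit).
SCRATCH=$(mktemp -d)
trap 'rm -rf "$SCRATCH"' EXIT
SHARED="$SCRATCH/cgi-bin"
make_shared_dir "$SHARED"
echo "mode:            $(symbolic_mode "$SHARED") ($(octal_mode "$SHARED"))"
echo "directory group: $(group_of "$SHARED")"
echo "new file group:  $(create_and_report_group "$SHARED" timestamp.cgi)"
if has_setgid "$SHARED"; then echo "setgid: set"; else echo "setgid: NOT set"; fi
```

Running it as an unprivileged user prints mode drwxrwsr-x (2775) and the same group for the directory and the new file; on the real cgi-bin the chown step from the notes is what makes that inherited group ftsdev.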
- Created group “redgroup” (example for contractors) and added user “jdoe” (John Doe) to it:
- groupadd redgroup
- useradd -c "John Doe" -m jdoe
- usermod -aG redgroup jdoe
- Create a folder cgi-bin/newdevelopment (WORKS fine) and attach group “redgroup” to it:
- mkdir cgi-bin/newdevelopment
- setfacl -m group:redgroup:rwx newdevelopment OR setfacl -m g:redgroup:rwx newdevelopment ('g' is the short form of 'group'; both are the same)
- getfacl newdevelopment/
# file: newdevelopment/
# owner: root
# group: ftsdev
# flags: -s-
user::rwx
group::r-x
group:redgroup:rwx
mask::rwx
other::r-x
"setfacl --remove-all newdevelopment" will reset all acl.
though the directory is OWNED by ftsdev, we can add MULTIPLE groups to write into a folder.
# ls -ld my_test/
drwxrwsr-x+ 2 root ftsdev 4096 Nov 3 16:30 my_test/
[root@fts-vm-dev html]# getfacl my_test/
# file: my_test/
# owner: root
# group: ftsdev
# flags: -s-
user::rwx
group::rwx
group:ftstest:rwx
mask::rwx
other::r-x
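Added example, not from the original notes: an audit helper for getfacl dumps like the two above that lists which groups can effectively write into a directory. It applies the ACL mask the way the kernel does (a named group's effective rights are its entry ANDed with the mask:: entry), which is the usual reason a group listed with rwx still gets "permission denied". The three dumps are constructed inline, modelled on the notes' output (the third one shows the mask case); plain POSIX sh and awk are assumed.

```shell
#!/bin/sh
# Added example (not from the original notes): audit getfacl output and report
# which groups can effectively write into a directory. Effective rights of a
# named group (and of the owning group) are the entry ANDed with the mask::
# entry, so an "rwx" entry behind an "r-x" mask gives no write access.
# Assumes POSIX sh and awk; the dumps below are constructed, modelled on the
# notes' output, not captured from the notes' server. Default (inherited)
# entries are ignored: they only shape the ACLs of newly created files.
set -e

# Reads a getfacl dump on stdin and prints "group:entry:effective" per group entry.
acl_group_effective() {
    awk -F: '
        /^# group:/    { og = $2; sub(/^ +/, "", og); next }   # owning group name
        /^#/ || NF < 3 { next }                                # comments, blanks
        $1 == "mask"   { mask = $3; next }
        $1 == "group"  { n++; name[n] = ($2 == "" ? og : $2); entry[n] = $3 }
        END {
            if (mask == "") mask = "rwx"                        # no mask => as-is
            for (i = 1; i <= n; i++) {
                eff = ""
                for (j = 1; j <= 3; j++) {
                    c = substr(entry[i], j, 1)
                    eff = eff ((c != "-" && substr(mask, j, 1) == c) ? c : "-")
                }
                printf "%s:%s:%s\n", name[i], entry[i], eff
            }
        }'
}

# Groups whose effective rights include write.
acl_writers() { acl_group_effective | awk -F: '$3 ~ /w/ { print $1 }'; }

# Groups granted write in their entry but stripped of it by the mask.
acl_masked()  { acl_group_effective | awk -F: '$2 ~ /w/ && $3 !~ /w/ { print $1 }'; }

# Convenience wrappers taking the dump text as an argument.
writers_of() { printf '%s\n' "$1" | acl_writers; }
masked_of()  { printf '%s\n' "$1" | acl_masked; }

# Constructed dump 1: like the notes' getfacl newdevelopment/ (redgroup added).
DUMP_NEWDEV='# file: newdevelopment/
# owner: root
# group: ftsdev
# flags: -s-
user::rwx
group::r-x
group:redgroup:rwx
mask::rwx
other::r-x'

# Constructed dump 2: like the notes' getfacl my_test/ (two writable groups).
DUMP_MYTEST='# file: my_test/
# owner: root
# group: ftsdev
# flags: -s-
user::rwx
group::rwx
group:ftstest:rwx
mask::rwx
other::r-x'

# Constructed dump 3: the trap case. redgroup looks writable, but the mask
# (e.g. after a "chmod g-w" on the directory) removes write from every group.
DUMP_MASKED='# file: locked/
# owner: root
# group: ftsdev
# flags: -s-
user::rwx
group::r-x
group:redgroup:rwx
mask::r-x
other::r-x'

for d in "$DUMP_NEWDEV" "$DUMP_MYTEST" "$DUMP_MASKED"; do
    echo "== $(printf '%s\n' "$d" | head -n1)"
    echo "writers: $(writers_of "$d" | tr '\n' ' ')"
    echo "masked:  $(masked_of "$d" | tr '\n' ' ')"
done
```

On a live system pipe real output in with `getfacl cgi-bin | acl_writers`; an empty writers list combined with a non-empty masked list points at the mask:: entry rather than at the group entry when a contractor group cannot write.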
Now “jdoe” can read and write into cgi-bin/newdevelopment ONLY.
However he can still see (read) cgi-bin/timestamp etc.
HARD TO HIDE IT, as perl CGI execution has to READ the script to run it inside apache. Only the parent httpd process runs as root; the workers run as the user set in httpd.conf ('apache') !! IF not, it MAY run as root ! check this and correct it.
The worker threads/processes are low privilege. Hence, when a script is not readable by that user, CGI execution fails (“permission denied”).
Jdoe can not create or touch files in other areas of the cgi-bin folder, ONLY in the “newdevelopment” folder.
"set-GID" bit on your folder ("sudo chmod g+s Folder"). ( http://ubuntuforums.org/showthread.php?t=840006 ) OR chmod 2775 <file|folder>. The 2 in 2xxx stands for file execution as super user.
Possible example:
999 chown -R root.ftsdev cgi-bin/
1000 chmod -R 2775 cgi-bin/
1002 setfacl -m group:ftsdev:rwx cgi-bin/
1003 chmod g+s cgi-bin/
NOTE:
These following two commands are sufficient to set 's' flag or group flag up.
"set-GID" bit on your folder ("sudo chmod g+s Folder"). ( http://ubuntuforums.org/showthread.php?t=840006 ) OR chmod 2775 <file|folder>. The 2 in 2xxx stands for file execution as super user.
Possible example:
999 chown -R root.ftsdev cgi-bin/
1000 chmod -R 2775 cgi-bin/
1002 setfacl -m group:ftsdev:rwx cgi-bin/
1003 chmod g+s cgi-bin/
NOTE:
These following two commands are sufficient to set 's' flag or group flag up.
chown -R <owner>.ftsdev art.git/
setfacl -m g:ftsdev:rwx art.git/; ls -l art.git <== no need? just adds an ACL entry
chmod -R g+s art.git/; ls -l art.git
https://www.tecmint.com/manage-users-and-groups-in-linux/
