Apache, CMSms, Permissions.. a bit of everything.

[khyros]

Basically I've come upon the problem i've read several times around here.

In my research institution, we were given a unix username to FTP and put the www site. We were also given a database. We proceeded to install cms and so far so good.

But we found the problem: the Apache server runs as the user "web" and group "web", while I'm user "qob" group "users.

Whenever CMSms makes a new directory or file, it's created using web:web permissions, so I cannot touch those files at all; because my user "qob" has very linmited permissions.

I remember I read somehitng about configuring apache to run as the local user... which I think would avoid all these problems,, BUT i can't find the thread. Any hints? If I have a good point I might be able to convince the IT guys to allow me to run apache in such way.

Otherwise i'm not sure what to do. Now for example I cant use MysqlDump because "web:web" can't access the backups folder, which is owened by qob:users.

thanks.

[Pierre M.]

To run tour own Apache along with the IT guys' one, it needs to listen on another TCP port, say 8080 instead of the standard 80. The URLS would be http://abc.theserver.net:8080/hierarchy ... /page.html. You may not like this 8080 and the firewall neither. And it will be pain for you to administer your always hacked 8080 server to protect your own user's files.
You sure can ask the IT guys about a 8080 server, but you can buy professionnal domain+hosting for 20¤ a year too. Your choice. (I know, students are poor people, but it is 3 movie outings).
Pierre M.

[khyros]

It's not about hte money really...
you see, it's a public research institution so we want to have their url (it's csic.es). I didn't know the solution involved using different ports i guess i'm out of luck...

[Pierre M.]

If you have only one port, then server.es:80 can be a reverse http proxy forking to 2 separate httpd transparently.
server.es:80/abc/foo.php -> inside1.server.es:xyz/some/path/foo.php
server.es:80/def/bar.php -> inside2.server.es:uvw/where/is/foo.php
inside1 and inside2 can be the same host or two separate computers.
With such a reverse proxy :
-the IT guys operate inside1 and therefore server.es/abc/
-you operate inside2 (even port uvw=8080) and therefore server.es/def/
-the world only sees server.es/abc and server.es/def/ on a single standard 80 TCP port.
-you can crash inside2 without hurting the IT guys on server.es or inside1.

Another solution is to administrate the DNS to make every department have its own subdomain like khyros.satellite.csic.es.

Pierre M.

[calguy1000]

You need to play with the umask (in Site Admin >> Global Settings).  The umask determines the default permissions on new files

Here's a quick and dirty example of how they're used in unix systems.  I hope you man make sense out of it.

Code: Select all

robl@ws:/tmp$ umask 0022
robl@ws:/tmp$ mkdir dir1
robl@ws:/tmp$ touch dir1/file1
robl@ws:/tmp$ ls -alR dir1
dir1:
total 8
drwxr-xr-x  2 robl robl 4096 2007-04-23 21:00 .
drwxrwxrwt 39 root root 4096 2007-04-23 21:00 ..
-rw-r--r--  1 robl robl    0 2007-04-23 21:00 file1
robl@ws:/tmp$ umask 0000
robl@ws:/tmp$ mkdir dir2
robl@ws:/tmp$ touch dir2/file2
robl@ws:/tmp$ ls -alR dir2
dir2:
total 8
drwxrwxrwx  2 robl robl 4096 2007-04-23 21:00 .
drwxrwxrwt 40 root root 4096 2007-04-23 21:00 ..
-rw-rw-rw-  1 robl robl    0 2007-04-23 21:00 file2

[kermit]

Otherwise i'm not sure what to do. Now for example I cant use MysqlDump because "web:web" can't access the backups folder, which is owened by qob:users.

chmod the backups folder to 777 just like you did with the cmsms folders (tmp/cache, uploads, etc).

I remember I read somehitng about configuring apache to run as the local user... which I think would avoid all these problems,, BUT i can't find the thread. Any hints? If I have a good point I might be able to convince the IT guys to allow me to run apache in such way.

if your (web) server is shared among many users, the it guys will likely be hesitant to make wholesale changes to it..  but they should be willing to make modifications to permissions that you cannot (chown directories/files from web server to your user account)... you might also ask them if configuring php to run scripts as users (suexec) is an option.

[cnymike]

php-cgiwrap or suexec should do the trick I believe.