I have a quick question. I have an sFTP user who needs to edit/create files within a web directory on my CentOS box. The entire directory is owned by nginx:nginx due to housing multiple websites.

I added this user to the group that owned the folder and was still unable to own it but when I added the user with the nginx group it worked properly… am I doing something wrong here?

Current perm for their web directory user:nginx. Is this being done correctly?

Also - Server does not run an FTP server, all SSH.


So you’ve got a user that has SSH access (not sftp) to your web server in order to update files that exist in a directory owned by the nginx user and group. In order to allow the user read/write access to this directory you’ve added said user to the nginx group.

Unless a more seasoned admin has a reason for doing this another way, I think that should work just fine. Just make sure that user does not have root access and your SSH server is properly secured (sshd config, Fail2ban, etc.).


You might also review Unix/Linux permissions if you are a little confused on how things work.

If you need to isolate the subdirectory of the root website folder, you might create an additional group and add the nginx user and your user with SSH access to that group, and chown the subdirectory and all contents to the new group in order to restrict access further.

root@localhost:# chown -R nginx:newgroup /webroot/subdirectory

I have added the user to the group nginx and it doesn't allow them to modify; I had to chown -R the user's web folder to user:nginx.

Ah, that means your group permissions probably do not have write access. Do an “ls -l” command and look at the permissions.

Reference the link I posted above to get an understanding of what you see versus what they need to be.


To create, remove, or symlink a file in a directory, a user needs write and execute permission on the directory.

To edit an existing file, a user needs write permission on the file, and execute permission on the directory in which the file’s name resides. Read permission on the directory will help (the user can then read the directory to discover the file name), but read permission is not required if the user already knows the file name.

I added this user to the group that owned the folder and was still unable to own it but when I added the user with the nginx group it worked properly… am I doing something wrong here?

Current perm for their web directory user:nginx. Is this being done correctly?

Did you do something like:
chmod user:nginx directory

If so, user:nginx doesn’t tell us anything about permissions, it tells us the owner and group. What are the permission settings on directory? And if “user” is the new owner of “directory”, “user” is not governed by the permission setting of the group, “nginx”.

Post the result of this:
ls -ld /path/to/directory/in/question

If the permission bits governing this user do not allow both write and execute on the directory in question, that user won’t be able to create a file.

If the user belongs to group nginx, and that membership allows write and execute on the directory, have him execute:
newgrp nginx

[me@webny1 /]$ ls -ld /var/www/user/
drwxr-xr-x 3 user nginx 4096 Aug 31 13:39 /var/www/user/

“user” being the User’s account in question and /var/www/user being their directory

So, you can see your user permissions are set to “rwx” (read, write, execute), and that is why the “user” can properly make changes. However, the next three bits that define group permissions are set to “r-x” (read, —, execute). This means all members of the group “nginx” only have read and execute permissions, the same as all other users that might access the directory (as displayed by the last three bits in the permissions string).

To allow for group write access you would need to use the chmod command to change the group permissions to read, write, execute.

Should I be allowing nginx to do such or should I keep doing it the way I have been?

If you’ve changed ownership of the subdirectory to the new user, that may cause some issues if the nginx user/service needs to have write permissions to that directory as well. So yes, you might have mucked some things up by changing the ownership to the new user. I would look at using chown to put the user ownership back to nginx, and then add write permissions for the nginx group. Or, create a new group, chown the subdirectory’s group ownership to that new group, and use chmod to give the group read, write, and execute permissions on the subdirectory and all of its contents.

Confusing enough?

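The two explanations above (what each permission bit is needed for, and how to read the `ls -ld` output) can be checked mechanically. The script below is an added example, not something posted in this thread: it parses an `ls -ld`-style line and reports which triplet (owner, group, or other) governs a given account, then applies the rule that creating a file needs write+execute on the directory while editing needs write on the file plus execute on the directory. The sample lines, the `bob`, `mallory` and `index.html` names, and the 775 line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): evaluate which permission bits apply
# to an account for an `ls -ld` line, and whether that account can create
# files in the directory (needs w+x on the directory) or edit an existing
# file inside it (needs w on the file and x on the directory).

# Constructed sample lines, modelled on the thread's `ls -ld /var/www/user/`.
# The file line and the 775 variant are hypothetical; the thread showed
# only the directory line.
DIR_LINE='drwxr-xr-x 3 user nginx 4096 Aug 31 13:39 /var/www/user/'
FILE_LINE='-rw-r--r-- 1 user nginx 1234 Aug 31 13:40 /var/www/user/index.html'
DIR_775='drwxrwxr-x 3 nginx nginx 4096 Aug 31 13:39 /var/www/user/'

# in_list NEEDLE [WORD...]: true when NEEDLE equals one of the words.
in_list() {
    needle=$1; shift
    for w in "$@"; do [ "$w" = "$needle" ] && return 0; done
    return 1
}

# effective_bits LINE ACCOUNT MEMBEROF
# Prints the three-character triplet (e.g. "r-x") that governs ACCOUNT.
# MEMBEROF is a space-separated list of the groups ACCOUNT belongs to.
# Exactly one triplet applies: owner if ACCOUNT owns the object, else group
# if ACCOUNT is in the owning group, else "other". Owner and group bits are
# never combined, which is why adding the owner to a group changes nothing.
effective_bits() {
    line=$1; account=$2; memberof=$3
    set -- $line
    mode=$1; owner=$3; group=$4
    if [ "$account" = "$owner" ]; then
        printf '%s\n' "$mode" | cut -c2-4
    elif in_list "$group" $memberof; then
        printf '%s\n' "$mode" | cut -c5-7
    else
        printf '%s\n' "$mode" | cut -c8-10
    fi
}

# has_bit TRIPLET LETTER: true when the triplet contains LETTER (r, w or x).
has_bit() {
    case $1 in *"$2"*) return 0 ;; esac
    return 1
}

# can_create DIR_LINE ACCOUNT MEMBEROF: "yes" if ACCOUNT may create, remove
# or symlink a name inside the directory (write AND execute on the directory).
can_create() {
    bits=$(effective_bits "$1" "$2" "$3")
    if has_bit "$bits" w && has_bit "$bits" x; then echo yes; else echo no; fi
}

# can_edit FILE_LINE DIR_LINE ACCOUNT MEMBEROF: "yes" if ACCOUNT may modify
# the existing file (write on the file, execute on its directory).
can_edit() {
    fbits=$(effective_bits "$1" "$3" "$4")
    dbits=$(effective_bits "$2" "$3" "$4")
    if has_bit "$fbits" w && has_bit "$dbits" x; then echo yes; else echo no; fi
}

# Walk through the thread's situation when run directly.
printf 'owner "user" on dir:        %s -> create=%s\n' \
    "$(effective_bits "$DIR_LINE" user nginx)" "$(can_create "$DIR_LINE" user nginx)"
printf 'group member "bob" on dir:  %s -> create=%s edit=%s\n' \
    "$(effective_bits "$DIR_LINE" bob nginx)" "$(can_create "$DIR_LINE" bob nginx)" \
    "$(can_edit "$FILE_LINE" "$DIR_LINE" bob nginx)"
printf 'after chmod 775, "bob":     %s -> create=%s\n' \
    "$(effective_bits "$DIR_775" bob nginx)" "$(can_create "$DIR_775" bob nginx)"
printf 'after chmod 775, "mallory": %s -> create=%s\n' \
    "$(effective_bits "$DIR_775" mallory "")" "$(can_create "$DIR_775" mallory "")"
```

Two things the walk-through makes visible: with `drwxr-xr-x`, a member of `nginx` who is not the owner is governed by `r-x` and so cannot create files, which is exactly the access-denied the original poster saw; and after `775` only accounts in the owning group gain write, while everyone else stays at `r-x`. Note that files the user then creates are owned by that user's current primary group, which is the reason for the `newgrp nginx` suggestion earlier in the thread.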

This is one great happy fun trip. I just didn’t know if giving nginx write ownership would be a security issue. I’d rather have the entire web directory owned by nginx:nginx and just add the users to the group.

I don’t think it will be a security issue, but I would only give the group write access where you absolutely need it; aka that single subdirectory (and its contents) of the root web directory that nginx has ownership of. That way your user account is still restricted to write access on that subdirectory alone and not the entirety of the website root directory. If that makes sense.

Again, if there is a better/more appropriate way to implement permissions in this situation I’m all ears for being taught a thing or two.

@scottalanmiller @ealy @dcmartin @garydwilliams


Do you mean “nginx” as owner? Or “nginx” as group?

If user “user” is the proper owner of /var/www/user/ then the permissions are probably correct. Only “user” can delete or remove files from /var/www/user/, but members of group “nginx” could edit existing files (subject to file perms) in /var/www/user/.

So it started out as nginx:nginx over the whole /var/www/ and all worked fine. A user needed to edit/add to their website files and said user was part of the nginx group but had access denied when trying to make changes. I added the user as owner of their web directory with the group of nginx and all worked fine. I just want to ensure I am doing this correctly.

As it seems I may just change back to nginx:nginx and allow the group to write to the folder with the files needing to be changed.


Let's see if I can add anything, but I think @will224 covered it.

I would try something like 775 as a permission level,

So if the user is a member of the nginx group you just do a

chmod 775 -R ./Folder

Double check your group memberships

grep nginx /etc/group

Make sure if you’re going to give them full accesses to the folder that someone else isn’t a member of the group.


From my understanding I think this would be the best way to go about it.

Is this an IT staff or marketing department or worse a WP admin? Why not give them sFTP and limit their home directory to the folder you're talking about? You don’t want marketing or $deity forbid a WP admin messing about a linux box.

They are another admin/co-worker I can trust won't go digging to cause problems. Right now their home directory for their user is set to this web folder. They just can’t edit files unless they are owner.

Okay then like I said make him a member of nginx and then make your permissions 775. That should get you what you want.

Like I said earlier though make sure there isn’t anything else in that group before you go opening it up like that.

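The advice to check who else is in the group before running `chmod 775` deserves a more careful check than `grep nginx /etc/group`. That grep matches any line containing the text `nginx` (so an unrelated group such as `nginx-logs` shows up) and it misses accounts whose primary login group is nginx, because those are recorded only in the gid field of `/etc/passwd`. The script below is an added example, not code from this thread: it reads both databases and lists every account the group's permission bits will govern. The group and account entries it uses (`alice`, `bob`, `carol`, `dave`, `nginx-logs`) are constructed sample data embedded in the script, so it runs offline; against a real host you would read `/etc/group` and `/etc/passwd` instead.

```shell
#!/bin/sh
# Added example (not from the thread): enumerate every account that would
# gain write access if a directory owned by group GROUP is chmod'ed to 775,
# before actually opening it up. Both the supplementary members listed in
# /etc/group and the accounts whose primary gid in /etc/passwd is the
# group's gid are governed by the group triplet.

# Constructed sample databases with hypothetical accounts. On a real host,
# replace these with: GROUP_DB=$(cat /etc/group); PASSWD_DB=$(cat /etc/passwd)
GROUP_DB='root:x:0:
nginx:x:996:alice,bob
nginx-logs:x:997:carol
users:x:100:'
PASSWD_DB='root:x:0:0:root:/root:/bin/bash
nginx:x:995:996:nginx user:/var/lib/nginx:/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/var/www/user:/bin/bash
carol:x:1002:1002::/home/carol:/bin/bash
dave:x:1003:996::/home/dave:/bin/bash'

# naive_group_grep GROUP: the thread's `grep GROUP /etc/group`, kept for
# comparison. It is a substring match, so "nginx" also hits "nginx-logs".
naive_group_grep() {
    printf '%s\n' "$GROUP_DB" | grep "$1"
}

# group_gid GROUP: numeric gid of GROUP (exact name match), empty if absent.
group_gid() {
    printf '%s\n' "$GROUP_DB" | awk -F: -v g="$1" '$1 == g { print $3 }'
}

# supplementary_members GROUP: accounts in the group's member field (field 4).
supplementary_members() {
    printf '%s\n' "$GROUP_DB" | awk -F: -v g="$1" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }'
}

# primary_members GROUP: accounts whose login gid (passwd field 4) is the
# group's gid. These never appear in /etc/group's member list.
primary_members() {
    gid=$(group_gid "$1")
    [ -n "$gid" ] || return 0
    printf '%s\n' "$PASSWD_DB" | awk -F: -v gid="$gid" '$4 == gid { print $1 }'
}

# group_members GROUP: every account the group triplet governs, one per
# line, sorted and de-duplicated.
group_members() {
    { supplementary_members "$1"; primary_members "$1"; } | sort -u
}

# is_member ACCOUNT GROUP: true when ACCOUNT is governed by GROUP's bits.
is_member() {
    group_members "$2" | grep -qx "$1"
}

# audit_before_chmod GROUP: human-readable summary for the admin.
audit_before_chmod() {
    printf 'chmod 775 on a %s-owned directory would grant write to:\n' "$1"
    group_members "$1" | sed 's/^/  /'
}

audit_before_chmod nginx
```

On the sample data the naive grep returns two lines and drags in `carol` via `nginx-logs`, while the exact-match lookup returns `alice`, `bob`, `dave` and the `nginx` service account itself: `dave` is invisible to the grep because nginx is only his primary group. That last entry is the one to notice before widening the bits, since it means the web server process will also be able to write there.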