I'm trying to figure out how to set permissions (and ownership) for newly created files or folders so that they apply only to a directory and its contents, recursively.

I'm using the XAMPP bundle under Ubuntu, which provides Apache (among other services). By default, XAMPP's Apache is configured to run as user `daemon` and group `daemon`.

I use the setgid bit to propagate the `daemon` group to newly created files and directories. I also use ACLs, because after installing a component the owner is `daemon` and the group is `daemon`. So I also give myself (`$THEUSER`) permissions via `setfacl` (because I want to be able to edit files and create new files and directories).

But when a Joomla component is installed by uploading a ZIP file, user `$THEUSER` only gets read and execute permissions.

When I run `getfacl /opt/lampp/htdocs/joomla/administrator/components/com_mycomp` after installing the `com_mycomp` component and then running the script, I get:
```
# file: opt/lampp/htdocs/joomla/components/com_mycomp/
# owner: theuser
# group: daemon
# flags: -s-
user::rwx
user:theuser:rwx
group::r-x
group:daemon:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:theuser:rwx
default:group::r-x
default:group:daemon:r-x
default:mask::rwx
default:other::r-x
```
Also, `ls -ld` on that directory gives:

```
drwxrwsr-x+ 8 theuser daemon 4096 okt 19 10:02 /opt/lampp/htdocs/joomla/administrator/components/com_mycomp/
```

Then, after installing the component again (uninstalling it first if it was already installed), `getfacl` on it gives:
```
# file: opt/lampp/htdocs/joomla/components/com_mycomp/
# owner: daemon
# group: daemon
# flags: -s-
user::rwx
user:theuser:rwx #effective:r-x
group::r-x
group:daemon:r-x
mask::r-x
other::r-x
default:user::rwx
default:user:theuser:rwx
default:group::r-x
default:group:daemon:r-x
default:mask::rwx
default:other::r-x
```
The permissions shown by `ls -ld` stay the same (which is fine).

In case anyone is wondering why `ls` shows the group permissions incorrectly: that is because the `rw` part of `rws` refers to the mask shown by `getfacl`, not to the real group permissions (answered in another question).

Note that the effective permissions of user `theuser` are now `r-x`: write has been removed. How do I fix this? Do I need to change some setting inside Joomla? Or can it be solved with something outside Joomla itself?

I set the initial permissions with the script below. It is executed as user `theuser` like this:

```
sudo securepermissions.sh /opt/lampp/htdocs/joomla
```

Here is the script:
```bash
#!/bin/bash
if [ ! -d "$1" ]; then
    echo -e "Error: folder doesn't exist or no folder given.\n"
    exit 1
fi

# XAMPP uses the 'daemon' group for Apache.
WWWGROUP="daemon"
# Script should be executed using 'sudo', so $SUDO_USER is the real user.
THEUSER="$SUDO_USER"
if [ -z "$THEUSER" ]; then
    echo "Error: run this script with sudo (SUDO_USER is empty)."
    exit 1
fi
# The Joomla directory to set permissions for.
JOOMLADIR="$1"

# NON-ACL steps first.
# User needs to be able to read/write everything.
chown -R "$THEUSER:$WWWGROUP" "$JOOMLADIR"
# 2755 for directories (setgid, so new entries inherit the group); 0644 for files.
find "$JOOMLADIR" \( -type d -exec chmod 2755 {} + \) -o \( -type f -exec chmod 0644 {} + \)

# ACL steps second.
# First remove all existing ACL entries (access and default ACLs), recursively.
setfacl -R -b -k "$JOOMLADIR"
# Then set ACL permissions recursively for everything that should NOT be
# writable by the web server (mask rwx, so the named entries are not clamped).
setfacl -R -m "m::rwx,d:m::rwx,u:$THEUSER:rwX,g:$WWWGROUP:rX,d:u:$THEUSER:rwX,d:g:$WWWGROUP:rX" "$JOOMLADIR"
# Set ACL permissions recursively for folders which should be writable by the web server:
for dir in \
    administrator/components administrator/language administrator/manifests \
    administrator/modules administrator/templates components images language \
    libraries media modules plugins templates cache administrator/cache \
    administrator/logs tmp
do
    setfacl -R -m "g:$WWWGROUP:rwX" "$JOOMLADIR/$dir"
done
# Extra restrictive permissions for configuration.php:
setfacl -m "g:$WWWGROUP:r,o:0000" "$JOOMLADIR/configuration.php"
```
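The question's two listings can be explained by the standard POSIX ACL rules alone, without any Joomla setting: a directory created below a parent with a default ACL inherits that default ACL, and the mode passed to `mkdir()` is then ANDed into the `user::`, `mask::` and `other::` entries, so a creation mode of 0755 clamps the mask to `r-x` and with it the effective rights of every named entry. The Python model below is an added example, not code from the question or from Joomla; it parses the first `getfacl` listing (constructed input copied from the question), assumes the parent directory carries the same default ACL as that listing (the script sets identical `d:` entries everywhere), and assumes the web server creates the component directory with mode 0755 (Joomla's folder helper uses that as its default). The function names `parse_getfacl`, `create_under`, `chmod` and `effective` are mine.

```python
# Added example, not from the question: a model of the POSIX.1e ACL rules that
# produce the two getfacl listings above (standard Linux behaviour, nothing
# Joomla-specific):
#  1. A new object gets a copy of its parent's default ACL as its access ACL
#     (a new directory also keeps it as its own default ACL).
#  2. The mode given to mkdir()/open() is ANDed in: owner bits into user::,
#     group bits into mask:: (group:: if no mask), other bits into other::;
#     named user/group entries are not changed, only masked.
#  3. chmod() differs: it *sets* those three entries to the mode bits.
#  4. Effective rights of named users, the owning group and named groups are
#     entry & mask; getfacl prints "#effective:" where that differs.

def parse_perms(s):
    return frozenset(c for c in s if c in "rwx")

def fmt_perms(p):
    return "".join(c if c in p else "-" for c in "rwx")

def parse_getfacl(text):
    """getfacl output -> (access, default) lists of (tag, qualifier, perms)."""
    access, default = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops '# file:' headers and '#effective:' notes
        if not line:
            continue
        target = access
        if line.startswith("default:"):
            line, target = line[len("default:"):], default
        tag, qualifier, perms = line.split(":")
        target.append((tag, qualifier, parse_perms(perms)))
    return access, default

def mode_bits(mode, shift):  # one octal digit of a mode as an rwx set (shift 6/3/0 = owner/group/other)
    digit = (mode >> shift) & 0o7
    return frozenset(c for c, b in (("r", 4), ("w", 2), ("x", 1)) if digit & b)

def is_masked(tag, qualifier):
    return tag == "group" or (tag == "user" and qualifier != "")

def mode_slot(tag, qualifier, has_mask):  # shift of the mode digit an entry is tied to; None if named
    if tag == "user" and qualifier == "":
        return 6
    if tag == "mask" or (tag == "group" and qualifier == "" and not has_mask):
        return 3
    return 0 if tag == "other" else None

def create_under(parent_default, mode):
    """Rules 1+2: (access, default) ACL of a directory created with `mode` below this default ACL."""
    has_mask = any(t == "mask" for t, _, _ in parent_default)
    access = []
    for tag, qual, perms in parent_default:
        slot = mode_slot(tag, qual, has_mask)
        access.append((tag, qual, perms & mode_bits(mode, slot) if slot is not None else perms))
    return access, list(parent_default)

def chmod(access, mode):
    """Rule 3: chmod overwrites user::, mask:: (or group::) and other:: with the mode bits."""
    has_mask = any(t == "mask" for t, _, _ in access)
    out = []
    for tag, qual, perms in access:
        slot = mode_slot(tag, qual, has_mask)
        out.append((tag, qual, mode_bits(mode, slot) if slot is not None else perms))
    return out

def effective(access, tag, qualifier):
    """Rule 4: the rights a process really gets from one entry, as 'rwx'-style text."""
    mask = next((p for t, _, p in access if t == "mask"), None)
    perms = next(p for t, q, p in access if (t, q) == (tag, qualifier))
    if mask is not None and is_masked(tag, qualifier):
        perms = perms & mask
    return fmt_perms(perms)

# First listing from the question (constructed input). Its default ACL is what
# the script sets everywhere, so it is assumed to be the parent directory's too.
BEFORE = """\
# owner: theuser
user::rwx
user:theuser:rwx
group::r-x
group:daemon:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:theuser:rwx
default:group::r-x
default:group:daemon:r-x
default:mask::rwx
default:other::r-x
"""

if __name__ == "__main__":
    access, default = parse_getfacl(BEFORE)
    # Reinstall: the web server recreates com_mycomp. Mode 0755 is an assumption
    # (Joomla's folder helper defaults to it); 0775 would keep theuser's write bit.
    for mode in (0o755, 0o775):
        acc, _ = create_under(default, mode)
        print(f"created with {mode:04o}: mask {effective(acc, 'mask', '')}, "
              f"theuser effective {effective(acc, 'user', 'theuser')}")
    # The script's own 'chmod 2755' clamps the mask the same way, until its setfacl sets m::rwx again.
    print("after chmod 2755:", effective(chmod(access, 0o2755), "user", "theuser"))
```

Running it shows that recreating the directory with mode 0755 yields exactly the second listing (`mask::r-x`, `user:theuser:rwx #effective:r-x`, `group:daemon:r-x` inherited from the parent's default entry), while mode 0775 leaves the mask at `rwx`. It also shows why the script has to set `m::rwx` explicitly after its `find ... chmod 2755` step: `chmod` rewrites the mask from the group bits. The practical consequence is that the clamp happens at creation time in the web server process, so it is either the creating process's mode/umask that needs to allow group write, or a `setfacl -m m::rwx` (or the script) has to be re-applied after each install.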