How to configure User and Group permissions with Ubuntu

Basics

There are three sets of permissions to worry about with any directory/file:

  • User — What the owner of the file can do
  • Group — What users of the same group can do
  • Other — What anyone else can do

Correspondingly, users have a username (unique to each user). Users can also be part of a group; in fact, multiple users can be part of the same group.

Note: The chmod command can also accept numeric (octal) modes, such as 0664, which encode the same user, group and other permissions. See this to help create these, if you wish.

I will cover using chmod. Chmod is used to modify the permissions of a directory or file.

Usage:

chmod -flags permissions /path/to/dir/or/file

Flags

-R

chmod -R … will recursively go through the directory provided and change all file/directory permissions as specified.

Changing Permissions

You can define for whom the permissions you are setting apply with these:

  • u = user
  • g = group
  • o = other

You can add or remove permissions using these:

  • + will add permissions
  • - will remove permissions

You can set these permissions:

  • r = read
  • w = write
  • x = execute

Use this knowledge to set up Apache

Assumptions:

  • Apache is run as user www-data and group www-data.
  • Server web root is /var/www

First

We need to set the owner/group of the web root (and any directories/files therein):

$ sudo chown -R www-data:www-data /var/www

Second

We need to set up the proper permissions for users and groups. We do some blanket commands restricting access, and then open access up as much as we need to.

To start, make it so no one but the owning user (www-data) can access the web-root content. We use ‘go’, meaning apply to ‘group’ and ‘other’. We use ‘-’, which means remove permissions. We use ‘rwx’ to remove read, write and execute permissions.

$ sudo chmod go-rwx /var/www

Next, allow users of the same group (and ‘other’) to enter the /var/www directory. This is not done recursively. Once again, we use ‘group’ and ‘other’, but this time we use ‘+’ to add the execute (‘x’) permission.

$ sudo chmod go+x /var/www

Next, change all directories and files in the web root to the same group (www-data), just in case there are files in there currently:

$ sudo chgrp -R www-data /var/www

Next, let’s do another “reset” of sorts and make it so only the user can access web content:

$ sudo chmod -R go-rwx /var/www

And finally, make it so anyone in the same group can read and execute directories/files in the web root.

$ sudo chmod -R g+rx /var/www

I actually give group write permissions as well, for users who need to modify content, such as users used to deploy code. That looks like this:

$ sudo chmod -R g+rwx /var/www

Often going through all of these steps isn’t necessary, but this is a useful exercise to see how these commands work!
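
The chmod steps above, replayed on a scratch directory instead of /var/www so the resulting modes can be inspected without root; this is an added example, not part of the original post. The helper names and the constructed tree are assumptions, the `g+rX` variant (execute only on directories and already-executable files) is a comparison the page does not make, and GNU stat is required, as on Ubuntu.

```bash
#!/usr/bin/env bash
# Added example: replay the page's chmod steps on a constructed scratch tree
# (never /var/www) and report the resulting modes. Needs GNU stat (Ubuntu default).

# Build a stand-in web root with known starting modes; prints its path.
make_tree() {
    local root
    root=$(mktemp -d) || return 1
    mkdir "$root/css"
    printf 'x' > "$root/index.html"
    printf 'x' > "$root/css/site.css"
    chmod 755 "$root" "$root/css"
    chmod 644 "$root/index.html" "$root/css/site.css"
    printf '%s\n' "$root"
}

# The page's chmod steps; $2 is the final recursive group grant.
apply_steps() {
    local root=$1 grant=$2
    chmod go-rwx "$root"        # lock the top directory to the owner
    chmod go+x "$root"          # let group/other enter it (non-recursive)
    chmod -R go-rwx "$root"     # recursive reset; this also undoes the go+x above
    chmod -R "$grant" "$root"   # open up for the group
}

# Prints "<root mode> <subdirectory mode> <regular file mode>" for a grant.
modes_after() {
    local root out
    root=$(make_tree) || return 1
    apply_steps "$root" "$1"
    out="$(stat -c %a "$root") $(stat -c %a "$root/css") $(stat -c %a "$root/index.html")"
    rm -rf "$root"
    printf '%s\n' "$out"
}

for grant in g+rx g+rwx g+rX; do
    printf '%-6s -> %s\n' "$grant" "$(modes_after "$grant")"
done
```

With `g+rx` every regular file ends up group-executable (650), while `g+rX` leaves files at 640 and still lets the group traverse directories. In all three cases ‘other’ ends with no access, including to the top directory.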
