
File Access Rights on Unix and Linux

One of the most common problems people ask about is how to set up the file access rights on Linux/Unix.

This small topic answers this question by giving you the exact shell commands that set the access rights correctly for your entire TWiki directory tree.

This topic covers TWiki 4.0, 4.1 and 4.2. The two scripts set the same rights, but 4.0 and 4.1 have some small differences in directory structure related to Wysiwyg.

The script below does two things:

  • It changes the owner of the entire directory tree to the user that Apache runs as. Apache is normally started as root and then forks a number of child processes that do all the work. These child processes run as a user with very few privileges on the system. The name of the user is given by the directives User and Group in httpd.conf. Each distribution has its own idea of what this user should be. In Redhat/Fedora/Centos the user name is apache and the group is also apache. SuSE uses wwwrun as the user and www for the group. Other distributions use nobody or www-data.
  • It changes the access rights of all the files in the twiki tree to the same as shipped in the tgz. When you upgrade using the TWiki-VERSION-changed.zip you run into the problem that zip files contain no user rights, so the default rights are used. The script below takes care of this.
In the script below I assume your TWiki tree is /var/www/twiki and the apache user/group is apache.

First we move to the right directory and change ownership

cd /var/www
chown -R apache:apache twiki
cd twiki

Make sure your current working directory is the root of the twiki tree (./core if you checked out from svn). The next step changes the access rights. You can copy one line at a time, or copy the entire next block of text and paste it to a command line.

  • The script prints everything it does, so expect to see a lot of output. If you do not want that, or if -v is not supported on your platform, simply remove all the -v.

For TWiki 5.1.X

Here's a faster (tcsh) script to fix the permissions and ownership.
#! /bin/tcsh -f
set VERBOSE=-v
# Uncomment the following line to silence the output.
# set VERBOSE=

# These are the settings for Ubuntu.
set APACHE_RUN_USER=www-data
set APACHE_RUN_GROUP=www-data

# user:group (the old user.group form is deprecated in GNU chown)
chown -R ${VERBOSE} ${APACHE_RUN_USER}:${APACHE_RUN_GROUP} .
find . -type d -print0 | xargs -0 chmod ${VERBOSE} 755
find data -name '*.txt' -type f -print0 | xargs -0 chmod ${VERBOSE} 644
find data pub -name '*,v' -type f -print0 | xargs -0 chmod ${VERBOSE} 444
find lib locale -type f -print0 | xargs -0 chmod ${VERBOSE} 444
find pub -type f -print0 | xargs -0 chmod ${VERBOSE} 644
find bin -type f -print0 | xargs -0 chmod ${VERBOSE} 555
find templates bin/logos -type f -print0 | xargs -0 chmod ${VERBOSE} 444
find tools -type f -print0 | xargs -0 chmod ${VERBOSE} 555
chmod ${VERBOSE} 644 lib/LocalSite.cfg
chmod ${VERBOSE} 644 data/.htpasswd
chmod ${VERBOSE} 644 data/mime.types
chmod ${VERBOSE} 644 bin/LocalLib.cfg.txt bin/.htaccess.txt
chmod ${VERBOSE} 444 bin/setlib.cfg
chmod ${VERBOSE} 444 tools/extender.pl
chmod ${VERBOSE} 444 working/tmp/README working/README working/registration_approvals/README working/work_areas/README
chmod ${VERBOSE} 660 working/.htaccess
foreach file (AUTHORS COPYING COPYRIGHT index.html INSTALL.html LICENSE pub-htaccess.txt readme.txt robots.txt root-htaccess.txt subdir-htaccess.txt twiki_httpd_conf.txt)
    if (-e $file) chmod ${VERBOSE} 444 $file
end

For TWiki 5.0.X

find . -type d -print -exec chmod -v 755 {} \;
find data -name '*.txt' -type f -exec chmod -v 644 {} \;
find data pub -name '*,v' -type f -exec chmod -v 444 {} \;
find lib -type f -exec chmod -v 444 {} \;
find locale -type f -exec chmod -v 444 {} \;
find pub -type f -exec chmod -v 644 {} \;
find bin -type f -exec chmod -v 555 {} \;
find bin/logos -type f -exec chmod -v 444 {} \;
find templates -type f -exec chmod -v 444 {} \;
find tools -type f -exec chmod -v 555 {} \;
chmod -v 644 lib/LocalSite.cfg
chmod -v 644 data/.htpasswd
chmod -v 644 data/mime.types
chmod -v 644 bin/LocalLib.cfg.txt bin/.htaccess.txt
chmod -v 444 bin/setlib.cfg
chmod -v 444 tools/extender.pl
chmod -v 444 working/tmp/README working/README working/registration_approvals/README working/work_areas/README
chmod -v 660 working/.htaccess
chmod -v 444 AUTHORS COPYING COPYRIGHT index.html INSTALL.html LICENSE pub-htaccess.txt readme.txt robots.txt root-htaccess.txt subdir-htaccess.txt twiki_httpd_conf.txt

For TWiki 4.2.X

find . -type d -print -exec chmod -v 755 {} \;
find data -name '*.txt' -type f -exec chmod -v 644 {} \;
find data pub -name '*,v' -type f -exec chmod -v 444 {} \;
find lib -type f -exec chmod -v 444 {} \;
find locale -type f -exec chmod -v 444 {} \;
find pub -type f -exec chmod -v 644 {} \;
find bin -type f -exec chmod -v 555 {} \;
find bin/logos -type f -exec chmod -v 444 {} \;
find templates -type f -exec chmod -v 444 {} \;
find tools -type f -exec chmod -v 555 {} \;
chmod -v 644 lib/LocalSite.cfg
chmod -v 644 data/.htpasswd
chmod -v 644 data/mime.types
chmod -v 644 bin/LocalLib.cfg.txt bin/.htaccess.txt
chmod -v 444 bin/setlib.cfg
chmod -v 444 tools/extender.pl
chmod -v 444 working/tmp/README working/README working/registration_approvals/README working/work_areas/README
chmod -v 660 working/.htaccess
chmod -v 444 AUTHORS COPYING COPYRIGHT index.html INSTALL.html LICENSE pub-htaccess.txt readme.txt robots.txt root-htaccess.txt subdir-htaccess.txt TWikiHistory.html twiki_httpd_conf.txt TWikiReleaseNotes04x02.html 

For TWiki 4.1.X

find . -type d -print -exec chmod -v 755 {} \;
find data -name '*.txt' -type f -exec chmod -v 644 {} \;
find data pub -name '*,v' -type f -exec chmod -v 444 {} \;
find lib -name '*.pm' -type f -exec chmod -v 444 {} \;
find locale -type f -exec chmod -v 444 {} \;
find pub -type f -exec chmod -v 644 {} \;
find pub/TWiki/KupuContrib -type f -exec chmod -v 444 {} \;
find bin -type f -exec chmod -v 555 {} \;
find bin/logos -type f -exec chmod -v 444 {} \;
find templates -type f -exec chmod -v 444 {} \;
find tools -type f -exec chmod -v 555 {} \;
chmod -v 644 lib/LocalSite.cfg
chmod -v 644 data/.htpasswd
chmod -v 644 data/mime.types
chmod -v 444 bin/LocalLib.cfg.txt
chmod -v 444 bin/.htaccess.txt
chmod -v 444 pub/_work_areas/.htaccess
chmod -v 444 pub/_work_areas/README
chmod -v 444 AUTHORS COPYING COPYRIGHT index.html INSTALL.html LICENSE pub-htaccess.txt readme.txt robots.txt root-htaccess.txt subdir-htaccess.txt TWikiHistory.html twiki_httpd_conf.txt TWikiReleaseNotes04x01.html 

For TWiki 4.0.X

find . -type d -print -exec chmod -v 755 {} \;
find data -name '*.txt' -type f -exec chmod -v 644 {} \;
find data pub -name '*,v' -type f -exec chmod -v 444 {} \;
find lib -name '*.pm' -type f -exec chmod -v 444 {} \;
find locale -type f -exec chmod -v 444 {} \;
find pub -type f -exec chmod -v 644 {} \;
find pub/TWiki/WysiwygPlugin/_kupu -type f -exec chmod -v 444 {} \;
find bin -type f -exec chmod -v 555 {} \;
find bin/logos -type f -exec chmod -v 444 {} \;
find templates -type f -exec chmod -v 444 {} \;
find tools -type f -exec chmod -v 555 {} \;
chmod -v 644 lib/LocalSite.cfg
chmod -v 644 data/.htpasswd
chmod -v 644 data/mime.types
chmod -v 444 bin/LocalLib.cfg.txt
chmod -v 444 bin/.htaccess.txt
chmod -v 444 pub/_work_areas/.htaccess
chmod -v 444 pub/_work_areas/README 
chmod -v 444 AUTHORS COPYING COPYRIGHT index.html INSTALL.html LICENSE pub-htaccess.txt readme.txt robots.txt root-htaccess.txt subdir-htaccess.txt TWikiHistory.html twiki_httpd_conf.txt TWikiReleaseNotes04x00.html 
chmod -v 555 UpgradeTwiki
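As an added example, not code from the original page or from the TWiki distribution: a POSIX sh version of the 5.x policy above, applied with find -print0 | xargs -0 in "general first, then particular" order so that *,v history files under pub stay read-only, followed by an audit function that reports anything drifting from the policy (world- or group-writable entries, writable code under lib, non-executable CGI scripts). The function names and the constructed sample tree are my own, and GNU find/xargs on Linux are assumed.

```shell
#!/bin/sh
# Added example (not part of the TWiki distribution). Applies the policy of the
# 5.x scripts above to the tree in $1 with find -print0 | xargs -0, keeping the
# "general first, then particular" order so *,v history files under pub/ stay
# read-only, and then audits the tree for anything that drifted. Assumes GNU
# find/xargs (Linux). Ownership (chown) is left to the scripts above.

twiki_apply_perms() {                                   # $1 = TWiki root
    r=$1
    find "$r" -type d -print0 | xargs -0 -r chmod 755
    find "$r" -type f -print0 | xargs -0 -r chmod 444     # general: read-only
    find "$r/data" -name '*.txt' -type f -print0 | xargs -0 -r chmod 644
    find "$r/pub" -type f ! -name '*,v' -print0 | xargs -0 -r chmod 644
    find "$r/bin" "$r/tools" -type f ! -path "$r/bin/logos/*" ! -name '*.txt' \
         ! -name extender.pl -print0 | xargs -0 -r chmod 555
    for f in lib/LocalSite.cfg data/.htpasswd data/mime.types \
             bin/LocalLib.cfg.txt bin/.htaccess.txt; do      # particular cases
        if [ -e "$r/$f" ]; then chmod 644 "$r/$f"; fi
    done
    if [ -e "$r/working/.htaccess" ]; then chmod 660 "$r/working/.htaccess"; fi
}

# Print one line per broken rule under $1 and return 1 if anything is wrong.
twiki_perm_audit() {
    r=$1; bad=0
    check() {                       # $1 = description, rest = find arguments
        desc=$1; shift
        n=$(find "$@" | wc -l)
        [ "$n" -eq 0 ] || { echo "FAIL: $n $desc"; bad=1; }
    }
    check "world-writable entries" "$r" -perm -o=w
    check "group-writable files other than working/.htaccess" \
          "$r" -type f -perm -g=w ! -path "$r/working/.htaccess"
    check "writable files under lib/ other than LocalSite.cfg" \
          "$r/lib" -type f -perm -u=w ! -name LocalSite.cfg
    check "writable *,v history files" "$r/data" "$r/pub" -name '*,v' -perm -u=w
    check "topics the server user cannot write" "$r/data" -name '*.txt' ! -perm -u=w
    check "non-executable CGI scripts under bin/" \
          "$r/bin" -type f ! -path "$r/bin/logos/*" ! -name '*.txt' ! -perm -u=x
    return $bad
}

# Constructed miniature TWiki tree under $1, for trying the two functions out.
twiki_make_sample_tree() {
    r=$1
    mkdir -p "$r/bin/logos" "$r/lib" "$r/data/Main" "$r/pub/Main" "$r/tools" "$r/working"
    for f in bin/view bin/.htaccess.txt bin/logos/logo.gif lib/TWiki.pm lib/LocalSite.cfg \
             data/.htpasswd data/Main/WebHome.txt data/Main/WebHome.txt,v \
             pub/Main/photo.jpg pub/Main/photo.jpg,v tools/extender.pl working/.htaccess; do
        : > "$r/$f"
    done
}
```

On a real installation run twiki_apply_perms /var/www/twiki as the owner of the tree (root, after the chown above) and then twiki_perm_audit /var/www/twiki; a clean tree prints nothing and returns 0.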

SELinux Systems

SELinux users and roles are not related to the actual system users and roles. For every current user or process, SELinux assigns a three-string context consisting of a role, user name, and domain (or type).

Simply append this line to the end of whichever of the above scripts best suits your needs, or type it into the command line yourself:

chcon -Rt httpd_sys_content_t .

-- Contributors: KennethLavrsen, PeterThoeny



Comments & Questions about this Supplemental Document Topic

This is equally useful for MacOSX

-- SueBlake - 10 Sep 2006

I found that this method doesn't work on my Ubuntu system. I am using a debian package provided by SvenDowideit. Debian has very strict rules about file ownership and directory layout.

In my installation the perl files are owned by root, group root, so permissions need to be 444 so that user www-data can read them. Similar changes (permissions 755, 644, etc.) need to be made for the bin directory, logos, templates, etc.

-- JoeReinhardt - 25 Oct 2006

During installation I followed step by step all the instructions given under TWikiOnRedHat. One of the steps there is to change the file users and perms by running the above list of commands. When I ran them, the "chmod -v 660 lib/LocalSite.cfg" command gave me a file not found error, as the installation procedure does not say when this file needs to be created. So I had not created the actual LocalSite.cfg and still had ONLY the LocalSite.cfg.txt file.

-- KaushalCavale - 21 Nov 2006

There is a lib/LocalSite.cfg.txt file in the distribution; it acts as a template file, and you do not really need it. The first time you run configure and save its settings, the lib/LocalSite.cfg is created for you.

-- PeterThoeny - 21 Nov 2006

The default file permissions are too strict and fail on all but shared hosted sites with suExec, which is not a typical server environment for the target users of TWiki. See suggested change in Bugs:Item3280.

-- PeterThoeny - 12 Dec 2006

We will extend this supplemental document with several examples of access rights for different Unix/Linux environments. From 4.1 INSTALL.html will point to this topic which will either be an index page or an advanced script like the ApacheConfigGenerator where you enter a set of requirements and get the right script.

-- KennethLavrsen - 18 Dec 2006

For the script, I would not distinguish between TWiki versions (the 440 is just of historical value). Better to distinguish standard Linux install on dedicated server, shared host install without suexec, shared host install with suexec, etc.

-- PeterThoeny - 30 Dec 2006

If you are running on a hosted machine using suExec like DreamHost you need to have the access rights for "other" set to the same as for "user" in that example. So typically replace the 0 with the user value.

So for instance you get:
find data -name '*.txt' -type f -exec chmod -v 666 {} \;
Instead of:
find data -name '*.txt' -type f -exec chmod -v 660 {} \;

-- StephaneLenclud - 11 Jan 2007

Shall we add that script to the root of the release distribution and call it something like fixaccessright.sh?

-- StephaneLenclud - 12 Jan 2007

The 4.1 settings seem to be working great. I have adjusted above 4.0 script to set same access rights as we decided for 4.1. The reason there is still a 4.0 script is that the directories and files have changed a little between 4.0 and 4.1 and it may be confusing to get file not found warnings.

There are two reasons for not putting a script in the root. 1. The directory structure is not always exactly as distributed. 2. I know some put the entire twiki directory in a place where things are executable, and I do not like to have a chmod script being executable from a browser even if it normally would be harmless.

-- KennethLavrsen - 15 Jan 2007

I am on a 1and1 shared host using Debian. It has a user of "www" and group of "www". I cannot chown (probably because I am not the superuser). I can chgrp, but only to a group I am a member of, and I don't seem to be in the same group as "www". So the end result is I can change permissions, but not ownership.

This has given me some problems. I have been able to fix them by granting read permissions to "others", but I am not sure if that is secure.

-- EricWoods - 07 Feb 2007

Also, I found your description of what is happening ("forks out a number of child processes" etc) very helpful. However, I have one question: .htpasswd only lets owner write to it, but for me, needs read access for owner, group and everyone. Therefore, these child processes don't seem to be classified as 'owners', yet somehow the file can have new TWiki users written to it. If it is not a child process writing to .htpasswd, what is?

-- EricWoods - 07 Feb 2007

On the TWikiVMDebianStable Linux / Twiki Image the command on the top of this page would be:

cd /home/httpd
chown -R www-data twiki
cd twiki

-- WilliamKahler - 22 Mar 2007

The following two commands didn't execute because the files were not present, but may be they will appear after I install. I am using Ver 4.1.2:

chmod -v 644 lib/LocalSite.cfg
chmod -v 644 data/.htpasswd

-- VenkataGanti - 28 Jul 2007

The commands don't work on my BusyBox.

chmod: invalid mode: -v

-- ThomasHesse - 01 Nov 2007

Sorry, I don't see: The script prints everything it does, so expect to see a lot of output. If you do not want that, remove all the -v.

-- ThomasHesse - 01 Nov 2007

I used -R on my BusyBox v1.1.0 instead of -v that seems to work. Guess I could have removed -v, hm maybe -v should be removed from the script in order to make it more compatible.

-- FranzJosefGigler - 01 Nov 2007

Isn't there a '*.pm' missing in this 4.2.x line?

find lib -name -type f -exec chmod -v 444 {} \;

-- MarcoPoli - 02 Nov 2007

Seems like it. Since this is a wiki you can make the change!

-- PeterThoeny - 02 Nov 2007

No, the 4.2 script is correct. There are now a couple of non-.pm files that also need protection as 444. So first I set all to 444, and then I loosen up lib/LocalSite.cfg to 644.

-- KennethLavrsen - 06 Nov 2007

Then use '*.*' as parameter as I had to do on my BusyBox to get it going. It seems that some chmod versions don't support the -v parameter, so why not drop it or use -R instead?

-- FranzJosefGigler - 06 Nov 2007

The use of chmod with -R is usually a bad idea since you need execute rights for directories, but don't want them for files. Regarding this, I'd think that the correct solution is to drop the -name parameter. It isn't needed, but if it is given, it requires a name expression. I'll fix that.

-- HaraldJoerg - 06 Nov 2007

Thanks for the explanation. Would it be bad to drop the -v parameter as well, it is not needed either, right?

-- FranzJosefGigler - 06 Nov 2007

Correct, -v is not needed for the commands to work. It is short for --verbose and prints what it is doing. According to http://www.busybox.net/downloads/BusyBox.html both its chmod and chown commands support -v. So, I'd prefer not to remove it, and rather add a comment about its purpose.

-- HaraldJoerg - 06 Nov 2007

There seems to be an error in these scripts, as otherwise I believe there is no point in having pub in the 3rd line since the 6th line changes permissions for all files in pub. Or should the order of these two lines be changed?

-- DanielBiren - 23 Feb 2008

Yes, there are some errors. How about this then. First do the general, then the particular:

#!/bin/sh

TWIKI=/usr/local/mytwiki

# General rules first: directories traversable, every file read-only
find $TWIKI       -type d -exec chmod -v 755 '{}' \;
find $TWIKI       -type f -exec chmod -v 444 '{}' \;
# Then the particular cases: content the server writes, and the CGI scripts
find $TWIKI/data  -type f -exec chmod -v u+w '{}' \;
find $TWIKI/pub   -type f -exec chmod -v u+w '{}' \;
find $TWIKI/bin   -type f -exec chmod -v a+x '{}' \;
find $TWIKI/tools -type f -exec chmod -v a+x '{}' \;

chmod -v u+w $TWIKI/lib/LocalSite.cfg
chmod -v u+w $TWIKI/data/.htpasswd
chmod -v u+w $TWIKI/data/mime.types
chmod -v u+w $TWIKI/bin/LocalLib.cfg.txt $TWIKI/bin/.htaccess.txt
chmod -v u=rw,g=rw,o= $TWIKI/working/.htaccess

-- DavidTonhofer - 2008-10-19

How do these settings change for Twiki 5.0?

-- JackVinson - 2010-11-04

I added a TWiki-5.0 section.

-- PeterThoeny - 2010-11-04

Changed reference to other (Apache) distributions (Ubuntu) from wwwdata to www-data

-- GeorgeTrubisky - 2010-12-17

As a suggestion, since I spent a good few hours screaming at error logs and running ls -al furiously and thought I'd save others the bother: on SELinux, even when all of the above permissions are correct, permission may still be denied. (For those that don't know, SELinux makes use of a "security context". These special permissions can be viewed via ls -Z, although man ls on any SELinux distro will tell you that.)

From the root directory, as well as with the already suggested set of commands: chcon -Rt httpd_sys_content_t .

However, be warned I'm still very new to the concepts of security context introduced by SELinux. If anybody more experienced than I can see a security issue with the above suggested command, please point it out.

-- OwenDyckhoff - 2011-07-05

Thank you Owen for the feedback. Please feel free to update the article above.

-- PeterThoeny - 2011-07-06

SELinux section added

-- OwenDyckhoff - 2011-07-06

I added a tcsh version of the script that makes use of xargs so that the chmod program is not invoked for every file, but, instead, is passed a list of files. -- SteveKelem - 2012-04-12

Thanks Steve!

-- PeterThoeny - 2012-04-13

Topic revision: r45 - 2012-04-13 - PeterThoeny