0

I need the directory /var/www/ (and everything inside it) to be modifiable by only authorized users.

The way I tried to do this was:

sudo groupadd webmasters sudo usermod -G webmasters pi # My user is pi sudo chown -R root:webmasters /var/www/ sudo chmod -R ug+rw /var/www/

...but I can't modify anything in /var/www/, nor can I create new files in it.

What am I doing wrong? How do I set this up the way it needs to be?

What I'm envisioning is:

  • Everyone in the group webmasters can create, delete, and edit files in /var/www/
  • All newly-created files/folders are owned by root:webmasters
  • All newly created files have permissions 775: -rwxrwxr-x
  • Is is vital that no one without authorization be able to have write permissions, OR any sort of Setuid/Setgid ability. (Authorization for write access can only be granted by Root.)

Am I taking the wrong approach to this? Do I have the right idea, but I'm just messing something up? What's going wrong?

Improve this question
2
  • Output of getent group webmasters is webmasters:x:1005:pi, so I know I'm in the group... Commented Jul 2, 2013 at 23:42
  • 1
    Have you logged in again after adding yourself to the group? The kernel's process management doesn't care about changes to /etc/groups after a process has been created and initialized. Commented Jul 3, 2013 at 0:26

1 Answer 1

Reset to default
0

It's not enough that a user's been added to a group in the /etc/group file through the usermod -G command. This updates the "database" but any shells/processes that have been already created prior to this update will not reflect that the user that owns them, pi, has been added to this new group.

Usually you don't want to use the getent commands when interrogating a shell, but rather the command id, or more specifically id -a.

example

Here I've just added my username saml to the group newgrp. The command getent confirms this:

$ getent group newgrp newgrp:x:10000:saml

But the command id -a tells a different story in one of the shells that I already had open:

$ id -a uid=500(saml) gid=501(saml) groups=501(saml),502(vboxusers),503(jupiter)

If I start up a new shell I'll see newgrp:

$ ssh localhost Last login: Fri Jun 28 00:17:13 2013 from localhost.localdomain $ id -a uid=500(saml) gid=501(saml) groups=501(saml),502(vboxusers),503(jupiter),10000(newgrp)
Improve this answer
2
  • Awesome! Logging out, then in, fixed the permissions! Now to set default ownership of newly-created files... Commented Jul 3, 2013 at 2:58
  • @JamesTheAwesomeDude - I believe your approach is fine, you just needed to logout/in to get the group to show up so you'd have permissions. Commented Jul 3, 2013 at 3:48

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.