
File system permissions and Unix groups

Access to your server's file system is controlled by normal Unix permissions. The defaults are suitable for many straightforward sites but you can alter them if necessary.

Administrators and SSH-only users each have a home directory that they can write to and that all other users can read.  Administrators and SSH-only users also have write access to the docroot, cgi-bin, and admindir directories of each website on the server.

The permissions and ownership of the docroot, cgi-bin, and admindir directories for each web site can't be changed. Administrators and SSH-only users can modify the permissions and ownership of the files and directories within them according to normal Unix rules.

On a newly built server, the Apache webserver user (www-data) does not have write access to docroot, cgi-bin, or admindir. You can grant it write access to particular files or directories by adjusting group ownership (see below). You can also grant the webserver write access to the docroot directory of a particular site for one hour from the panel ('Server Settings' -> 'Web Sites', then click the mws gears icon against the appropriate site). You may find this useful for systems like WordPress, where the web server can be used to install updates but needs write access to do so (n.b. you will need to have made the relevant files/directories within docroot group-writeable before using the mws gears icon facility described above).

Unix Groups

 

All Administrators and SSH-only users are automatically members of the 'site-admin' Unix group. They are also members of the 'www-data' group which additionally contains the Apache webserver user. The easiest way to make a file or directory writeable by the web server user is to set its group to 'www-data'.

You can also create additional groups of users as needed, perhaps to restrict access to some areas of the file system to particular users. Select the "Server settings" section on your site panel and then click "Unix groups". This lists any existing Unix groups that have been created by the site owners, and has an "Add a new Unix group" link. Selecting that takes you to the page for creating a new Unix group.

The name of the group can only contain capital letters. Members are added to the group one at a time, and there is a built-in check using Lookup to help add the correct users. Only users in Lookup can be added.

 

mws_chmod and mws_chgrp



The Unix commands chmod and chgrp can only be applied to files
and directories the user owns. We have created two utilities,
mws_chmod and mws_chgrp, that server administrators can use to
change the permissions or group of files and directories
(within a docroot directory) that they are not the owner of.

The full pathnames of these commands are
/usr/local/bin/mws_chmod and /usr/local/bin/mws_chgrp, and their usage (like that of the commands chmod and chgrp) is:

/usr/local/bin/mws_chmod [-R] mode[,mode] path


and

/usr/local/bin/mws_chgrp [-R] group path

where the -R option will make the change recursively, including files and directories within any subdirectories of "path".

Examples:

Remove group-write from file "file1":

   /usr/local/bin/mws_chmod g-w file1


Make directory "dir1" and its contents group-writeable:

   /usr/local/bin/mws_chmod -R g+w dir1


Make file "file1" group site-admin:

   /usr/local/bin/mws_chgrp site-admin file1



Make directory "dir1" and its contents group www-data:

   /usr/local/bin/mws_chgrp -R www-data dir1
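
An added example, not part of the MWS tooling: before using the one-hour write facility it helps to see what the web server could already modify. The functions below list paths under a docroot that are group-writeable with group www-data (or world-writeable) and print, without running them, mws_chmod commands that would remove that access. The function names and the optional "keep" path are hypothetical, and path names are assumed to contain no quotes or newlines.

```shell
#!/bin/sh
# Added example (not MWS code): audit what the web server group can write to.

# List paths under DIR that the web server could modify: group-owned by GROUP
# and group-writeable, or world-writeable. Symlinks are skipped because their
# own mode bits are not used for access checks.
webserver_writable() {
    dir=$1
    group=${2:-www-data}    # group containing the Apache user, per this page
    find "$dir" ! -type l \
        \( \( -group "$group" -perm -020 \) -o -perm -002 \) -print
}

# Print (do not execute) one mws_chmod command per path found above.
# KEEP is an optional path that should stay writeable (for example an
# uploads directory); it and everything beneath it are left out.
revoke_commands() {
    dir=$1
    group=${2:-www-data}
    keep=${3:-}
    webserver_writable "$dir" "$group" | while IFS= read -r p; do
        if [ -n "$keep" ]; then
            case $p in
                "$keep"|"$keep"/*) continue ;;
            esac
        fi
        # mode[,mode] syntax as given in the usage line on this page
        printf "/usr/local/bin/mws_chmod g-w,o-w '%s'\n" "$p"
    done
}
```

Review the printed commands before running any of them; a directory the application must write to at run time belongs in the keep argument.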