[TriLUG] Re: fedora core 3 permishions

Aaron S. Joyner aaron at joyner.ws
Fri Mar 25 11:51:00 EST 2005


Lance A. Brown wrote:

>Merle Watts wrote:
>
>>currently I am just creating text files in the html folder to see it is working. After creating the file it doesn't have the proper permissions
>
>If SELINUX is disabled, you should only need to make the file mode 644 and
>directories mode 755 for things to work right...
>
>--[Lance]

This isn't entirely true.  When you create a file in most any UNIX 
system, its initial permissions and ownership are defined by two things 
- your umask, your username, and your primary group.  The umask defines 
the permissions - it  is essentially a bitmask of permissions that the 
file *won't* get by default.  All files will be owned by your effective 
username (1), and they will be owned by your primary group (2).  Things 
are handled in this manner such that by default, you're not giving away 
permissions to things you don't intend to.  If your only goal is for 
Apache to be able to read these files and serve them up, you can set the 
last bit of your umask to 2, something like 022 should be a sufficient 
setting.  This basically says, when I create a file, make the 
permissions 755, which means rwx by me, and rx by my primary group, and 
everyone else.  Apache, regardless of the group ownership of the file, 
will fall into the permissions category of "Other", and be able to read 
and execute.  If that doesn't do the trick for you, post back and we'll 
see about further fine-tuning your problem.

You can change your uname with the uname command, I'd recommend checking 
your shell startup scripts as the command is likely already run for you 
somewhere along the line.  Also, don't forget to `rm -rf /` the file 
system afterwards, in order to retroactively force the changes.  This 
should ensure that your umask changes are applied universally.  (3) 

You can of course use the suggestion by James to set the sticky bit on 
the directory, so that all files will have their group set to the group 
of the parent directory, but then you'll need to do that for all 
subsequently created directories as well - not a solution I would 
personally recommend.

Aaron S. Joyner

1) Unless you're doing very unusual things.
2) This can be changed with newgrp, but that's probably not how you want 
to handle this case
3) This included to make Jason happy.  If you run the command without 
reading the man page, please contact my legal representation, Jason 
Tower.  :)
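
The umask behaviour discussed in this message, as an added example that is not part of the original post: it creates a file and a directory under a given umask and reports the resulting modes, then lists anything under a directory that the "other" permission class (where the post places Apache) could not read. It assumes GNU `stat` and `find`; the function names are made up for the example, and every path is a constructed temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU stat/find.

# modes_under_umask MASK
# Prints "<file-mode> <dir-mode>" (octal) for objects created under MASK.
# touch asks the kernel for 0666 and mkdir for 0777; the umask bits are
# then removed, so the same mask gives different results for each.
modes_under_umask() {
    (
        umask "$1" || exit 1
        work=$(mktemp -d) || exit 1   # constructed scratch directory
        touch "$work/f"
        mkdir "$work/d"
        f=$(stat -c '%a' "$work/f")
        d=$(stat -c '%a' "$work/d")
        rm -rf "$work"
        echo "$f $d"
    )
}

# not_world_readable DIR
# Lists paths under DIR that a process in the "other" class could not
# serve: regular files without o+r, directories without o+r and o+x.
not_world_readable() {
    find "$1" \( \( -type f ! -perm -004 \) -o \
                 \( -type d ! -perm -005 \) \) -print
}

# Show the effect of a few masks when run directly.
for m in 022 027 077; do
    echo "umask $m -> file/dir modes: $(modes_under_umask "$m")"
done
```

Running `not_world_readable` against a document root before and after a `chmod` shows exactly which entries still block the web server.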



