I have a directory to store invoices:

drwxrwxr-x 2 me www-data 49152 Sep 9 13:38 invoices

There are two applications that write files to this dir.

- PHP web application

-rw-r--r-- 1 www-data www-data 7681 Sep 9 13:38 invoice_1.html

- Python script

-rw-rw-r-- 1 me me 8911 Sep 4 06:04 invoice_2.html

Now I want to overwrite invoice_2.html from the web application. How do I do that?

I don't want to add www-data to the me group. I don't know how, but that will make my server vulnerable to security threats.

Help me out.

Thanks.
Best Answer
Two options (both carried out as root):

First

If you're happy to have me be a member of the www-data group:

1. Add the user me to the www-data group:
2. Set the SetGID flag on the invoices directory:

Now, any files created in the invoices directory will have their group set to www-data (the group of the directory) due to the SetGID bit being set. As the user me is in this group, the user will have permission to write to that file.

Second

If you don't want the user me to be a member of the www-data group, then...

1. Create a new group - invoices.
2. Add the users me and www-data to this group.
3. Change the group of the invoices directory to this new group (invoices).
4. Make sure that the group invoices has write permission on the directory:
5. Set the SetGID flag on the invoices directory:

Now, the invoices directory will be owned by the invoices group and any files created within it will have their group set to invoices due to the SetGID bit being set on the directory. Both me and www-data have write permission as they are members of the invoices group which has this write permission.
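The second option as a script, plus an audit a practitioner can run afterwards. This is an added example, not code from the answer above; it assumes the group name invoices, the users me and www-data, and a directory path passed as the first argument, and setup_shared_dir must run as root.

```shell
# Added example, not from the answer above: the "Second" option as a script,
# plus audit functions. Assumed names: group "invoices", users "me" and
# "www-data"; the directory is the first argument. Setup needs root.

# Create the dedicated group, add the users to it, and make the directory
# group-owned, group-writable and SetGID so new files inherit the group.
setup_shared_dir() {
    dir=$1; group=$2; shift 2           # remaining arguments: users to add
    getent group "$group" >/dev/null || groupadd "$group"
    for u in "$@"; do usermod -a -G "$group" "$u"; done
    # SetGID only affects files created from now on; existing files such as
    # invoice_2.html (group "me") must be re-grouped explicitly, hence -R.
    chgrp -R "$group" "$dir"
    chmod g+w,g+s "$dir"
}

# Audit the directory: returns 0 if it is owned by $group, group-writable
# and SetGID; otherwise prints the reason and returns 1.
check_shared_dir() {
    dir=$1; group=$2
    [ -d "$dir" ] || { echo "not a directory: $dir"; return 1; }
    line=$(ls -ld "$dir")               # e.g. "drwxrwsr-x 2 me invoices ..."
    case $(echo "$line" | cut -c6) in   # 6th char of the mode: group write
        w) ;;
        *) echo "group lacks write permission on $dir"; return 1 ;;
    esac
    [ -g "$dir" ] || { echo "SetGID bit not set on $dir"; return 1; }
    actual=$(echo "$line" | awk '{print $4}')
    [ "$actual" = "$group" ] || { echo "group is $actual, expected $group"; return 1; }
    return 0
}

# Audit the files: inheriting the group is not enough if the creating
# process's umask left the file mode 644 (as invoice_1.html is above); such a
# file cannot be opened for writing by the other user. Prints offenders,
# returns 1 if any were found.
check_shared_files() {
    dir=$1; group=$2; rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        line=$(ls -l "$f")
        g=$(echo "$line" | awk '{print $4}')
        if [ "$(echo "$line" | cut -c6)" != w ] || [ "$g" != "$group" ]; then
            echo "not writable by group $group: $f"; rc=1
        fi
    done
    return $rc
}
```

Run setup_shared_dir /path/to/invoices invoices me www-data as root, then check_shared_dir and check_shared_files with the directory and group name. The file check covers what the answer leaves implicit: overwriting a file in place needs write permission on the file itself, so the umask of the application that created it matters as much as the directory's SetGID bit.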