Create files that both www-data and theuser can edit


I have a directory to store invoices –

drwxrwxr-x  2 me www-data   49152 Sep  9 13:38 invoices

There are two applications that write files to this dir.

  1. PHP web application

    -rw-r--r-- 1 www-data www-data 7681 Sep 9 13:38 invoice_1.html

  2. Python script

    -rw-rw-r-- 1 me me 8911 Sep 4 06:04 invoice_2.html

Now I want to overwrite invoice_2.html from the web application. How do I do that?

I don't want to add www-data to me group. I don't know how but that will make my server vulnerable to security threats.

Help me out.

Thanks.

Best Answer

Two options (both carried out as root):

First

If you're happy to have me be a member of the www-data group:

Add the user me to the www-data group:

# usermod -a -G www-data me

Set the SetGID flag on the invoices directory:

# chmod g+s /<path>/<to>/invoices

Now, any files created in the invoices directory will have their group set to www-data (the group of the directory) due to the SetGID bit being set. As the user me is in this group, then the user will have permission to write to that file.

Second

If you don't want the user me to be a member of the www-data group, then...

Create a new group - invoices.

# groupadd invoices

Add the users me and www-data to this group.

# usermod -a -G invoices me
# usermod -a -G invoices www-data

Change the group of the invoices directory to this new group (invoices).

# chown .invoices /<path>/<to>/invoices

Make sure that the group invoices has write permission on the directory:

# chmod g+w /<path>/<to>/invoices

Set the SetGID flag on the invoices directory:

# chmod g+s /<path>/<to>/invoices

Now, the invoices directory will be owned by the invoices group and any files created within it will have their group set to invoices due to the SetGID bit being set on the directory. Both me and www-data have write permission as they are members of the invoices group which has this write permission.
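An audit script to run after applying either option, added here as an example and not part of the answer above. It checks the directory's group, setgid and group-write bits, and then every file in it, because setgid only fixes the inherited group: a file created by a process with umask 022 (the -rw-r--r-- invoice_1.html in the question) is still not group-writable and the other account cannot overwrite it. It assumes GNU stat, and the constructed demo uses a temporary directory and the caller's own primary group, since creating www-data or invoices requires root.

```shell
#!/bin/sh
# check_shared_dir DIR GROUP: prints one line per problem found, returns 0 if
# every member of GROUP can create and overwrite files in DIR, 1 otherwise.
check_shared_dir() {
    dir=$1 group=$2 rc=0
    mode=$(stat -c '%a' "$dir")
    if [ "$(stat -c '%G' "$dir")" != "$group" ]; then
        echo "FAIL: $dir is not owned by group $group (chown :$group needed)"; rc=1
    fi
    if [ $(( 0$mode & 02000 )) -eq 0 ]; then
        echo "FAIL: $dir has no setgid bit; new files will not inherit group $group"; rc=1
    fi
    if [ $(( 0$mode & 020 )) -eq 0 ]; then
        echo "FAIL: $dir is not group-writable; group members cannot create files"; rc=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        fgroup=$(stat -c '%G' "$f")
        fmode=$(stat -c '%a' "$f")
        if [ "$fgroup" != "$group" ]; then
            echo "FAIL: $f belongs to group $fgroup, not $group"; rc=1
        fi
        # Setgid only sets the group. A creator with umask 022 still produces
        # -rw-r--r-- (644), which the other account cannot overwrite.
        if [ $(( 0$fmode & 020 )) -eq 0 ]; then
            echo "FAIL: $f is not group-writable (creator's umask); chmod g+w needed"; rc=1
        fi
    done
    return $rc
}

# Constructed demo standing in for /<path>/<to>/invoices: the directory is set
# up as the answer describes, with one file per application from the question.
demo_invoices() {
    d=$(mktemp -d)
    chmod 2770 "$d"                                          # g+w and g+s
    : > "$d/invoice_1.html"; chmod 644 "$d/invoice_1.html"   # PHP app, umask 022
    : > "$d/invoice_2.html"; chmod 664 "$d/invoice_2.html"   # Python script
    printf '%s\n' "$d"
}

demo=$(demo_invoices)
if check_shared_dir "$demo" "$(id -gn)"; then
    echo "OK: both accounts can edit every file in $demo"
else
    echo "problems found in $demo"      # invoice_1.html is reported here
fi
```

The same umask problem applies to the first option; fixing it means either making both writers create files with umask 002 or relaxing the mode after creation.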
