Nick Fletcher's picture

I just recently installed the LAMP version of Turnkey.  The issue I'm having is whenever a normal user logs into the file manager via Webmin and extracts a compressed file, the output is always owned by root.  I have Browse files as Unix user set in the backend but it doesn't seem to affect this issue.

Any ideas on what I can do to fix this?

Thanks

Drew Ruggles's picture

Why do you have "Normal" users using File Manager? File Manager is really meant for admins, like myself, who find more meaning in a graphical paradigm than a text based one.

Nick Fletcher's picture

I have multiple web developers that need to be able to log in and extract and/or compress archives on the server since it can't be done via FTP.

Drew Ruggles's picture

Even if they are "Normal" users -- I don't consider web developers normal in any social context -- they will only have rw privileges for the directories they have been given rights to. It doesn't matter if .gz is owned by root in that directory, as "user" won't be able to do "root privilege" actions beyond the scope of their privileged areas. What behavior are you trying to restrict to these users that is not already implemented?

Nick Fletcher's picture

I need them to be able to upload and extract archives, and then modify them in the directory I've given them RW access to, which is /var/www.  Does that make any sense?

Drew Ruggles's picture

Sounds like you're already there. So they upload a file, extract it, it has "root" as the owner, but "so what?" Can they continue to work...? I think they can.... So far, I'm not hearing anything that is preventing your devs from performing the activities you have described, based on File Manager extracting an archive as "root". Is it just a "gut instinct?" Because it could just be a "gut" feeling from hitting the Applebee's too hard...

Nick Fletcher's picture

They can't modify the extracted files because they're owned by root when you extract them in the file manager.  

Drew Ruggles's picture

File Manager > select directory above directory you want to change in the left panel. In the right panel, select the directory you want to change permissions for, then click the [ i ] button. Change ownership > {user} or {group}

Apply Changes to > This directory and all subdirectories

[Save]

e.g. screenshot (not real) -- be sure to have these actual users and groups

Jeremy Davis's picture

Because as Drew pointed out, Webmin is a server admin tool. I don't use it much so I may be wrong and perhaps what you want is possible but I don't think so.

Usermin may be more what you are after? I haven't used it myself, but from my understanding it allows users more limited access and actually uses Linux user accounts (and thus their credentials and permissions, rather than the root account of the server itself).

The workaround Drew posted should work fine, but other alternative ways to do what you want may be better options. IMO it's poor security practice to give users any more access than they need. Even if you limit the Webmin user's access to the File Manager, they still have root access to the whole filesystem! Not a good idea IMO. Even if you can trust them, mistakes can happen!

So (assuming I'm right about how it works) you could look at Usermin and set up a Linux user who is a member of the www-data (webserver) group. That way they will be able to upload/download/edit any files owned by www-data (assuming you set permissions that way) and all uploaded files will be owned by the user, but accessible by the webserver account (again assuming you set up users that way).

Other options are to use SFTP and create a new Linux user (as I discussed above) and set their home folder as the /var/www folder. Or another option could be to install Samba and make /var/www a Windows share.

If you want to look at these other options and need a hand setting them up I'm happy to help out (although it'd be the blind leading the blind if you want to go the Usermin route).
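An added example, not part of any post in this thread: a check for the group-based setup suggested above, listing entries under a shared web root that members of the developer group cannot modify (such as archives extracted by a root-run file manager) and directories where new files will not inherit the group. The function name `audit_webroot` is hypothetical; `/var/www` and `www-data` are taken from the thread.

```sh
#!/bin/sh
# Added example (not from the thread).
# Usage: audit_webroot /var/www www-data
# Prints one finding per line and returns 1 if anything was found.
# Assumption: file names under the web root contain no newlines.

audit_webroot() {
    root=$1
    group=$2
    findings=$(
        # Group differs from the shared group, so the developers'
        # group permissions do not apply to this entry.
        find "$root" ! -group "$group" -print | sed 's/^/wrong-group /'
        # No group write bit: group members can read but not modify.
        # Symlinks are skipped because their own mode is not enforced.
        find "$root" ! -type l ! -perm -020 -print | sed 's/^/no-group-write /'
        # Directory without setgid: files created here take the creator's
        # primary group instead of the shared one.
        find "$root" -type d ! -perm -2000 -print | sed 's/^/no-setgid /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Run it as a user who can read the whole tree; an empty result with exit status 0 means every entry is in the shared group, group-writable, and every directory is setgid.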

Nick Fletcher's picture

I liked the Samba approach, so I tried it and it works exactly how I need it to.  I didn't really realize how silly it was to try and have them use Webmin since it's really only for the server admin.  Big thanks Drew & Jeremy.
