Home
Both nginx (the web server) and Tomcat (the servlet container that executes your Lucee CFML) need read permission on the files in your web root. In addition, execute permission is needed to traverse or list directories on a Linux file system.

The nginx web server runs as a user called `www-data` by default. The `www-data` user is a member of a group that is also called `www-data`. Tomcat runs as a user called `tomcat7` on Ubuntu LTS 14.04, and is also in a group called `tomcat7` by default.

These setup scripts add the user `tomcat7` to the `www-data` group by running:

```
usermod -aG www-data tomcat7
```
Next they change the ownership of the web root directory `/web/` so that it is owned by the user `root` and the group `www-data`:

```
chown -R root:www-data /web
```

Then they set permissions to 750, which equates to user=7=rwx, group=5=r-x, other=0=---:

```
chmod -R 750 /web
```
This means that if you are not `root` and you are not in the `www-data` group you cannot view these files. You can add yourself to the `www-data` group to be able to read files in the web root.

This setup also means that Lucee cannot write files into the web root. If you have a folder that it needs to write to, you can allow that by making Lucee/`tomcat7` the owner of the directory, for example:

```
chown -R tomcat7:www-data /web/example.com/www/images/uploads/
```

Important Note - if you have files above the web root (such as configuration files, certificates, keys, etc.) that the web server should not have access to, but Lucee needs access to, you can change the ownership and mode of such files like this:

```
chown root:tomcat7 /web/example.com/conf/config.xml
chmod 740 /web/example.com/conf/config.xml
```
The default approach works well in most cases, but if you want a group of users that can also edit the files in the web root it does not work as well.

If you make your `/web/` file system world readable then you can have a group of local users that can modify the web root. Let's suppose you call this group `webmasters`:

```
# create the webmasters group
groupadd webmasters
# add pete and andy to the group
usermod -aG webmasters pete
usermod -aG webmasters andy
# change ownership of webroot
chown -R root:webmasters /web
# grant permissions rwxrwxr-x
chmod -R 775 /web
```

With this approach the `www-data` user (nginx) and the `tomcat7` user (Lucee) always have read permission, and so does any other user. Anyone in the `webmasters` group or `root` can modify files in the web root. If you wanted to give Lucee full write access to the web root, you would just add `tomcat7` to the `webmasters` group the same way we added pete and andy.
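As an added example (not part of these setup scripts), the POSIX sh helper below applies the owner/group/other rule to the exact ownership and mode combinations used on this page, so you can see why nginx can read the web root, why Lucee cannot write to it unless it owns the directory, why `config.xml` at `root:tomcat7` 740 is readable by Lucee but not by nginx, and what the `webmasters` variant changes. The `can_access` function, the `demo` function and the group lists are constructed for illustration; the root shortcut is simplified.

```sh
#!/bin/sh
# Added example (not from the setup scripts): work out whether a user gets
# r, w or x on a path under the ownership/mode schemes described on this page.
# Usage: can_access USER "GROUP LIST" OWNER GROUP MODE PERM
#   GROUP LIST is the user's groups separated by spaces, MODE is three octal
#   digits such as 750, PERM is r, w or x. Prints yes or no; returns 0 or 1.
can_access() {
    user=$1 ugroups=$2 owner=$3 group=$4 mode=$5 perm=$6
    case $perm in
        r) bit=4 ;; w) bit=2 ;; x) bit=1 ;;
        *) echo "unknown permission: $perm" >&2; return 2 ;;
    esac
    # root is not subject to the mode bits for read, write or directory
    # traversal (simplified: the execute-on-files exception is ignored here)
    if [ "$user" = root ]; then echo yes; return 0; fi
    # Exactly one class is consulted: owner if the user owns the file,
    # otherwise group if the user is in the file's group, otherwise other.
    digit=$(printf '%s' "$mode" | cut -c3)
    if [ "$user" = "$owner" ]; then
        digit=$(printf '%s' "$mode" | cut -c1)
    else
        for g in $ugroups; do
            [ "$g" = "$group" ] && digit=$(printf '%s' "$mode" | cut -c2)
        done
    fi
    if [ $((digit & bit)) -ne 0 ]; then echo yes; return 0; fi
    echo no; return 1
}

# Default scheme from this page: web root root:www-data 750, tomcat7 added to www-data.
TOMCAT_GROUPS="tomcat7 www-data"
demo() {
    printf 'nginx reads web root:        %s\n' "$(can_access www-data www-data root www-data 750 r)"
    printf 'Lucee reads web root:        %s\n' "$(can_access tomcat7 "$TOMCAT_GROUPS" root www-data 750 r)"
    printf 'Lucee writes web root:       %s\n' "$(can_access tomcat7 "$TOMCAT_GROUPS" root www-data 750 w)"
    printf 'Lucee writes uploads dir:    %s\n' "$(can_access tomcat7 "$TOMCAT_GROUPS" tomcat7 www-data 750 w)"
    printf 'nginx reads config.xml:      %s\n' "$(can_access www-data www-data root tomcat7 740 r)"
    printf 'Lucee reads config.xml:      %s\n' "$(can_access tomcat7 "$TOMCAT_GROUPS" root tomcat7 740 r)"
    printf 'pete (no groups) reads root: %s\n' "$(can_access pete pete root www-data 750 r)"
    # webmasters variant from this page: web root root:webmasters 775, pete in webmasters.
    printf 'pete writes webmasters root: %s\n' "$(can_access pete "pete webmasters" root webmasters 775 w)"
    printf 'nginx reads webmasters root: %s\n' "$(can_access www-data www-data root webmasters 775 r)"
}
demo
```

Supplementary groups granted with `usermod -aG` only apply to processes started after the change, so Tomcat has to be restarted before the `tomcat7` process actually holds `www-data` membership.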
The log files for nginx are located in `/var/log/nginx`; users will need to be `root`, use `sudo` or be a member of the `adm` (administrators) group to access the log files.

The Tomcat logs are located in `/var/log/tomcat7`; users will need to be `root`, use `sudo` or be a member of the `adm` (administrators) group to access the log files.

The Lucee logs are in `/opt/lucee/config/server/lucee-server/context/logs` for the server context, or `/opt/lucee/config/web/{server-context-id}/logs` for each web context. These directories are owned by `tomcat7:tomcat7`.
If you are using MySQL, you can create users using the `mysql_setpermission` command. For example:

```
mysql_setpermission --user root --password
```

This is a simple wizard that guides the creation of MySQL users. It makes it easy to create a user that only has `SELECT`, `INSERT`, `UPDATE`, `DELETE` permission on a given DB. It is also useful for creating other users for development use, or administration. Much easier than using the SQL commands.