什么是权利所有权?对CakePHP应用程序/ tmp文件夹的生产权限? [英] What are the right ownership & permissions to the CakePHP app/tmp folder for production?
问题描述
我想知道以下问题的答案和解释:
-
哪个用户/群组应该拥有该蛋糕文件?
-
如果不同,用户/组应该拥有
app / tmp文件夹? (和子文件夹) -
对于正确的用户/组,对生产
-
上传文件的存储位置以及需要设置到该文件夹的所有权/权限。应该是相对于
app /?
知道777修复错误,但我想正确设置。
我听说过,如果一切都正确设置,我认为660应该已经足够了。
谁需要读访问,谁需要写访问,并且任何人都需要执行?
>注意:我认为我已经找到答案,因为没有人写了一个很好的答案,我会写它。如果你对这个主题更了解,看到错误或安全问题,请让我知道,我会纠正他们。 / em>
1)CakePHP所有权
CakePHP文件应该归您所有,机器的用户(无论您登录)。 > johnsmith 部分 / Users / johnsmith
Linux: johnsmith 部分 / home / johnsmith
2)app / tmp所有权。
根据CakePHP 文档:
.. 。确保
蛋糕安装中的目录app / tmp及其所有子目录都是可由web服务器用户写入的。
选项1:
用户所有者需要是apache的用户。组所有者可以是您所属的组,以便您也可以通过finder / CLI访问此文件夹。 > Apache最近预装在OSX上,apache的默认用户是 _www 。但是如果你不确定你可以通过输入terminal ps aux |找到它apache运行时调用grep httpd 。最后一行是你刚刚输入的命令,所以看看它上面。
现在你知道你的apache用户,你必须将它分配给 app / tmp / 。您使用以下命令执行此操作: sudo chown -R _www app / tmp /
linux上的默认用户通常是 www-data ,组中包含 www-data 。如果您不确定,请使用 ps aux | grep httpd 找到用户和 sudo chown -R _www app / tmp / 将所有权分配给该文件夹的apache。
选项2:
您可以将自己设为使用者拥有者,但将群组拥有者设为群组那个apache属于。默认情况下,apache有它自己的组,但是你可以创建一个新的组并添加apache。
OSX: OSX上的apache组默认与用户相同: _www 。然后,您必须运行以下命令来查看所有权: sudo chown -R:_www app / tmp / 。现在,如果您使用 ls -l </ code>检查权限,您应该会看到您的用户名( johnsmith )和新的群组所有者 - _www 。
Linux:* 默认情况下, c $ c> www-data ,所以使用相同的命令更改所有权: sudo chown -R:www-data app / tmp / 。
注意:Debian / Ubuntu使用 www-data ,而CentOS使用 apache 。
3)权限
对于要运行的网站,apache需要读取和写入 > execute 。要访问它(假设您在拥有 app / tmp 的组中),您还需要读和写,如果你将手动编辑终端/查找器的东西。所有其他用户应该没有任何权利。所以:
OSX& Linux: sudo chmod -R 660 app / tmp / 。 -R 部分是对所有内部文件夹递归。第一个 6 适用于用户所有者(OSX: _www 或Linux: www-data ),第二个 6 是组所有者(OSX: staff johnsmith ), 0 适用于所有其他用户/ guest。
注意:根据 CakePHP的这个pull请求,看起来像CakePHP 2.4将有能力创建子文件夹在 app / tmp / 中,表示需要 7 而不是 6 为用户现在变为 760 。
4)上传文件夹
文件,您需要为 img / uploads 文件夹或您上传的任何地方进行类似的设置。所有权将是相同的,但权限需要具有重命名用途和文件夹创建的执行权限。因此以前 660 现在应为 760 。此外,理想情况下,上传文件位于 webroot / 目录中,需要绝对路径。
I would like to know the answers and explanation to the following questions:
Which user/group should own the cake files?
If different, which user/group should own the
app/tmpfolder? (and subfolders)With the right user/group, what are the correct permissions for production of both folders and files? (which also if set correctly should work on development)
Where is storing of uploaded files done and what ownership/permissions need to be set to that folder. Where should it be relative to
app/?
I know 777 fixes errors, but I would like to set it up correctly.
I have heard 660 should be more than enough for production if everything is correctly set up.
Who needs to have read access, who needs to have write access and does anyone need execute?
NOTE: I think I have found the answers and since no one has written a good answer, I will write it.If you are more knowledgeable on the topic and see errors or security issues please let me know, I will correct them.
1) CakePHP ownership
The CakePHP files should be owned by you, the user of the machine (whatever you log in with). Do not have root as owner!
OSX: the johnsmith part of /Users/johnsmith
Linux: the johnsmith part of /home/johnsmith
2) app/tmp ownership.
As per CakePHP documentation:
...make sure the directory app/tmp and all its subdirectories in your cake installation are writable by the web server user.
Option 1:
The user owner needs to be apache's user. The group owner can be the group that you belong to, so that you also have access to this folder through finder/CLI. Do not have root as owner!
OSX: Apache is preinstalled on OSX lately and the default user of apache is _www. However if you are not sure you can find it out by typing terminal ps aux | grep httpd while apache runs. The last line is the command you just typed, so look above it.
Now that you know your apache user, you have to assign it to app/tmp/. You do this with the following command: sudo chown -R _www app/tmp/
Linux: The default user on linux is usually www-data with group www-data. If you are not sure, use ps aux | grep httpd to find out the user and sudo chown -R _www app/tmp/ to assign ownership to apache of that folder.
Option 2:
You can keep yourself as the user owner, but you set up the group owner to be the a group that apache belongs to. By default apache has it's own group, but you could create a new group and add apache to it.
OSX: The group of apache on OSX by default is the same os the user: _www. You then have to run the following command to se up the ownership: sudo chown -R :_www app/tmp/. Now if you check the permissions with ls -l you should see both your username (johnsmith) and the new group owner - _www.
Linux:* By default the group of apache is www-data so use the same commands to change ownership: sudo chown -R :www-data app/tmp/.
NOTE: Debian/Ubuntu use www-data, while CentOS uses apache.
3) Permissions
For the site to run, apache needs read and write without execute. For you to access it (assuming you are in the group that owns app/tmp) you also need read and write if you will edit manually things with terminal/finder. All other users should have no rights whatsoever. So:
OSX&Linux: sudo chmod -R 660 app/tmp/. The -R part is to do it recursively for all inside folders. The first 6 is for the user owner (OSX:_www or Linux:www-data), the second 6 is for the group owner (OSX:staff or Linux: johnsmith), the 0 is for all other users/guests.
NOTE: According to this pull request for CakePHP it looks like CakePHP 2.4 will have ability to create subfolders in app/tmp/ which means it will need a 7 instead of 6 for the user now becoming 760.
4) Uploads folder
If you want to upload files, you need a similar setup for the img/uploads folder, or wherever you upload. The ownership will be the same, but the permissions need to have execute rights for renaming purposes and folder creation. so the previously 660 should now be 760. Also, ideally, the uploads are out of the webroot/ directory, for which an absolute path is required.
这篇关于什么是权利所有权?对CakePHP应用程序/ tmp文件夹的生产权限?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
