26 Jan, 2009, Zeno wrote in the 1st comment:
Votes: 0
Using Joomla (a CMS) to upload files (built in web form upload), they get uploaded as owned by "apache" and group "apache" (which is normal, as defined by httpd.conf).

Joomla was installed and 'running' under the user directory "bob" where all the files are owned and group owned by "bob".

But "bob" cannot touch these new files uploaded by Joomla, although he needs to (say installed a template in Joomla and wants to edit the template).

What's the best possible way of handling this? I tried group perms:

I have this in the group file:
apache:x:48:bob


Say here's a file uploaded by Joomla Media Manager:
-rw-r--r-- 1 apache apache 16155 Jan 26 16:00 menucafe_sandwich.jpg

Quote
[bob@server images]$ chown bob menucafe_sandwich.jpg
chown: changing ownership of `menucafe_sandwich.jpg': Operation not permitted


bob needs to be able to access/edit any files like this without root interfering.
26 Jan, 2009, David Haley wrote in the 2nd comment:
Votes: 0
Set the directory that files get uploaded to to the right permissions – presumably owned by bob, group apache – and then set the directory to set the owner id on execution so that new files have the right permissions.

chmod -R +s <upload dir>

-R does it recursively on all files that are already in there.
26 Jan, 2009, Zeno wrote in the 3rd comment:
Votes: 0
Quote
chgrp -R apache images
chmod -R +s images

drwsr-sr-x  6 bob  apache  4096 Jan 26 16:00 images

-rw-r-Sr-- 1 apache apache 16155 Jan 26 16:00 menucafe_sandwich.jpg


Quote
[bob@server images]$ chown bob menucafe_sandwich.jpg
chown: changing ownership of `menucafe_sandwich.jpg': Operation not permitted


Did I do something wrong?
26 Jan, 2009, David Haley wrote in the 4th comment:
Votes: 0
You'll have to chown bob:apache as root the first time around, or delete the file as root and then reupload. Bob can't change the file's owner.
26 Jan, 2009, Zeno wrote in the 5th comment:
Votes: 0
Deleted file.

Uploading using Joomla:
Quote
* Warning: Failed to move file!
* Error. Unable to upload file.

Made folder 777. Uploaded file.
-rw-r--r-- 1 apache apache 16155 Jan 26 17:02 menucafe_sandwich.jpg

Quote
[bob@server images]$ chown bob menucafe_sandwich.jpg
chown: changing ownership of `menucafe_sandwich.jpg': Operation not permitted
26 Jan, 2009, David Haley wrote in the 6th comment:
Votes: 0
By making the folder 777, you removed the +s bit. Add it back, then make the folder owned by bob, then make it group writable, then delete the file and try again.

EDIT:
the problem being that when you changed it to be owned by bob, user apache could no longer write there, because the dir was owned by bob, and group-unwriteable.
26 Jan, 2009, Zeno wrote in the 7th comment:
Votes: 0
Added the +s back, folder is already owned by bob, g+x on images, deleted file.
drwsr-sr-x  6 bob  apache  4096 Jan 26 17:12 images


Permission issues in Joomla when trying to reupload:
Quote
* Warning: Failed to move file!
* Error. Unable to upload file.
26 Jan, 2009, David Haley wrote in the 8th comment:
Votes: 0
At the risk of being repetitive :tongue:
DavidHaley said:
Add it back, then make the folder owned by bob, then make it group writable,

DavidHaley said:
user apache could no longer write there, because the dir was owned by bob, and group-unwriteable.
26 Jan, 2009, Zeno wrote in the 9th comment:
Votes: 0
Which is where I'm confused at. :P
I did g+x thinking it was to do that, but now I know that isn't right. Using numbers like 771 removes the +s
26 Jan, 2009, David Haley wrote in the 10th comment:
Votes: 0
chmod g+w images

g --> group permissions
+w --> add write permissions (for group, in this case)

don't just do +w, because that means everybody can write (which is probably not what you want)
26 Jan, 2009, Zeno wrote in the 11th comment:
Votes: 0
Done.
drwsrws--x  6 bob  apache  4096 Jan 26 17:30 images


Re-uploaded file.
Quote
[bob@server images]$ chown bob menucafe_sandwich.jpg
chown: changing ownership of `menucafe_sandwich.jpg': Operation not permitted

-rw-r--r-- 1 apache apache 16155 Jan 26 17:30 menucafe_sandwich.jpg
26 Jan, 2009, David Haley wrote in the 12th comment:
Votes: 0
Delete the file, and then as any user with write permissions, please do: touch foo
and then ls -l foo

When I do this it works.

$ mkdir foo
$ ls -ld foo
drwxr-xr-x 2 david david 4096 2009-01-26 17:36 foo/
$ chown david:media foo
$ chmod g+w foo
$ chmod +s foo
$ ls -ld foo
drwsrwsr-x 2 david media 4096 2009-01-26 17:36 foo/
$ touch foo/davids_file
$ sudo -u aurelie touch foo/aurelies_file
$ ls -l foo/
total 0
-rw-r--r-- 1 aurelie media 0 2009-01-26 17:36 aurelies_file
-rw-r--r-- 1 david media 0 2009-01-26 17:36 davids_file
$

… all of which are the expected results.
26 Jan, 2009, Zeno wrote in the 13th comment:
Votes: 0
foo being what? The dir? touch images?

Deleted file, touched images, uploaded file. Tried chmod on file: perm denied, touched images, chmod file: perm denied, touch file: perm denied.
27 Jan, 2009, quixadhal wrote in the 14th comment:
Votes: 0
I usually set my upload directory permissions to:

chmod 6775 uploads

The 6 sets the sticky bits for group AND user, meaning anything created under it will acquire both group and owner permissions of the directory. 775 makes it writeable by the owner and the group, but not the general public.

Odds are pretty good that your web server is running as group apache, so IT has to have write permission to the folder, and so does the owner himself (if he wants to do anything outside the web server).

If you're sharing across multiple people on the same web server, you might need to make setuid upload scripts for that user that will work around apache's group, since making it writeable by all web accounts probably isn't what you want.

Alternately, there might be a module for apache that lets you do more sophisticated user/group permissions…
27 Jan, 2009, Zeno wrote in the 15th comment:
Votes: 0
6775 on the folder still doesn't let bob do anything with files inside that folder though.
27 Jan, 2009, David Haley wrote in the 16th comment:
Votes: 0
The folder has to be owned by user bob, or by a group that bob is a member of. If bob is the user owner, the user permissions must be set to user read-write. If bob is in an owner group, the group permissions must be read-write. Additionally the directory must be u+x or g+x as appropriate so that bob can chdir into it.

In my above example, 'foo' was the upload directory ('images' in your case) and the touched files are the uploaded things. I was running as user david, so the directory was initially owned by david:david, until I chowned it to david:media (the user 'david' being in group 'media').
27 Jan, 2009, Zeno wrote in the 17th comment:
Votes: 0
$ mkdir foo
$ ls -ld foo
drwxr-xr-x 2 david david 4096 2009-01-26 17:36 foo/
$ chown david:media foo
$ chmod g+w foo
$ chmod +s foo
$ ls -ld foo
drwsrwsr-x 2 david media 4096 2009-01-26 17:36 foo/
$ touch foo/davids_file
$ sudo -u aurelie touch foo/aurelies_file
$ ls -l foo/
total 0
-rw-r--r-- 1 aurelie media 0 2009-01-26 17:36 aurelies_file
-rw-r--r-- 1 david media 0 2009-01-26 17:36 davids_file
$


Okay so trying that exactly:
# chown bob:apache images
# chmod g+w images
# chmod +s images
# ls -ld images
drwsrwsr-x 6 bob apache 4096 Jan 27 12:50 images
# touch images/cisco-logo.gif
# sudo -u bob touch images/cisco-logo.gif
touch: cannot touch `images/cisco-logo.gif': Permission denied
27 Jan, 2009, David Haley wrote in the 18th comment:
Votes: 0
Which user are you doing all of that as? What are the current contents of 'images'? Can you try logging in as 'bob' (sudo -u bob bash), chdir to the directory, and then 'touch cisco-logo.gif'?
27 Jan, 2009, Zeno wrote in the 19th comment:
Votes: 0
Was doing that as root.
Images:
total 312
-rwSr-Sr-- 1 bob apache 1352 Nov 10 19:24 apply_f2.png
-rwSr-Sr-- 1 bob apache 1648 Nov 10 19:24 archive_f2.png
-rwSr-Sr-- 1 bob apache 1620 Nov 10 19:24 back_f2.png
drwSrwsr-x 2 bob apache 4096 Nov 10 19:26 banners
-rwSr-Sr-- 1 bob apache 151 Nov 10 19:24 blank.png
-rwSr-Sr-- 1 bob apache 564 Nov 10 19:24 cancel.png
-rw-r--r-- 1 apache apache 3039 Jan 27 14:13 cisco-logo.gif
-rwSr-Sr-- 1 bob apache 1776 Nov 10 19:24 css_f2.png
-rwSr-Sr-- 1 bob apache 1719 Nov 10 19:24 edit_f2.png
-rw-r--r-- 1 apache apache 100322 Jan 26 18:02 geltrac.png
-rwSr-Sr-- 1 bob apache 1744 Nov 10 19:24 html_f2.png
-rwSr-Sr-- 1 bob apache 44 Nov 10 19:24 index.html
-rwSr-Sr-- 1 bob apache 7200 Nov 10 19:24 joomla_logo_black.jpg
-rwSr-Sr-- 1 bob apache 190 Nov 10 19:24 menu_divider.png
drwsr-sr-x 2 bob apache 4096 Nov 10 19:26 M_images
-rwSr-Sr-- 1 bob apache 1655 Nov 10 19:24 new_f2.png
-rwSr-Sr-- 1 bob apache 2560 Nov 10 19:24 powered_by.png
-rwSr-Sr-- 1 bob apache 1699 Nov 10 19:24 preview_f2.png
-rwSr-Sr-- 1 bob apache 1800 Nov 10 19:24 publish_f2.png
-rwSr-Sr-- 1 bob apache 698 Nov 10 19:24 save.png
drwsr-sr-x 2 bob apache 4096 Nov 10 19:26 smilies
-rwSr-Sr-- 1 bob apache 202 Nov 10 19:24 sort_asc.png
-rwSr-Sr-- 1 bob apache 201 Nov 10 19:24 sort_desc.png
drwSrwsr-x 4 bob apache 4096 Jan 26 14:48 stories
-rwSr-Sr-- 1 bob apache 1525 Nov 10 19:24 unarchive_f2.png
-rwSr-Sr-- 1 bob apache 1658 Nov 10 19:24 upload_f2.png


Logged in as bob:
[bob@server images]$ touch cisco-logo.gif
touch: cannot touch `cisco-logo.gif': Permission denied
27 Jan, 2009, David Haley wrote in the 20th comment:
Votes: 0
Quote
-rw-r--r-- 1 apache apache   3039 Jan 27 14:13 cisco-logo.gif

Well… err… that's your problem. It exists already, owned by somebody else, and isn't group writable… so you couldn't ever touch it as user bob.
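The permission checks behind each failure in this thread, as an added example that is not part of any post above: it applies the classic Unix rule (owner class first, else group, else other) to `ls -l` rows copied from the listings, and flags regular files left with setuid/setgid bits by `chmod -R +s`. The helper names `can_write`, `stray_special_bits` and `explain` are hypothetical, and root, ACLs and SELinux are assumed to be out of the picture.

```shell
#!/bin/sh
# Added example (not from the thread): classic Unix write check for one
# `ls -l` entry. Root, ACLs and SELinux are ignored (assumption).

# can_write USER "GROUPS..." MODE OWNER GROUP -> exit 0 if USER may write.
can_write() {
    cw_user=$1; cw_groups=$2; cw_mode=$3; cw_owner=$4; cw_group=$5
    # Exactly one class applies: owner first, else group, else other.
    if [ "$cw_user" = "$cw_owner" ]; then
        cw_col=3                                  # owner 'w' column
    else
        cw_col=9                                  # other 'w' column
        for cw_g in $cw_groups; do
            if [ "$cw_g" = "$cw_group" ]; then cw_col=6; fi   # group 'w'
        done
    fi
    [ "$(printf '%s' "$cw_mode" | cut -c"$cw_col")" = "w" ]
}

# stray_special_bits MODE -> exit 0 if a regular file carries setuid/setgid,
# which is what `chmod -R +s` leaves on every file below the directory.
stray_special_bits() {
    case $1 in
        -??[sS]*|-?????[sS]*) return 0 ;;
        *) return 1 ;;
    esac
}

# explain USER "GROUPS" MODE OWNER GROUP NAME -> prints one verdict line.
explain() {
    if can_write "$1" "$2" "$3" "$4" "$5"; then ex_v="can write"
    else ex_v="cannot write"; fi
    ex_note=""
    if stray_special_bits "$3"; then ex_note=" [setuid/setgid on regular file]"; fi
    printf '%-7s %-13s %s %s:%s %s%s\n' "$1" "$ex_v" "$3" "$4" "$5" "$6" "$ex_note"
}

# Rows copied from the thread's listings; bob is in groups bob and apache.
explain apache "apache"     drwsr-sr-x bob    apache images          # upload fails
explain apache "apache"     drwsrwsr-x bob    apache images          # upload works
explain bob    "bob apache" -rw-r--r-- apache apache cisco-logo.gif  # touch denied
explain bob    "bob apache" drwsrwsr-x bob    apache images
explain apache "apache"     -rwSr-Sr-- bob    apache index.html
```

The fourth row shows bob has write access to `images` itself, so he can delete or replace `cisco-logo.gif` there even though he cannot modify the file in place.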