Learning about permissions in Linux

Last modified 2 years, 128 days ago

So one of the things this website is supposed to do is automatically be updated when I push changes to it on GitHub. This is something I’ve had some success and some failure with in the past. Most recently, I’ve improved the security of this website by running it as a regular user (www-data) instead of as root.

Yea, that’s right, I used to run this website as a root process. Those of you who know anything about security within Linux know exactly how terrible an idea that is. Speaking of which, I should formalize the process to move this to a new server. I have most things automated, but not entirely. That’s for another story.

This is just a brief sharing of the things I learned or was reminded of while working on the site tonight.

Content-type

I have a couple of posts on here with URLs ending in .txt, which led NGINX to assume they should be served as plain text even though they are HTML files that are supposed to show up just like this post does. Fortunately, in the return statement of a Lapis route you can set the Content-type header manually: content_type: "text/html; charset=utf-8". Now that works correctly.

Why can’t www-data run ‘git pull origin’?

I may not have actually solved this, but what I have done is allow www-data to log into a shell. Specifically, the command chsh -s /bin/bash www-data achieved this. After that, I logged into a shell as www-data (realizing that sudo -i -u USER and sh -l USER are the same thing, I think) and ran the process. No problem!

So then, the next step would be lapis build production, which led to an error about not being allowed to use the kill command. I figured this might be because, while the NGINX process is running as a user, it is being started by root as part of the service I have set up to automatically start my server after the hardware is rebooted. So I shut down the service and ran it again from the www-data user. Everything works! So a bit of Googling, and I found that under the [Service] section of a .service file, I should put User=www-data to make sure the service is running as that user.
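Here is what that User= change looks like in a unit file, written as an added illustration rather than copied from this site’s own service file. The unit name, the /srv/site path and the lapis server command line are assumptions; the point is that without User= the ExecStart command runs as root, and with it the whole process tree (including whatever lapis build signals) belongs to www-data.

```ini
# --- before: no User= line, so ExecStart runs as root ---
[Unit]
Description=Lapis site (assumed example unit, runs as root)
After=network.target

[Service]
WorkingDirectory=/srv/site
ExecStart=/usr/local/bin/lapis server production
Restart=on-failure

[Install]
WantedBy=multi-user.target

# --- after: same unit, but the service runs as www-data ---
[Unit]
Description=Lapis site (assumed example unit, runs as www-data)
After=network.target

[Service]
User=www-data
Group=www-data
WorkingDirectory=/srv/site
ExecStart=/usr/local/bin/lapis server production
Restart=on-failure
# An unprivileged user cannot bind ports below 1024. Grant only that one
# capability instead of falling back to root (systemd 229 or newer); the
# alternative is to listen on a high port behind a proxy.
AmbientCapabilities=CAP_NET_BIND_SERVICE
# Extra confinement that is independent of the user change: no setuid
# escalation, a private /tmp, and a read-only /usr, /boot and /etc.
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full

[Install]
WantedBy=multi-user.target
```

The checkout under WorkingDirectory, .git included, has to be owned by or writable for www-data, or git pull and lapis build will fail for the same ownership reason as the kill error. Running a one-off command as that user does not require giving it a login shell: sudo -u www-data git pull origin works with the shell still set to nologin.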

And now, things should be working. I still have to test that an update can be pushed automatically, but I will get to that as I work on other things. Like updating the parts of the site that still aren’t using the new theme/system.

Originally published January 26, 2018
