Pete Freitag edited this page Aug 13, 2015 · 4 revisions

Users and File Permissions

Both nginx (the web server) and Tomcat (the servlet context that executes your Lucee CFML) need read permission on the files in your web root. In addition, execute permission is needed to traverse or list directories on a Linux file system.

The nginx web server runs as a user called www-data by default. The www-data user is a member of a group that is also called www-data. Tomcat runs as a user called tomcat7 on Ubuntu LTS 14.04, and is also in a group called tomcat7 by default.

These setup scripts add the user tomcat7 to the www-data group by running:

usermod -aG www-data tomcat7

Next, the scripts change the ownership of the web root directory /web/ to the user root and the group www-data:

chown -R root:www-data /web

The scripts then set permissions to 750, which equates to user=7=rwx, group=5=r-x, other=0=---:

chmod -R 750 /web

This means that if you are not root and you are not in the www-data group, you cannot view these files. You can add yourself to the www-data group to be able to read files in the web root.

This setup also means that Lucee cannot write files into the web root. If you have a folder that it needs to write to, you can allow that by making tomcat7 (the user Lucee runs as) the owner of the directory, for example:

chown -R tomcat7:www-data /web/example.com/www/images/uploads/

Important note: if you have files above the web root (such as configuration files) that the web server should not have access to but Lucee needs access to, you can change the ownership of such files, for example:

chown root:tomcat7 /web/example.com/conf/config.xml
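
One way to check that a web root still matches the default model above (root:www-data, mode 750) after deployments or manual changes; this is an added example, not part of the setup scripts. The function name audit_webroot and its output tags are made up here, and the owner and group defaults are the ones this page uses.

```shell
#!/bin/sh
# Added example: audit a web root against the default model on this page
# (root:www-data, mode 750). Function name and output tags are hypothetical.

# audit_webroot ROOT [OWNER] [GROUP]
# Prints "TAG PATH" for each finding; returns 0 when clean, 1 otherwise.
audit_webroot() (
    root=$1
    owner=${2:-root}
    group=${3:-www-data}

    findings=$(
        # Symlinks are skipped: chmod -R does not set their own mode bits.
        # Any "other" bit set: accounts outside the group can read or traverse.
        find "$root" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec printf 'other-access %s\n' {} \;
        # Group-writable: every member of the group could modify the entry.
        find "$root" ! -type l -perm -020 \
            -exec printf 'group-write %s\n' {} \;
        # Not owned by OWNER: expected only for directories deliberately
        # handed to tomcat7 (such as an uploads folder); review each one.
        find "$root" ! -type l ! -user "$owner" \
            -exec printf 'not-owner %s\n' {} \;
        # Different group: nginx may have lost read access, or another
        # group has gained it.
        find "$root" ! -type l ! -group "$group" \
            -exec printf 'not-group %s\n' {} \;
    )

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
)
```

Run it as root (for example `audit_webroot /web`) so that find can descend into every directory; a non-zero exit status means at least one entry deviates from the model.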

A more flexible but less secure file permission setup

The default approach can work well in most cases, but if you want to have a group of users that can also edit the files in the web root it does not work as well.

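If you make your /web/ file system world readable, then you can have a group of local users that can modify the web root. With the ownership and mode below, nginx and Tomcat read the files through the "other" permission bits, and so can every other local account, which is why this setup is less secure. Let's suppose you call this group webmasters: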

# create the webmasters group
groupadd webmasters
# add pete and andy to the group
usermod -aG webmasters pete
usermod -aG webmasters andy
# change ownership of webroot
chown -R root:webmasters /web
# grant permissions rwxrwxr-x 
chmod -R 775 /web

Accessing log files

The log files for nginx are located in /var/log/nginx. Users will need to be root, use sudo, or be a member of the adm (administrators) group to access the log files.

The Tomcat logs will be located in /var/log/tomcat7. Users will need to be root, use sudo, or be a member of the adm (administrators) group to access the log files.

The Lucee logs will be in /opt/lucee/config/server/lucee-server/context/logs for the server context or /opt/lucee/config/web/{server-context-id}/logs. These directories are owned by tomcat7:tomcat7.
