When I started this blog one request I had from @neilcrookes was to share a few tidbits in the world of system administration. Let me caveat this straightaway I’m definitely no sys admin, but over the years I’ve picked up a few tips and tricks which help us developers do common tasks on a web server. Hopefully what I present here is a secure solution to an issue, but if it isn’t secure please correct my knowledge in the comments!
Problem: How to delete files owned by the web server user from the command line?
If you have files created by scripts on a webserver they are often created as the user running the web server, in most cases apache (or maybe www-data). To achieve this I often transfer the ownership of the directory where the files need to be created to the user apache:
chown -R apache:apache cache
This works well but presents an issue if you need to delete these files manually. If you have root access, great you can login as that user and delete the files, however the web site files should not be owned by root already they should be owned by a different user, and you should probably be doing any work on these files as the user they are owned by and not root!
So lets say you are running a deployment script and want to delete cache files as part of that deployment. The user you are running the deployment script as isn’t root so doesn’t have permission to delete the files owned by apache :-( You could run the deployment, switch to the root user then delete the files, but this is long winded, and probably requires the root password. What I really want to be able to do is delete those files owned by apache as the user running the script.
So in summary what I want is:
Delete files only owned by apache when running as another user (not root).
Note: This is a guide from a CentOS server, YMMV on other Linux distros. I am also assuming some level of bash commandline fu from anyone reading this guide.
On most systems there is a command ‘sudo’ which lets you run commands at an elevated permissions level. What you can do is determine what can be done by a user by editing a config file called sudoers (/etc/sudoers). To do this you need to be root and use the program ‘visudo’ (/usr/sbin/visudo), it is based on ‘vi’ so you need to know how to use vi to edit it. There is a lot you can do in the sudoers file which I won’t go into but in order to to allow the user alastairb to delete files owned by apache add the following two lines to the sudoers file.
Runas_Alias WWW = apache alastairb ALL = (WWW) NOPASSWD: /bin/rm
Substitute ‘apache’ for your web server user i.e. www-data and ‘alastairb’ for your shell user. Save the file (if you have any syntax errors they will be reported). Now you can delete files owned by apache by issuing the following command:
sudo -u apache rm [file]
The important bits are the Runas_Alias and the (WWW), this specifies that the command can only be run as the apache user. Without this you could elevate permissions to delete any file owner by any user which is definitely not a good thing!