ajoo Posted September 28, 2017

Hi all! I have launched my project using the AWS EB CLI and it's installed as desired. After the installation I needed to change the folder and file permissions, so I logged into the EC2 instance using PuTTY (I have not yet explored the configuration files enough to set the permissions from there) as ec2-user and found my project under var/app/current, symlinked to the HTML folder. Further, all my folders and files under the current folder have the user:group set as webapp:webapp. Now I am not sure what this webapp is, but I guess it's a user that was created by Elastic Beanstalk.

Here is my working project structure on my VM. All folders have user:group as ec2-user:apache and the permissions of each folder are as labelled:

    |--project (root) ---- index.php
    |     775               644
    |
    |--hidden (below root) --- scripts (710)
    |     710              --- includes (710)
    |                      ---- images ---- image1.png (660)
    |                            (730) ---- image2.png (660)
    |

When I set the permissions the same as above in the EC2 instance, my hidden folders become inaccessible. I guess this is because of the wrong user:group settings. So how do I set the correct ownership and settings with AWS Elastic Beanstalk to make this work with the settings that I have mentioned above?

Thanks all!
requinix Posted September 28, 2017

Inaccessible to what? Or rather, who?
ajoo Posted September 28, 2017

Hi requinix, thanks for the response. Well, the application needs to have access to it. For example, it requires the image and other data to, say, repopulate the forms so that they may be edited and saved again. So I guess that (fetching information and storing it) would be handled by Apache. (That's what I think!) Only valid logged-in users have access to the forms. Hope that helps.
requinix Posted September 28, 2017

For normal access, a process needs read (4) on files and read+execute (5) on directories. If everything is owned by ec2-user:apache then Apache will be using the group permissions, so given

    |--project (root) ---- index.php
    |     775               644
    |
    |--hidden (below root) --- scripts (710)
    |     710              --- includes (710)
    |                      ---- images ---- image1.png (660)
    |                            (730) ---- image2.png (660)
    |

Apache will be able to use everything under the project root but won't be able to access scripts or includes.
ajoo Posted September 28, 2017

Hmm! Are you saying that if everything is owned by ec2-user:apache, then with the values given, Apache will not be able to read the scripts and includes?! If so, then how come it works just great on my VM? No issues at all there. Or am I reading your reply incorrectly? Thanks!
requinix Posted September 28, 2017

Are the ownership and permissions the same there? Is Apache also running as the apache group?
ajoo Posted September 28, 2017

I'll check and revert shortly. Thanks!
ajoo Posted September 29, 2017

Hi requinix, sorry for the delay. Unfortunately, I have lost my instances that ran with these permissions. I had actually run this on an EC2 instance on AWS. However, I had taken screenshots, and so I can confirm that my project ran with the same ownership and permissions as above and ran great with no issues, and user:apache was running as the ubuntu:www-data group.

I have hunted through the EB console but could not find any user webapp defined anywhere by EB. Nor could I find any group with that name. I thought if I could find them I would have changed them there, but I am quite sure the changes have to be effected via the configuration files. I am also not sure if I would need to define a user before I can make any changes. By default the user is ec2-user when I log in using PuTTY. I wonder what the right way and sequence to follow to make these changes is. Thank you.
requinix Posted September 29, 2017

Last time you had ubuntu:www-data and this time you have ec2-user:apache? No offense, but I don't think everything is, in fact, the same as last time. And I'm not just talking about the names.

The "webapp" user may have been created by CodeDeploy, I don't know; a quick Google search didn't turn up anything helpful.

Whatever users and groups are involved, making the system work is simply a matter of making sure the right permissions are set: if the file ownership user matches the Apache user then the user permissions matter, or if the ownership group matches one of the Apache user's groups then the group permissions matter, otherwise the other permissions matter. Whichever it is needs read for files and read+execute for directories.
gizmola Posted September 29, 2017

ec2-user is a standard user for EC2 instances. You should not use that user for anything, as it is essentially root equivalent. What I mean by that is that the user is set up with the key for the instance and is able to sudo without a password.

With EB, the user who owns your PHP app is indeed webapp. Once you get into your instance you can change to that user from ec2-user using

    sudo su - webapp

and tweak permissions if you must.

In summary, you should not attempt to change the file ownership of your project. That is managed by EB. If you need to tweak a directory perm, su to webapp.
ajoo Posted September 30, 2017

Hi requinix and gizmola, thanks for the responses!

@requinix:

> Last time you had ubuntu:www-data and this time you have ec2-user:apache?

That's correct. Actually, I try out things locally on a VM (ubuntu:www-data) and in this case I had tried the permissions on Amazon Linux too (ec2-user:apache). Unfortunately I lost the VM and the EC2 instance on AWS as well, since I keep trying out different things. However, I had retained the permissions snapshots of my VM, which I have and which I checked and confirmed were indeed the same as I have labelled them in my earlier replies.

@gizmola:

> In summary, you should not attempt to change the file ownership of your project. That is managed by EB. If you need to tweak a directory perm, su to webapp.

That's the dilemma! Whether I should change the ownership and permission here or not.

    WWW_USER=`ps axo user,group,comm | egrep '(apache|httpd)' | grep -v ^root | uniq | cut -d\  -f 1`

gives me the Apache user as webapp, while

    WWW_GROUP=`ps axo user,group,comm | egrep '(apache|httpd)' | grep -v ^root | uniq | cut -d\  -f 2`

gives me a blank! Why doesn't this show the group as webapp, as does the following command?

    groups webapp
    webapp : webapp

    groups ec2-user
    wheel

Shouldn't the webapp group too be listed by the groups command? Why isn't there an apache group as well? So what is the right approach to change the permissions now? Thanks all!
gizmola Posted September 30, 2017 (Solution)

You are running shell scripts that set environment variables for some reason. Maybe these are Ubuntu things, but they aren't important to the basic workings of the system unless there is something happening in the Apache startup script. I personally use Amazon Linux for all my EC2 instances, since they ensure it works well with EC2 and they come preconfigured with package repos maintained and tested by Amazon.

At any rate, what I feel is the best practice in this situation is that you have a separate user|group combination for Apache. However, apparently that is webapp currently, so I would not look into trying to change it.

Check your Apache httpd.conf file (should be somewhere in /etc or a directory underneath it) and see who the user/group is. To check out the entry for webapp, cat the /etc/passwd file and see what the entry for the webapp user is. I don't know why there wouldn't be a group there.

In the Apache httpd.conf file there is an entry for the user/group Apache will run as. That should be webapp in this case:

    User webapp
    Group webapp
ajoo Posted October 1, 2017

Hi gizmola,

> However, apparently that is webapp currently, so I would not look into trying to change it.

That's correct and I was loath to change it.

> In the Apache httpd.conf file there is an entry for the user/group Apache will run as. That should be webapp in this case.

I did find the webapp user and group there. So would the webapp user also belong to the apache group? Else how would webapp be serving pages! Right?! If so, doesn't that go against what was suggested by Guru Jacques in this old thread of mine in #2? Thanks loads!
gizmola Posted October 4, 2017

The webapp user doesn't need to belong to the apache group if Apache is running as webapp. All the ownership should be fine.
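As an added illustration, not code from the thread, this Python model applies the rule requinix stated earlier (user bits if the owner matches the Apache user, else group bits if the group is one of its groups, else the other bits; read for files, read+execute for directories) to the tree from the first post, once with the VM ownership (ec2-user:apache, Apache running as apache) and once with the Elastic Beanstalk ownership gizmola describes (webapp:webapp, Apache running as webapp). The paths under /var/app are assumed; the thread only names var/app/current.

```python
# Constructed model of the thread's tree: path -> (owner, group, mode, is_dir).
# Paths are assumed for illustration; only var/app/current is named in the thread.
VM_TREE = {
    "/var/app": ("ec2-user", "apache", 0o755, True),
    "/var/app/current": ("ec2-user", "apache", 0o775, True),
    "/var/app/current/index.php": ("ec2-user", "apache", 0o644, False),
    "/var/app/hidden": ("ec2-user", "apache", 0o710, True),
    "/var/app/hidden/scripts": ("ec2-user", "apache", 0o710, True),
    "/var/app/hidden/includes": ("ec2-user", "apache", 0o710, True),
    "/var/app/hidden/images": ("ec2-user", "apache", 0o730, True),
    "/var/app/hidden/images/image1.png": ("ec2-user", "apache", 0o660, False),
}

def eb_tree(tree):
    """Same modes, but owned webapp:webapp as Elastic Beanstalk deploys them."""
    return {p: ("webapp", "webapp", mode, d) for p, (_, _, mode, d) in tree.items()}

def effective_bits(owner, group, mode, proc_user, proc_groups):
    """Select the rwx triplet that applies to a process: user bits if the owner
    matches, else group bits if the group is one of the process's groups,
    else the 'other' bits."""
    if proc_user == owner:
        return (mode >> 6) & 0o7
    if group in proc_groups:
        return (mode >> 3) & 0o7
    return mode & 0o7

def first_blocker(path, tree, proc_user, proc_groups):
    """Walk the chain from the top down and return the first path the process
    cannot use (directories need r+x = 5, files need r = 4), or None."""
    parts = path.strip("/").split("/")
    for depth in range(1, len(parts) + 1):
        prefix = "/" + "/".join(parts[:depth])
        if prefix not in tree:
            continue  # not modelled (e.g. /var): assumed traversable
        owner, group, mode, is_dir = tree[prefix]
        need = 0o5 if is_dir else 0o4
        if effective_bits(owner, group, mode, proc_user, proc_groups) & need != need:
            return prefix
    return None

def report(tree, proc_user, proc_groups):
    """Map every modelled path to the first path in its chain that blocks access."""
    return {p: first_blocker(p, tree, proc_user, proc_groups) for p in tree}

if __name__ == "__main__":
    for label, tree, user, groups in [("VM, Apache as apache", VM_TREE, "apache", {"apache"}),
                                      ("EB, Apache as webapp", eb_tree(VM_TREE), "webapp", {"webapp"})]:
        print(label)
        for path, blocker in report(tree, user, groups).items():
            print(f"  {path}: {'OK' if blocker is None else 'blocked at ' + blocker}")
```

With the VM ownership, everything under hidden (mode 710, group bits --x) is blocked for the apache group, while with webapp ownership and Apache running as webapp the user bits apply and every path is usable.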
ajoo Posted October 5, 2017

Hi requinix and gizmola, thanks loads for your inputs. Gizmola, you were right about not changing the default ownership. My permissions, as depicted in the posts above, worked as is, though I could not pinpoint the reason for their not working initially. There was probably some error on my part. Thank you both for the replies!