My user cannot add, modify or delete Apache/PHP files without sudo.
My environment is:
My user is already in the Apache group:
$ id
uid=1000(lmeza) gid=1000(lmeza) groups=1000(lmeza),10(wheel),48(apache) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
The Apache webroot already has the httpd_sys_content_t label:
$ ls -Z /var/www
drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 cgi-bin
drwxr-sr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 html
I have a directory labelled httpd_sys_rw_content_t, but I cannot write to it:
$ ls -lahZ /var/www/html
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 modules
$ touch /var/www/html/modules/abc.txt
touch: cannot touch '/var/www/html/modules/abc.txt': Permission denied
Getting the file access control lists:
$ getfacl /var/www/html
getfacl: Removing leading '/' from absolute path names
# file: var/www/html
# owner: apache
# group: apache
# flags: -s-
user::rwx
user:apache:rwx
group::r-x
group:apache:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:apache:rwx
default:group::r-x
default:group:apache:rwx
default:mask::rwx
default:other::r-x
The correct way to set up the SELinux and ACL permissions on CentOS 7 is:
# Re-establish the SELinux context:
sudo restorecon -Rv /var/www/html

# Change the owner of the webroot:
sudo chown -R apache:apache /var/www/html

# Change basic permissions:
sudo chmod -R g+w /var/www/html
sudo chmod g+s /var/www/html

# Establish SELinux permissions:
sudo chcon -Rt httpd_sys_content_t /var/www/html
sudo chcon -Rt httpd_sys_rw_content_t /var/www/html/modules

# Establish ACL permissions:
sudo setfacl -R -mu:apache:rwx /var/www/html
sudo setfacl -R -md:u:apache:rwx /var/www/html
sudo setfacl -R -mg:apache:rwx /var/www/html
sudo setfacl -R -md:g:apache:rwx /var/www/html
The complete script for Drupal 8 is in the following Gist: https://gist.github.com/merolhack/854c3d371f31b21fb6cb538fe02a0444
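As an added example (not code from the question, the answer or the linked Gist), a small POSIX sh checker that takes one line of `ls -lZ` output plus the user name and group list from the question and reports two separate things: whether the ordinary mode bits let that user write (the user runs as unconfined_t, so SELinux does not constrain them; only DAC and any ACL do), and whether the SELinux type lets the httpd process itself write. The verdict strings and the function names are my own.

```shell
#!/bin/sh
# Pick the rwx triple of MODE that applies to USER: owner, group member, or other.
# dac_bits MODE OWNER GROUP USER GROUPLIST(comma-separated)
dac_bits() {
  case $4 in
    "$2") printf '%s' "$1" | cut -c2-4 ;;
    *) if printf ',%s,' "$5" | grep -q ",$3,"; then
         printf '%s' "$1" | cut -c5-7
       else
         printf '%s' "$1" | cut -c8-10
       fi ;;
  esac
}

# classify_entry "LS_LZ_LINE" USER GROUPLIST -> prints "user=<verdict> httpd=<verdict>"
# The ls line is split into: mode owner group selinux-context name
classify_entry() {
  set -- $1 "$2" "$3"
  mode=$1 owner=$2 group=$3 ctx=$4 user=$6 groups=$7
  # third colon-separated field of the context is the SELinux type
  type=$(printf '%s' "$ctx" | cut -d: -f3)
  case $mode in
    # a trailing '+' means an ACL is attached: mode bits alone are not conclusive
    *+) user_v="acl(check getfacl)" ;;
    *)  case $(dac_bits "$mode" "$owner" "$group" "$user" "$groups") in
          ?w?) user_v="allow" ;;
          *)   user_v="deny(no w bit)" ;;
        esac ;;
  esac
  # only the rw label allows the httpd_t domain to write; the plain content label is read-only
  case $type in
    httpd_sys_rw_content_t) httpd_v="rw" ;;
    httpd_sys_content_t)    httpd_v="ro" ;;
    *)                      httpd_v="other($type)" ;;
  esac
  printf 'user=%s httpd=%s\n' "$user_v" "$httpd_v"
}

# Constructed input: the modules directory exactly as shown in the question.
classify_entry 'drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 modules' lmeza 'lmeza,wheel,apache'
```

Run against the question's own `ls -lahZ` line, it reports `user=deny(no w bit) httpd=rw`: the denial comes from the missing group write bit, not from SELinux, which is why `chmod g+w` is the part of the answer that fixes the user's `touch`. Keep httpd_sys_rw_content_t limited to the directories the web server genuinely has to write, since that label lets the httpd process modify those files.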