Ownership inheritance of parent dir not working, only group 'apache' is applied

john12311 · June 3, 2024, 12:38pm

Ownership inheritance of parent dir not working, only group ‘apache’ is applied

Owner should be ‘apache’ but is ‘root’

OS: rocky linux 9, selinux - getenforce : Permissive

umask 002

umask:
-----
0002
-----

sudo mkdir /var/www/html/te && \
chown apache:apache -R /var/www/html/te && \
sudo chmod g+w /var/www/html/te && \
sudo chmod g+s /var/www/html/te && \
touch /var/www/html/te/testfile.txt

parent_directory: 
-------------------------
/var/www/html/te ownership- apache:apache / rwxrwsr-x '2775'
-------------------------

ls -al /var/www/html/te:
-------------------------
total 0
drwxrwsr-x. 2 apache apache 26 Jun  3 11:23 .
drwxrwsr-x. 3 apache apache 16 Jun  3 11:23 ..
-rw-rw-r--. 1 root   apache  0 Jun  3 11:23 testfile.txt
-------------------------

Please help!

Thank you

jlehtone · June 3, 2024, 12:55pm

That looks like "works as intended.

Each process has “owner” and “group”. By default, files created by process get that owner and group.
The group sticky bit (g+s) on directory changes that:

The group directory is used as group of file
If the new file is a directory, then it gets the group sticky bit

I don’t recall seeing owner being inherited – it definitely is not feature of the group sticky bit.

The owner ‘root’ on /var/www/html/te/testfile.txt tells that you did run
touch /var/www/html/te/testfile.txt as user root. If you were already root,
then why did you run other commands with sudo? (That would be redundant.)

john12311 · June 3, 2024, 1:19pm

Yes, I’m under the root account, so I suppose a few redundant ‘sudo’ commands don’t matter.

can someone advise me how to achieve that when creating or overwriting a file, the owner + group of the parent directory is inherited

I’m not sure if all the commands are correct

Currently only the ‘apache’ group is inherited and the owner remains ‘root’

The goal is to inherit the parent’s folder settings ‘apache:apache’ to all its new sub-files/folders

Thanks

iwalker · June 3, 2024, 1:24pm

The owner/user is correct. It will always be root, or “username”. The group sticky bit (g+s) means that the group assigned to the directory, and all members of that group can edit/amend the file. The username part is irrelevant and can be ignored. You would need to be the apache user, for that value/permission to change. For all other users a part of the group apache, will then ensure that it is always apache, irrespective of whoever edits it. Assuming that the group sticky bit was set.

john12311 · June 3, 2024, 1:31pm

thanks for the explanation sir, I originally thought that it was also necessary to change the owner to ‘apache’, to make it works correctly with apache server - read/write

jlehtone · June 3, 2024, 1:37pm

The Apache server process has owner ‘apache’ and group ‘apache’.
The directory has group ‘apache’ and that group can read and write,
so the Apache server process can read and write to that directory.

That is, by the POSIX permissions. The Apache server process is also
confined within “httpd” SELinux context, but if you do look at:

ls -lRZ /var/www/html

you should see that all files and directories within do have httpd_sys_content_t

system · August 2, 2024, 1:38pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.