Any webserver Admins here? How should I set up permissions for my CodeMirror tool?

I’m in the process of building a PHP editor using CodeMirror. I’m confused as to how I should set up the permissions on Ubuntu-server 16.04LTS.

My goal is to be able to use this PHP editor to build and extend my websites from the browser itself (thus my only need for work will be the browser). I’m a novice when it comes to Ubuntu, I know enough to be dangerous. My understanding is that I want the permissions of my /var/www/html directory to be writable by the user that runs apache and php, that’s www-data right? So if I chown and chgrp of /var/www/html to www-data and set the permissions to 664 that should give me what I need?

Any tips in the right direction are greatly appreciated. Thank you.

Almost - it’s not re permissions of the root only, but the ‘target’ in question. So you could have writeable permissions on the root, but if you’re wanting to update a file and that doesn’t have writeable permissions, that’s what will deny you.

Aside from updating existing files, when adding a new file/dir into a dir, it won’t let you do that if the parent dir doesn’t have write permissions.

In short - if it exists, it must have permissions and if it doesn’t exist, the parent must have permissions. Make use of PHP’s is_writeable to handle non-write situations for you till you figure things out.

Be warned though - I started out building a code editor in the browser myself using CodeMirror as a fun proof of concept and created something in just a few hours. 3000+ hrs and 3 years later I’m still evolving it and have near 85,000 users - https://icecoder.net :slight_smile:


Haha no way! I actually tried Ice at one point! Wonderful project man! Kudos and thanks for the advice.

So basically I need to set my whole webroot to writable? Is that how Ice works?

Thanks, glad you liked it. ICEcoder is PHP based, so can only do what PHP is allowed to do and that’s defined by the specific target dir/file perms and owner.

This means the target needs to be writeable. I might be editing a project, try to save and can’t as the file isn’t writeable (or dir isn’t if making a new file). I use is_writeable to detect the target’s writeability and at least handle errors.

Unfortunately, what you’re thinking doesn’t apply - setting perms in the root doesn’t flow through to sub dirs, they have their own perms & owners and so does every file. If you have a sub dir that has different permissions, adding a file into that will consult that sub dir, not your root.


Right, I’m still trying to wrap my head around how annoyingly secure Linux is.

So what do you do every time you create a directory then? Do you have to manually go in and adjust the permissions for it? I suppose I should just read the IceCoder FAQ?

No, it’s OK, I can give you the answers to save the trauma I went through understanding it.

It’s generally considered best practise to set 755 on dirs and 644 on files. Any dirs and files ICEcoder creates it does so with those permissions.

Generally speaking, if you start off with an empty wwwroot which has 755 and use your editor to create dirs and files within that containing 755 and 644 perms respectively, that’s good, plus they’ll be created under the same owner as your web server, likely www-data. All is well overall and you can happily modify these dirs and files with your editor, as they were not only created by the same user (www-data) that’s now trying to modify them plus the 755/644 perms are fine too.

The only trouble comes when you say bring in a file created by another source. Let’s say a file has 644 permissions again but an owner of ‘root’. That’s no good as we’re running under the www-data user and there’s not relaxed enough permissions either for it to overwrite, so you can’t do that. You now have 2 options - either change the owner of that file to www-data so you can write on it, or relax the write permissions enough to allow it to be writeable by the user that doesn’t have ownership of it (ie, allowing www-data to ignore who owns the file and overwrite it because the permissions are relaxed enough).

The 3 numbers in permissions relate to user, group and other (eg 644 means 6 on user, 4 on group and 4 on other). The numbers are made up via 4 = read, 2 = write, 1 = execute. Therefore 4 on one of those digits just means ‘read’. 5 can only possibly mean ‘read and execute’ (4+1). So really you’d need at least 6 in the ‘other’ section (to mean read and write, ie 4+2). So you’d need to set 646 on your file at least if you don’t change owner instead. Most people go the whole hog and set 7 though (read+write+execute), ie 647. However, setting 7 on the other category is considered dangerous and it’s better to change the owner.

So to sum up - files not created by your web server under which PHP is running (ie, from an external source), will either need the owner changed or high enough permissions on the other part of permissions. Doing either of course can’t be done from PHP and so yes, you unfortunately need to do it from something with higher privileges, eg from your terminal under a user with high enough privileges.

This is exactly why when I bring in an external file to edit in ICEcoder and try to save, it informs me it can’t save. I have to then use my terminal to change owner or permissions to allow writeability to be possible.

Hope this crash course in file ownership/permissions/security helps you build your editor with CodeMirror. :slight_smile:

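Added example, not part of the thread and not ICEcoder's code: the rules from the answer above (an existing target is judged by its own owner and mode, a new file by its parent directory, and only one of the user/group/other digits applies) written as a shell check you can run before changing owner or mode. The function names `can_write` and `world_writable` are hypothetical; it assumes GNU `stat` and `find`, no ACLs, and ignores supplementary groups and root's override.

```shell
# can_write UID GID PATH
# Exit 0 if a process running as UID/GID would be allowed to save PATH,
# judged only from the owner, group and mode bits that stat reports.
can_write() {
  cw_uid=$1 cw_gid=$2 cw_target=$3 cw_need=2       # 2 = write bit
  if [ ! -e "$cw_target" ]; then
    # New file: the parent directory decides, and creating an entry
    # needs write + search on it (2 + 1).
    cw_target=$(dirname -- "$cw_target"); cw_need=3
  fi
  cw_stat=$(stat -c '%u %g %a' -- "$cw_target") || return 2
  set -- $cw_stat            # $1 = owner uid, $2 = owner gid, $3 = mode
  # Exactly one class applies and there is no fall-through: an owner with
  # no write bit is refused even when "other" has one.
  if   [ "$cw_uid" -eq "$1" ]; then cw_digit=$(( $3 / 100 % 10 ))
  elif [ "$cw_gid" -eq "$2" ]; then cw_digit=$(( $3 / 10 % 10 ))
  else                              cw_digit=$(( $3 % 10 ))
  fi
  [ $(( cw_digit & cw_need )) -eq "$cw_need" ]
}

# world_writable DIR
# List entries whose "other" digit includes write (646, 647, 777, ...):
# any local account, not only the web server user, can modify these.
world_writable() {
  find "$1" ! -type l -perm -0002 | sort
}

# Usage on the server from the thread (as a comment so the block has no
# side effects when sourced):
#   can_write "$(id -u www-data)" "$(id -g www-data)" /var/www/html/index.php \
#     || echo "change the owner to www-data rather than opening up 'other'"
#   world_writable /var/www/html
```
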

Thanks man. I had my suspicions that the permission issue you just described would forever be an issue with live web editing. I’ve farted around with many different permission settings and always found it to be an incomplete solution.

I may actually just abandon my project and use Ice. Would you mind if I PM’d you to ask more in-depth questions about Ice? I originally considered it but I had lofty dreams of a fully customized tool that would work with a framework I’m trying to write (it’s just for personal projects), but I’m just so tired of encountering issues with JavaScript that cause me to rebuild it time and time again I’m thinking it might just be easier to modify Ice.

Yeah, that’s a definite drawback with editing of files on Linux based servers - you can only do what you have permissions to do. Makes sense, but certainly can be a pain.

Sure - feel free to email me at info@icecoder.net, saves clogging up the CodeMirror forum. :slight_smile: