Thursday, 12 August 2021

2021 Ubuntu server: symbolic links + file permissions, including for Laravel uploads


Set permissions on /home/appUploads. (This folder is separate from the place where your
front-end Vue application is deployed, for example
/var/www/myApp/vueAppDeployed/index.js.

A home folder is then created inside the deployed app, /var/www/myApp/vueAppDeployed/home/appUploads,
which later becomes a symlink to /home/appUploads.)

We need to set permissions on /home/appUploads because the Laravel .env file
specifies that uploaded files are stored in /home/appUploads.
This directory is not directly accessible to the web server, so we first set permissions
for www-data to access it and then set up a symlink so our application can reach it.
1) Set permissions for www-data to access the directory
1. Add the current user ubuntu to the Apache www-data group:
 sudo adduser ubuntu www-data
2. Log out and log back in for the new group membership to take effect.
3. Create the /home/appUploads directory.
4. sudo chown ubuntu:www-data /home/appUploads
5. sudo chmod g+s /home/appUploads. With the setgid bit set, any new folders or
files created inside /home/appUploads automatically inherit the group www-data.
 When this takes effect an s appears in the group position of the mode, for example drwxrws---.
6. Default permissions and ACLs
  • The default permission on Ubuntu for a new folder is 755 (750 inside a user's home folder) and for a file 644 (640 inside a user's home folder). We do not want that.
  • To change it, we add an ACL. setfacl accepts either the group name or the numeric group id; $ id www-data shows the id if you prefer the number.
  • $ sudo setfacl -Rdm g:www-data:rx /home/appUploads (setfacl requires sudo apt-get install acl)
  • -R is recursive, which means everything under that directory has the rule applied to it.
    -d is default, which means all future items created under that directory get these rules by default. -m is needed to add/modify rules. This command gives future items created in or copied into /home/appUploads only read and execute permission for the group (caution: a moved file keeps its existing permissions and does not obey this rule). Note that rx lets www-data read what the ubuntu user puts there; a process running as www-data that must create uploads itself needs rwx instead. When the ACL is in effect a + appears after the mode, for example drwxr-x---+.
  • Use $ getfacl /home/appUploads to check that it is working. You should see default:user::rwx and default:group:www-data:r-x.
  • For existing items use $ sudo setfacl -Rm g:www-data:rx /home/appUploads
https://joeyxff.blogspot.com/2019/02/laravel-vuel-cli-deployment.html

6.1. https://serverfault.com/questions/349145/can-i-override-my-umask-using-acls-to-make-all-files-created-in-a-given-director
getfacl shows the current directory's default ACL, i.e. the permissions new items will inherit.

NOTE: the steps above apply to newly created files and directories (a plain cp counts, because it creates a new file). mv keeps the moved item's existing permissions and group, and cp -p / cp -a preserve the source's mode, so those ignore the default ACL.

6.2 Current umask: $ umask prints the mask, for example 0022. The mask bits are removed from the base mode
(0777 for directories, 0666 for files), so 0022 gives 755 directories and 644 files; 4 = read, 2 = write, 1 = execute.
(A file that is moved keeps the mode it already had instead of getting a new one from the umask.)

https://www.cyberciti.biz/tips/understanding-linux-unix-umask-value-usage.html


7. For Laravel, although the folder permissions are inherited properly, the uploaded file itself will be owned by
userName:userNameGroup (ubuntu:ubuntu), the user who owns the Laravel files (or the directory the Laravel files are in). For production this is not an issue, because those files are located under and owned by www-data. For a dev environment you need to add the apache2 web server user to userNameGroup, i.e. add www-data to the ubuntu group:

sudo usermod -a -G group user (https://askubuntu.com/questions/79565/how-to-add-existing-user-to-an-existing-group)
For it to take effect the user usually needs to log in again; for the apache2 user, restart apache2:
sudo service apache2 restart

2) Set a symlink for the application to access the directory

 Symbolic Link

By default, Ubuntu does not allow access through the web browser to any file apart from those located in /var/www, / (root, when enabled) and /usr/share (when enabled, for web applications).


 If your site is using a web document root located elsewhere (such as in /srv) you may need to whitelist your document root directory in /etc/apache2/apache2.conf.

The default Ubuntu document root is /var/www/html. You can make your own virtual hosts under /var/www. This is different from previous releases and provides better security out of the box.



Allow more directory access:

 vim /etc/apache2/apache2.conf

Require all granted means allow access; Require all denied means refuse it.

Options FollowSymLinks means symbolic links inside the directory are followed (Options Indexes additionally enables a directory listing when there is no index file).


<Directory />
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>


:wq!

sudo service apache2 restart



The above configuration allows every folder under /var/www to be accessed, and symlinks set up in /var/www that point to other directories to be followed. Keep in mind that FollowSymLinks follows a link wherever it points, so any file readable by www-data that a link in the document root targets becomes web-accessible; SymLinksIfOwnerMatch is the stricter option (it follows a link only when link and target have the same owner, so with it the link below would have to be owned by ubuntu rather than created as root). Indexes exposes directory listings wherever no index file exists.
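Since the three blocks above decide which paths are browsable and whether symlinks are followed, it helps to audit them rather than eyeball the file. The script below is an added example, not part of the original post: it reads an Apache config on stdin, prints one line per <Directory> block with its Options and Require directives, and flags Indexes (listing) and FollowSymLinks (any symlink followed). The embedded sample is a constructed copy of the three default blocks quoted above; nested <Directory> blocks and .htaccess overrides are not handled.

```shell
#!/bin/sh
# Added example: audit <Directory> blocks of an Apache config for the two
# options that matter to the symlink setup in this post. Not from the original
# post; the sample config below is constructed from the blocks quoted in it.
set -eu

# Constructed sample: the three default apache2.conf blocks quoted in the post.
SAMPLE_CONF=$(cat <<'EOF'
<Directory />
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
EOF
)

# Reads a config on stdin and prints "path|options|require|flags" per block.
# flags: "listing" when Indexes is on, "anysymlink" when FollowSymLinks is on.
audit_directory_blocks() {
    awk '
    /^[[:space:]]*<Directory[[:space:]]/ {
        path = $2; sub(/>$/, "", path); opts = ""; req = ""
    }
    /^[[:space:]]*Options([[:space:]]|$)/ {
        $1 = ""; opts = $0; sub(/^[[:space:]]+/, "", opts)
    }
    /^[[:space:]]*Require[[:space:]]/ {
        $1 = ""; req = $0; sub(/^[[:space:]]+/, "", req)
    }
    /^[[:space:]]*<\/Directory>/ {
        flags = ""
        if (opts ~ /(^|[[:space:]])[+]?Indexes([[:space:]]|$)/) flags = flags "listing,"
        if (opts ~ /(^|[[:space:]])[+]?FollowSymLinks([[:space:]]|$)/) flags = flags "anysymlink,"
        sub(/,$/, "", flags)
        printf "%s|%s|%s|%s\n", path, opts, req, flags
    }'
}

# Run the audit over the embedded sample. On a real host use instead:
#   audit_directory_blocks < /etc/apache2/apache2.conf
audit_sample() {
    printf '%s\n' "$SAMPLE_CONF" | audit_directory_blocks
}
```

Any block that reports both "listing" and "anysymlink" with "all granted" (the /var/www/ default) will serve a directory index of whatever a symlink in it points to, unless a vhost or .htaccess turns Indexes off again.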


To set up a symlink: https://askubuntu.com/questions/843740/how-to-create-a-symbolic-link-in-a-linux-directory


Use ln:

ln -s /var/www/vhosts/ecash_cfe /var/www/vhosts/ecash-staging.com/ecash_root
  • -s stands for symbolic link

  • /var/www/vhosts/ecash_cfe is the target (the existing path the link points to)

  • /var/www/vhosts/ecash-staging.com/ecash_root is the link name



In our Laravel case, since .env says the upload folder is /home/appUploads,
we create a directory named home inside the document root (here /var/www/html) and put the symlink in it:

sudo mkdir /var/www/html/home
# change the group
sudo chown ubuntu:www-data /var/www/html/home
sudo chmod 750 /var/www/html/home
# link /var/www/html/home/appUploads to /home/appUploads, so XXX/home/appUploads serves /home/appUploads
sudo ln -s /home/appUploads /var/www/html/home
https://joeyxff.blogspot.com/2021/06/apache-default-directory-access-and-how.html
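The whole procedure, section 1 (steps 1 to 7) and section 2, collected into one script. This is an added example, not the post's own commands: it assumes the names used in the post (deploy user ubuntu, web group www-data, upload directory /home/appUploads, document root /var/www/html) and lets you override each through an environment variable. The setup functions need root; mode_from_umask, dir_has_setgid and verify_upload_dir run as any user, so verify_upload_dir can be used after every deploy to confirm the setgid bit, group and default ACL are still in place.

```shell
#!/bin/sh
# Added example: the upload-directory procedure from this post as idempotent
# functions plus a verifier. Names below are assumptions, override via env.
set -eu

DEPLOY_USER="${DEPLOY_USER:-ubuntu}"
WEB_GROUP="${WEB_GROUP:-www-data}"
UPLOAD_DIR="${UPLOAD_DIR:-/home/appUploads}"
DOCROOT="${DOCROOT:-/var/www/html}"

# Mode a new item gets under a umask: directories start from 0777, files from
# 0666, and the umask bits are cleared.  mode_from_umask 027 dir -> 750
mode_from_umask() {
    mask=$(( 0$1 ))                      # leading 0 forces octal
    case "$2" in
        dir)  base=$(( 0777 )) ;;
        file) base=$(( 0666 )) ;;
        *)    return 2 ;;
    esac
    printf '%03o\n' $(( base & ~mask ))
}

# True when the setgid bit (the "s" in drwxrws---) is set on a directory.
dir_has_setgid() {
    mode=$(stat -c '%a' "$1")            # e.g. 2750
    [ $(( 0$mode & 02000 )) -ne 0 ]
}

# Steps 1 and 3-6: group membership, directory with setgid, default ACL for
# future items and the same ACL on existing items. Needs root. rx lets the web
# group read; a server process that must write uploads itself needs rwx.
setup_upload_dir() {
    usermod -a -G "$WEB_GROUP" "$DEPLOY_USER"                           # step 1
    install -d -o "$DEPLOY_USER" -g "$WEB_GROUP" -m 2750 "$UPLOAD_DIR"  # steps 3-5
    setfacl -Rdm "g:${WEB_GROUP}:rx" "$UPLOAD_DIR"                      # step 6, future
    setfacl -Rm  "g:${WEB_GROUP}:rx" "$UPLOAD_DIR"                      # step 6, existing
}

# Step 7 (dev only): let the web server read files created as the deploy user.
setup_dev_group() {
    usermod -a -G "$DEPLOY_USER" "$WEB_GROUP"
    service apache2 restart
}

# Section 2: expose UPLOAD_DIR inside the document root, e.g.
# /var/www/html/home/appUploads -> /home/appUploads
setup_symlink() {
    install -d -o "$DEPLOY_USER" -g "$WEB_GROUP" -m 750 "$DOCROOT/home"
    ln -sfn "$UPLOAD_DIR" "$DOCROOT/home/$(basename "$UPLOAD_DIR")"
}

# Check a directory for the state the procedure should leave behind: setgid
# bit, expected group and (when getfacl is installed) a default r-x ACL for
# the group. Prints what is missing; returns 0 only if everything passes.
verify_upload_dir() {
    dir="$1"; group="$2"; ok=0
    dir_has_setgid "$dir" || { echo "missing setgid bit on $dir"; ok=1; }
    [ "$(stat -c '%G' "$dir")" = "$group" ] || { echo "group of $dir is not $group"; ok=1; }
    if command -v getfacl >/dev/null 2>&1; then
        acl=$(getfacl -p "$dir" 2>/dev/null || true)
        case "$acl" in
            *"default:group:${group}:r-x"*) ;;
            *) echo "no default r-x ACL for $group on $dir"; ok=1 ;;
        esac
    fi
    return "$ok"
}

# Usage: sudo sh thisscript.sh setup | dev | verify
case "${1:-}" in
    setup)  setup_upload_dir; setup_symlink ;;
    dev)    setup_dev_group ;;
    verify) verify_upload_dir "$UPLOAD_DIR" "$WEB_GROUP" ;;
esac
```

Run `verify` as the deploy user after a release: a missing setgid bit or default ACL is exactly what makes a fresh upload unreadable to www-data, and it is easier to catch here than in a 403 from Apache.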


Directly accessing the symlinked folder (a directory listing) is forbidden, but a symlink to a particular resource works. For example


https://app.tronappca.com/wcstoreadmin/home/appUploads/super%20admin/Joey%20Xiang/products/6971cc9f-eb55-4063-8ef2-3d4293ce0a68.jpeg

works,

but

https://app.tronappca.com/wcstoreadmin/home/appUploads/super%20admin/Joey%20Xiang/products/

is refused, because listing that directory is not allowed while fetching a named file in it is.




