Managing and Troubleshooting File Permissions

First, we should run getfacl /var/www/html to get some baseline information.

Since we don't see any currently set ACLs, let's set our own with the following command:

setfacl -m d:g:devs:rwx /var/www/html

Now anyone in the devs group can navigate to, and write to, /var/www/html.

Trying to run systemctl start httpd will give errors. Running journalctl -xe will show lines similar to this:

Jan 09 20:32:46 Server1 httpd[7107]: (13)Permission denied: AH00091: httpd: could not open error log file /etc/httpd/l>
Jan 09 20:32:46 Server1 httpd[7107]: AH00015: Unable to open logs

It looks like a problem with the error log file, which is /var/log/httpd/error_log.

ls -lZ /var/log/httpd/error_log shows:

-rw-r--r--. 1 root root unconfined_u:object_r:admin_home_t:s0 0 Jan  9 20:17 /var/log/httpd/error_log

Let's use restorecon to fix it:

restorecon /var/log/httpd/error_log
systemctl start httpd

The service starts.

First we should run ls -ld /var/www/devs to get a base of information about this directory.

Then we can run the following commands to set it up as directed:

chmod g+w /var/www/devs
chown root.devs /var/www/devs
chmod g+s /var/www/devs

This will set the setGID bit on the directory and enable all new files and folders created to be owned by the devs group.

First we'll run mv /var/www/devs/index.html /var/www/html.

This returns an "Operation not permitted" error. Since that's not a normal permission denied error, let's look at file attributes.

lsattr /var/www/devs/index.html shows that the file has the immutable flag set. chattr -i /var/www/devs/index.html will allow us to do what we need for this task.