Apache2 permissions “hack”

(Errors are fixed ^^)

It’s not stupid if [the last part] works, right? Right?

1. We need a new group: website
2. We need a user: frank
3. Simple website where everything is put into /var/www/html/

sudo addgroup website
sudo adduser frank website
sudo adduser frank www-data

Let’s see if Frank belongs to the right groups:

groups frank

The result should look something like

frank : frank cdrom floppy sudo audio dip website www-data video plugdev netdev

Let’s change some ownerships, directory first.

sudo chown -vR :website /var/www/html/

Now set the permissions right.

sudo chmod -vR g+w /var/www/html/

You should do a test now by doing the following:

cd /var/www/html/
echo "My server bring all the boys to the yard" > index.html

If you get an error, enter the following:

newgrp - website

This is, in my experience not permanent though, so if you keep having issues, just yeet it into the bash.bashrc file, at the bottom:

sudo nano /etc/bash.bashrc

add at the bottom:

if [[ -n $SSH_CONNECTION ]] ; then
newgrp - www-data
fi

 

Loading

Function to change ownership of the www folder

Just another snippet of code that can be implemented somewhere:

set-perms.sh
#!/bin/bash

# Function to change ownership of the www folder
change_ownership() {
    sudo chown -R "$1":www-data /var/www
    echo "Ownership of the www folder has been set to $1:www-data."
}

# Loop until a valid username is provided
while true; do
    # Prompt the user to enter the desired username
    read -p "Enter the username for permissions: " username

    # Check if the username provided exists
    if id "$username" &>/dev/null; then
        change_ownership "$username"
        break  # Exit the loop if a valid username is provided
    else
        echo "Error: User $username does not exist."
    fi
done

echo "done!"

To make the script executable:

sudo chmod +x set-perms.sh

and run it with

sudo ./set-perms.sh

Loading

Setting up an automated mySQL / MariaDB backup schedule

Just digging deeper in automating thing, so I made two scripts:

backup_cron.sh
#!/bin/bash

# Define the path to the backup script
BACKUP_SCRIPT="/backup_mysql.sh"

# Define the cron job command to run the backup script once a week (every Sunday at midnight)
CRON_COMMAND="0 0 * * 0 $BACKUP_SCRIPT"

# Add the cron job to the crontab
(crontab -l 2>/dev/null; echo "$CRON_COMMAND") | crontab -

echo "Backup cron job set up successfully."

And the script that executes the backup every Sunday:

backup_mysql.sh
#!/bin/bash

# Define the directory where backup files will be stored
BACKUP_DIR="/var/backups/mysql"

# Ensure the backup directory exists
mkdir -p "$BACKUP_DIR"

# Define the filename for the backup file (include date in the filename)
BACKUP_FILE="$BACKUP_DIR/mysql_backup_$(date +%Y-%m-%d_%H-%M-%S).sql"

# Define the compressed filename
COMPRESSED_FILE="$BACKUP_FILE.gz"

# Define MySQL username and password (replace with your MySQL credentials)
DB_USER="USERNAME"
DB_PASS="PASSWORD"

# Dump all databases into a single SQL file
mysqldump -u "$DB_USER" -p"$DB_PASS" --all-databases > "$BACKUP_FILE"

# Add permissions to the backup file
chmod 600 "$BACKUP_FILE"

# Compress the backup file
gzip "$BACKUP_FILE"

echo "Database backup completed. Backup stored in: $COMPRESSED_FILE"

To make the script executable:

sudo chmod +x backup_cron.sh
sudo chmod +x backup_mysql.sh

and run it with

sudo ./backup_cron.sh

Loading

Revised script for LEMP install with PHP7.4 and PHP8.0

Currently successfully needs more testing on a Debian OS 11.5.0 installation. (I now remember why I didn’t want to touch this stuff any more. But oh well, I may as well completely overhaul this script again. The current one does work, but not well enough for me)

Step-by-step is functioning, will now wipe the server to start from scratch again. Also, the previous article will now be deleted.

Note:
If you are using this on a fresh Debian install, SUDO might not have been installed, nor has the user (so not the root) been add to SUDO. This is how you do that if you are logged in as user:

su -
apt update
apt install sudo
usermod -aG sudo <username>
exit
exit

You need to exit twice so you log out as root and as user. After that, you need to log back in as user so you can start using sudo from now on.


Let’s begin! You can name the script something like

setup.sh
#!/bin/bash

# Update system
sudo apt update
sudo apt upgrade -y

# Install necessary packages
sudo apt install gnupg nginx mariadb-server php7.4-fpm php7.4-mysql php7.4-curl php7.4-gd php7.4-mbstring php7.4-xml php7.4-zip ssh ufw nano fail2ban curl wget sudo openssl net-tools unzip -y

# Add repository key for PHP 8.0
sudo apt install software-properties-common -y
sudo wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg

# Add repository for PHP 8.0
echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/php.list
sudo apt update

# Install PHP 8.0 and extensions
sudo apt install php8.0-fpm php8.0-mysql php8.0-curl php8.0-gd php8.0-mbstring php8.0-xml php8.0-zip -y

# Configure UFW to allow web traffic and SSH
sudo ufw allow OpenSSH
sudo ufw allow 'Nginx Full'
sudo ufw allow 3306/tcp

# Enable UFW
sudo ufw enable

# Configure automatic security updates
echo 'APT::Periodic::Update-Package-Lists "1";' | sudo tee -a /etc/apt/apt.conf.d/10periodic
echo 'APT::Periodic::Download-Upgradeable-Packages "1";' | sudo tee -a /etc/apt/apt.conf.d/10periodic
echo 'APT::Periodic::AutocleanInterval "7";' | sudo tee -a /etc/apt/apt.conf.d/10periodic
echo 'APT::Periodic::Unattended-Upgrade "1";' | sudo tee -a /etc/apt/apt.conf.d/20auto-upgrades

# Disable root login via SSH
sudo sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin no/' /etc/ssh/sshd_config
sudo systemctl restart sshd

# Generate SSH key pairs
ssh-keygen -t rsa -b 4096

# Configure Nginx
sudo systemctl start nginx
sudo systemctl enable nginx

# Configure PHP 7.4
sudo systemctl start php7.4-fpm
sudo systemctl enable php7.4-fpm

# Configure PHP 8.0
sudo systemctl start php8.0-fpm
sudo systemctl enable php8.0-fpm

# Configure MariaDB
sudo mysql_secure_installation

# Allow Nginx to use PHP
sudo sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/' /etc/php/7.4/fpm/php.ini
sudo sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/' /etc/php/8.0/fpm/php.ini

# Restart Nginx and PHP services
sudo systemctl restart nginx
sudo systemctl restart php7.4-fpm
sudo systemctl restart php8.0-fpm

# Create a temporary file to store server and PHP info
tmpfile=$(mktemp)

# Get server info
uname -a > "$tmpfile"

# Get PHP version
php -v >> "$tmpfile"

# Append server and PHP info to index.html
cat "$tmpfile" | sudo tee /var/www/html/index.html >/dev/null

# Remove temporary file
rm "$tmpfile"

# Install adminer 
sudo apt install adminer -y
sudo ln -s /usr/share/adminer/adminer.php /var/www/html/adminer.php
sudo chown -R www-data:www-data /usr/share/adminer /var/www/html/adminer.php

# Set the permissions correct for www
sudo chmod g+w /var/www
sudo chown -R :www-data www
sudo chmod g+s www

change_ownership() {
    sudo chown -R "$1":www-data /var/www
    echo "Ownership of the www folder has been set to $1:www-data."
}

# Loop until a valid username is provided
while true; do
    # Prompt the user to enter the desired username
    read -p "Enter the username for permissions: " username

    # Check if the username provided exists
    if id "$username" &>/dev/null; then
        change_ownership "$username"
        break  # Exit the loop if a valid username is provided
    else
        echo "Error: User $username does not exist."
    fi
done
echo "LEMP setup completed successfully."
echo "Check if Adminer is working by opening a browser, and entering http://IP_address/adminer.php in the address bar"

To make the script executable:

sudo chmod +x setup.sh

and run it with

sudo ./setup.sh

When things like PHP fail to work (becuase y’know… PHP)
These are the files that have to look this way to make PHP happen.

sudo nano /etc/nginx/sites-available/default
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or WordPress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # SSL configuration
    #
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.php index.html index.htm index.nginx-debian.html;

    server_name _;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    # pass PHP scripts to FastCGI server
    #
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
    
    #	# With php-fpm (or other unix sockets):
        fastcgi_pass unix:/run/php/php8.0-fpm.sock;
#non-standard addition
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
    #	# With php-cgi (or other tcp sockets):
    #	fastcgi_pass 127.0.0.1:9000;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #	deny all;
    #}
}


# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#	listen 80;
#	listen [::]:80;
#
#	server_name example.com;
#
#	root /var/www/example.com;
#	index index.html;
#
#	location / {
#		try_files $uri $uri/ =404;
#	}
#}
sudo nano /etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

    ##
    # PHP Config
    ##

    # PHP-FPM upstream
    upstream php {
        server unix:/var/run/php/php8.0-fpm.sock; # Adjust the PHP version if necessary
    }


#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
#
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}
}

And when you enter the following commands, you restart NGINX and PHP FPM and there should be no error message.

sudo systemctl restart nginx

# Adjust the PHP version if necessary. In my case, I want PHP 8.0

sudo systemctl restart php8.0-fpm

Good luck 🙂

Loading

Static IP address in Linux (Debian)

You can give your Debian installation a static IP address by following these steps:

1. Determine your network interface name: Use the following command to determine the name of your network interface:

ip addr

This will display information about all of your network interfaces. Look for the interface that you want to configure with a fixed IP address. The interface name will be listed on the left-hand side of the output (e.g. eth0, enp0s3, etc.)

2. Edit the network configuration file: Use a text editor to edit the /etc/network/interfaces file. For example, you can use the nano editor by running the following command:

sudo nano /etc/network/interfaces

3. Configure the network interface: Add the following lines to the file, replacing the interface name and IP address with your own values:

auto <interface-name>
iface <interface-name> inet static
address <ip-address>
netmask <subnet-mask>
gateway <default-gateway>
dns-nameservers <dns-server-ip-address>

For example, if your network interface name is “eth0” and you want to set the IP address to “192.168.0.10”, the subnet mask to “255.255.255.0”, the default gateway to “192.168.0.1”, and the DNS server to “8.8.8.8”, the configuration would look like this:

auto eth0
iface eth0 inet static
address 192.168.0.10
netmask 255.255.255.0
gateway 192.168.0.1
dns-nameservers 8.8.8.8

4. Save and close the file: Press Ctrl+O to save the file, and then press Ctrl+X to close the editor.

5. Restart the networking service: Use the following command to restart the networking service and apply the changes:

sudo systemctl restart networking

After you’ve completed these steps, your Debian installation should have a fixed IP address. You can verify the configuration by using the “ip addr” command again and looking for the interface that you configured.

More info here: https://wiki.debian.org/NetworkConfiguration
Thanks to https://fosstodon.org/@HankB for the tips and better choice of words!

Loading

Permanently switching off the GUI in Debian Linux

* Disable the Display Manager: The Display Manager is the graphical login screen that appears when you start up Debian. You can disable it by stopping the service and preventing it from starting at boot time. Use the following command to stop the service:

sudo systemctl stop display-manager.service

And then disable the service from starting at boot time:

sudo systemctl disable display-manager.service

* Remove the GUI packages: You can remove the GUI packages from your Debian installation by using the following command:

sudo apt-get remove task-gnome-desktop

This will remove the GNOME desktop environment and all its associated packages. If you’re using a different desktop environment, replace “gnome” with the name of your desktop environment.

* Reboot your system: Once you’ve disabled the Display Manager and removed the GUI packages, you’ll need to reboot your system for the changes to take effect. Use the following command to reboot your system:

sudo reboot

After the reboot, your Debian installation should boot into a command-line interface without any GUI.

Keep in mind that disabling the GUI permanently may make some tasks more difficult or time-consuming to perform. It’s recommended to proceed with caution and ensure that you have a backup plan in case you need to re-enable the GUI later.


The following has been suggested by https://fosstodon.org/@HankB :

Or

systemctl set-default multi-user.target

sudo systemctl set-default graphical.target

Loading

Switching off the GUI in Debian

  • Disable the GUI on boot: sudo systemctl set-default multi-user.target
  • Enable the GUI on boot: sudo systemctl set-default graphical.target
  • Disable the GUI temporarily: sudo systemctl isolate multi-user.target
  • Enable the GUI temporarily: sudo systemctl isolate graphical.target

Starting a virtual terminal: Press Ctrl+Alt+F2
To return: Press Ctrl+Alt+F1 or Ctrl+Alt+F7

Loading