3.3. Setting up users and permissions

For security reasons, we will run the BrewPi python script under its own user account: an account without sudo rights. We will set up the brewpi user and group now. The web interface will run under the user and group www-data, which already exist on a Raspbian/Debian system. We add the brewpi user with useradd; on Debian-based systems useradd creates a matching brewpi group automatically (USERGROUPS_ENAB is set to yes in /etc/login.defs). The -m flag creates the home directory and -k /dev/null keeps it empty instead of copying /etc/skel into it. We also add the brewpi user to the supplementary groups www-data and dialout (needed for write access to /var/www/ and to the serial ports, respectively). Finally, we set a password for the brewpi user with passwd.

sudo useradd -m -k /dev/null -G www-data,dialout brewpi
sudo passwd brewpi

Now, verify your work:

id brewpi

You should see something similar to:

uid=1001(brewpi) gid=1002(brewpi) groups=1002(brewpi),20(dialout),33(www-data)

The python script will reside in the brewpi home directory. It will log data to the ./data subdirectory, keep settings in ./settings, and copy everything the web interface needs to /var/www/, where the files are owned by www-data. By doing it this way, the www-data user does not need any rights outside /var/www. The brewpi user, on the other hand, has to write into directories owned by www-data, which is why it is a member of the www-data group. For convenience we also add the pi user to both groups so it can edit the files without sudo (pi already has sudo rights, so this does not widen its access in practice).

sudo usermod -a -G www-data pi
sudo usermod -a -G brewpi pi

To make sure that every file created below /var/www gets www-data as its group, even when it is created by the brewpi user, we set the setgid bit (chmod g+s) on /var/www and all of its subdirectories. On a directory, the setgid bit makes new files and subdirectories inherit the directory's group instead of the creating user's primary group; subdirectories also inherit the setgid bit itself. (This is not the sticky bit, which is chmod +t and only restricts deletion.) We set the setgid bit on the brewpi home directory as well. Run the following commands:

sudo chown -R www-data:www-data /var/www
sudo chown -R brewpi:brewpi /home/brewpi
sudo find /home/brewpi -type f -exec chmod g+rwx {} \;
sudo find /home/brewpi -type d -exec chmod g+rwxs {} \;
sudo find /var/www -type d -exec chmod g+rwxs {} \;
sudo find /var/www -type f -exec chmod g+rwx {} \;

These commands do the following things:

  • Set the ownership of everything under /var/www to www-data and of everything under /home/brewpi to brewpi, recursively (first two lines)
  • Give the group read, write and execute permission on all regular files (third and sixth lines)
  • Give the group all permissions and set the setgid bit on all directories (fourth and fifth lines), so that new files inherit the directory's group

Note that granting execute permission to every regular file is broader than strictly necessary: scripts need it, but data and settings files only need group read and write. The group write permission on the directories, combined with the setgid bit, is what lets brewpi and www-data share the tree.
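The commands above set the permissions, but the guide only tells you to look at the output of id. The following script is an added example (not part of the BrewPi documentation or the brewpi-script repository) that checks a directory tree for the layout those commands produce, and demonstrates the setgid group inheritance the text relies on. Group and path are parameters; the functions contain nothing BrewPi-specific. It uses GNU stat (-c) and so assumes a Linux system such as Raspbian.

```sh
#!/bin/sh
# Added example: verify the shared-directory layout and show setgid inheritance.
# Not from the BrewPi project; groups and paths are whatever you pass in.

# pick_gid: choose a group id for the demonstration.
# Prefer a supplementary group that differs from the primary group, because
# only then is inheritance distinguishable from the default behaviour.
# Root may assign any group, so fall back to gid 1 (daemon on Debian).
pick_gid() {
    primary=$(id -g)
    for g in $(id -G); do
        if [ "$g" != "$primary" ]; then echo "$g"; return 0; fi
    done
    if [ "$(id -u)" = 0 ]; then echo 1; return 0; fi
    echo "$primary"
}

# setgid_demo GID: create a directory owned by GID with g+s, create a file in
# it as the current user, and print the file's numeric group. With the setgid
# bit the file gets GID; without it the file would get the creator's primary group.
setgid_demo() {
    d=$(mktemp -d) || return 1
    chgrp "$1" "$d" && chmod g+rwxs "$d" || { rm -rf "$d"; return 1; }
    : > "$d/newfile"
    stat -c %g "$d/newfile"          # GNU stat: numeric gid of the new file
    rm -rf "$d"
}

# check_tree DIR GROUP: print every path that breaks the expected layout
# (wrong group, directory without setgid, or not group-writable).
# Returns 0 when the tree is clean, 1 otherwise. GROUP may be a name or a gid.
check_tree() {
    dir="$1"; grp="$2"
    problems=$( {
        find "$dir" ! -group "$grp" -exec printf 'wrong group: %s\n' {} +
        find "$dir" -type d ! -perm -g+s -exec printf 'setgid missing: %s\n' {} +
        find "$dir" ! -perm -g+w -exec printf 'group not writable: %s\n' {} +
    } )
    if [ -z "$problems" ]; then
        return 0
    fi
    printf '%s\n' "$problems"
    return 1
}

# Stand-alone usage: show inheritance, then audit /var/www and /home/brewpi
# if they exist (on a box that is not a BrewPi host these are simply skipped).
demo_gid=$(pick_gid)
echo "new file in a g+s directory owned by gid $demo_gid gets gid $(setgid_demo "$demo_gid")"
[ -d /var/www ]     && { check_tree /var/www www-data   && echo "/var/www: ok"; }
[ -d /home/brewpi ] && { check_tree /home/brewpi brewpi && echo "/home/brewpi: ok"; }
```

Run it after the chmod/chown commands; any line it prints names a file or directory the commands missed, typically one that was created later by pi or root. An empty result for both trees means the brewpi user can write everywhere it needs to and nothing it creates will end up in its own group.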

Fixing permissions issues

If you run into permission issues later, you can use a script included with the brewpi-script repository to fix them. This typically happens when git was run as pi or as root instead of as the brewpi or www-data user, so that the checked-out files are owned by pi or root and the web interface or the script gets an error when it tries to access them. The script simply executes the commands above. Run it with:

sudo /home/brewpi/utils/fixPermissions.sh

Starting and stopping the python script

There is a button in the web interface to start and stop the brewpi script. But allowing the www-data user to start python scripts would be a serious security risk: a compromised web application could then run arbitrary code. Instead, a CRON job runs as the brewpi user every minute, checks whether the script should be running, and starts it if it is not. The www-data user only has to create or remove a file in the web directory; it never launches a process. We will set this up after getting the BrewPi files from Git.
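To make the separation concrete, here is an added example of the pattern described above, written for this page and not taken from the BrewPi project (whose actual cron job and flag file are set up in a later section and differ in their names). All names are assumptions: the web interface is supposed to create or delete the flag file brewpi_should_run in the web directory, the runner keeps a pid file, and the start command is whatever you pass in. The point is that the only thing www-data can do is toggle a file; the process is started by the cron entry in the brewpi user's crontab.

```sh
#!/bin/sh
# Added example of the "cron reconciles, the web server only toggles a file"
# pattern. Not the BrewPi project's own script; flag file name, pid file and
# start command are hypothetical and passed in as arguments.

# should_run FLAG_DIR: true if the web interface has asked for the script to run.
should_run() {
    [ -f "$1/brewpi_should_run" ]
}

# is_running PIDFILE: true if the pid file names a process that is still alive.
# A missing, empty or non-numeric pid file counts as "not running".
is_running() {
    [ -f "$1" ] || return 1
    pid=$(cat "$1")
    case "$pid" in ''|*[!0-9]*) return 1 ;; esac
    kill -0 "$pid" 2>/dev/null
}

# reconcile FLAG_DIR PIDFILE START_CMD: the body of the per-minute cron job.
# Prints one word describing what it did so that cron mails are readable.
# It is meant to run as the unprivileged brewpi user, never as root or www-data.
reconcile() {
    flag_dir="$1"; pidfile="$2"; start_cmd="$3"
    if should_run "$flag_dir"; then
        if is_running "$pidfile"; then
            echo "already running"
            return 0
        fi
        echo "starting"
        # Detach stdout/stderr so the job does not hang on a pipe; the script
        # should do its own logging under /home/brewpi/data.
        $start_cmd >/dev/null 2>&1 &
        echo $! > "$pidfile"
    else
        if is_running "$pidfile"; then
            echo "stopping"
            kill "$(cat "$pidfile")"
            rm -f "$pidfile"
        else
            echo "idle"
        fi
    fi
}

# Stand-alone usage with hypothetical paths; the crontab entry for the brewpi
# user would be:  * * * * * /home/brewpi/utils/reconcile.sh
# Only the first three variables need to change for a real installation.
FLAG_DIR="${FLAG_DIR:-/var/www}"
PIDFILE="${PIDFILE:-/home/brewpi/brewpi.pid}"
BREWPI_CMD="${BREWPI_CMD:-python /home/brewpi/brewpi.py}"
if [ "${1:-}" = "run" ]; then
    reconcile "$FLAG_DIR" "$PIDFILE" "$BREWPI_CMD"
fi
```

With the permissions from the previous section, www-data can create and delete the flag file because /var/www is group-writable with the setgid bit set, and brewpi can read it because it is in the www-data group. Neither user needs sudo, and the web server has no way to choose what gets executed.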