Project memo · linux · -etc-nginx

webroot ownership root-owned issue & fix

Writing a file with sudo tee changes its owner to root. Once permissions get tangled, nothing recovers automatically.

linux, ssh, nginx, permission

webroot files keep becoming root:root

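Cause: publish.py on son-pro6000 (192.168.1.116) is the problem. It connects over SSH and writes files with sudo tee / sudo mkdir, so the owner ends up as root. It does chown the per-paper subdirectories, but it skips the thesis/ folder and index.html. As a result, hub-daily-cron (running as the son account) fails for lack of permission when it overwrites index.html.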

fix (approach B)

chown -R son:son [webroot_path]

  1. Change ownership of the entire webroot to son:son.
  2. Edit publish.py: drop sudo and use a plain ssh write (cat > path).
  3. _remote_sudo_write -> _remote_write (non-sudo)
  4. sudo mkdir -> plain mkdir.

SSH config issue fix

SSH_HOST = "aoo"

The IP was hard-coded before, so the IdentityFile (ed25519 key) configured in ~/.ssh/config was never picked up. Publishing broke completely with Permission denied. Fixed by switching to the Host alias (aoo).

  • nginx-snippet/systemd/reload: these need root privileges, so sudo stays (correct)
  • backup: ~/prj/thesis/papergen/publish.py.bak.20260531_133103 (192.168.1.116)

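Lessons learned

  1. Writing files with sudo over SSH changes the owner to root. Be careful.
  2. If the key is set in the SSH config, use the Host alias, not the IP.
  3. Once permissions get tangled, every automation script (cron) breaks.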
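
An added example, not part of publish.py or the original memo: a pre-flight ownership audit that a job like hub-daily-cron could run before touching the webroot. The function names, the uids and the `paper-a` directory are assumptions constructed for illustration; ownership is simulated through an injectable lookup so the check runs without root.

```python
import os
import tempfile

SON_UID, ROOT_UID = 1000, 0  # constructed uids; look up the real one with pwd.getpwnam


def find_foreign_owned(webroot, expected_uid, owner_of=None):
    """Return sorted webroot-relative paths whose owner is not expected_uid.

    owner_of (path -> uid) is injectable so the check can be exercised
    without root. The default uses lstat, so a symlink is judged by its
    own owner and os.walk does not descend into symlinked directories.
    """
    if owner_of is None:
        owner_of = lambda p: os.lstat(p).st_uid
    offenders = []
    for dirpath, _dirs, files in os.walk(webroot):
        # Check the directory itself as well: a root-owned thesis/ blocks
        # creating or replacing files in it even when the files are fine.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            if owner_of(path) != expected_uid:
                offenders.append(os.path.relpath(path, webroot))
    return sorted(offenders)


def demo():
    """Constructed tree mirroring the memo: the per-paper dir was chowned,
    thesis/ and thesis/index.html were left root-owned."""
    with tempfile.TemporaryDirectory() as webroot:
        thesis = os.path.join(webroot, "thesis")
        paper = os.path.join(thesis, "paper-a")  # hypothetical paper dir
        os.makedirs(paper)
        for d in (webroot, thesis, paper):
            open(os.path.join(d, "index.html"), "w").close()
        root_owned = {thesis, os.path.join(thesis, "index.html")}
        simulated = lambda p: ROOT_UID if p in root_owned else SON_UID
        drifted = find_foreign_owned(webroot, SON_UID, owner_of=simulated)
        # Real lstat pass: everything was just created by this process.
        clean = find_foreign_owned(webroot, os.geteuid())
        return drifted, clean


if __name__ == "__main__":
    drifted, clean = demo()
    print("would break the cron overwrite:", drifted)
    print("real ownership mismatches:", clean)
```

A non-empty result is the signal to fix ownership before the generator runs, instead of finding out from a failed overwrite.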
Original file (.claude/projects/-etc-nginx/memory/learn-webroot-reroots.md)
---
name: learn-webroot-reroots
description: "Why /var/www/learn.ericfromkorea.com files keep becoming root-owned, and what re-roots them"
metadata: 
  node_type: memory
  type: project
  originSessionId: 3eac8adb-fd0e-4fbc-b45a-9d4cc1700c85
---

`/var/www/learn.ericfromkorea.com/` files periodically revert to **root:root** ownership. The cause is **`papergen/publish.py` on the GPU box son-pro6000 (192.168.1.116)**: it SSHes into this box (son-wtr) as `son` and writes the webroot with `sudo tee` / `sudo mkdir` over SSH (`_remote_sudo_write`, lines ~56-58, 113-114), so the `thesis/` dir and `thesis/index.html` land as root. It only `sudo chown son:son`s the per-paper subdir (line ~101), not `thesis/` itself or `thesis/index.html`.

**Resolved 2026-05-31** (approach B): the whole tree was `chown -R son:son`'d, AND `publish.py` on 192.168.1.116 was edited so webroot writes no longer use sudo — added a non-sudo `_remote_write` (`ssh ... "cat > path"`), and changed `_push_viz_cache`/`regenerate_index` from `sudo mkdir`/`_remote_sudo_write` to plain `mkdir`/`_remote_write`. nginx-snippet + systemd + nginx-reload still use sudo (correctly, root-owned targets). Backup: `~/prj/thesis/papergen/publish.py.bak.20260531_133103` on 192.168.1.116.

Also fixed in the same edit: `SSH_HOST` was `son@192.168.1.121` (direct IP), which does NOT match 116's `~/.ssh/config` `Host aoo` block (the only one specifying `IdentityFile ~/.ssh/son_ed25519_key`), so the key wasn't offered → `Permission denied (publickey)` → publishing was fully broken. Changed `SSH_HOST = "aoo"`. Verified end-to-end: `regenerate_index()` writes son-owned `thesis/index.html`, HTTP 200.

Matters because the [[hub-daily-cron]] generator (running as son) overwrites `index.html` in this dir; if a file there is recreated as root, son loses write access and the hub rebuild breaks for that file.