[Lilug] Still stuck on file permissions

Robert Wilkens robwilkens at gmail.com
Thu Feb 26 06:53:48 PST 2009 

This probably _Doesn't_ give you the answer you were looking for.  But is an
option for the development machine to work on files in the public_html
directory of the users home dir, then access (for development purposes) the
files as if they were in http://localhost/~username work?

 

I mean, I think you can still do this with apache, but I haven't used it in
forever.

 

Rob

 

From: lilug-bounces at lilug.org [mailto:lilug-bounces at lilug.org] On Behalf Of
Kenneth Downs
Sent: Thursday, February 26, 2009 9:47 AM
To: LILUG Mailing List
Subject: [Lilug] Still stuck on file permissions

 

I've complained about this before, but I'm still hoping somebody can tell me
something I don't know.

I'll skip the details and just say the situation is that a programmer is
developing a web app, but the web app also does code generation, so the
programmer (a regular linux user) must have full control over the files, but
the apache process (www-data on ubuntu) must also have full control.

This is only on a dev workstation, the situation can be avoided on a
production server but not on a dev workstation.

Here is the question: It seems to me that everything about Linux is set up
to prevent this from happening without major interventions that a newer
Linux user will not understand and a veteran will consider inappropriate.
Am I missing something?  Is there a simple way to give two users full
control over a body of files?  Don't just say "groups" automatically, see
below:

METHOD 1: 

1) Add the programmer's user account to the www-data group (veterans may
object, newbies may stumble)
2) Put perms to 6770 on the file tree
3) Set ownership to <user>:www-data on the file tree

This is what I am doing now.  Believe it or not this is as simple as I could
figure it, but I'm shooting for simpler.

METHOD 2:

This gives the veterans fits, but I figured on a dev workstation I would
just run apache as my account.  This is more invasive, but only at a single
point.  At this point the veterans jump in with "never, never, never" but
don't usually address the context of the situation, so I don't know what to
do with their advice.  


METHOD 3:

Complex ACL's.  There seems to be on-off support for more complex file
permissions in Linux, but I get the sense it is a red-headed stepchild.  If
there were a more powerful permissions system that understood the idea of
giving two separate users the same permissions, I'd be very happy to accept
a configurable dependency, but I don't get the idea that's out there.

So I'm really hoping I missed something in the last 10 years on how linux
controls file permission :(








-- 
Kenneth Downs
Secure Data Software
ken at secdat.com  www.andromeda-project.org www.secdat.com
Office: 631-689-7200
Cell: 631-379-0010
Fax: 631-689-0527
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.lilug.org/pipermail/lilug-lilug.org/attachments/20090226/c979b54f/attachment-0003.htm>

More information about the Lilug mailing list