[Lilug] Still stuck on file permissions

Kenneth Downs ken at secdat.com
Thu Feb 26 07:12:49 PST 2009 

Robert Wilkens wrote:
>
> This probably _/Doesn't/_ give you the answer you were looking for...  
> But is an option for the development machine to work on files in the 
> public_html directory of the users home dir, then access (for 
> development purposes) the files as if they were in 
> http://localhost/~username <http://localhost/%7Eusername> work?
>

Yeah, that's where I've got them, but in order for apache to write 
generated files, it still needs full perms.  Turns out to be the same 
whether they are in ~/public_html or /var/www

>  
>
> I mean, I think you can still do this with apache, but I haven't used 
> it in forever.
>
>  
>
> Rob
>
>  
>
> *From:* lilug-bounces at lilug.org [mailto:lilug-bounces at lilug.org] *On 
> Behalf Of *Kenneth Downs
> *Sent:* Thursday, February 26, 2009 9:47 AM
> *To:* LILUG Mailing List
> *Subject:* [Lilug] Still stuck on file permissions
>
>  
>
> I've complained about this before, but I'm still hoping somebody can 
> tell me something I don't know.
>
> I'll skip the details and just say the situation is that a programmer 
> is developing a web app, but the web app also does code generation, so 
> the programmer (a regular linux user) must have full control over the 
> files, but the apache process (www-data on ubuntu) must also have full 
> control.
>
> This is only on a dev workstation, the situation can be avoided on a 
> production server but not on a dev workstation.
>
> Here is the question: It seems to me that everything about Linux is 
> set up to prevent this from happening without major interventions that 
> a newer Linux user will not understand and a veteran will consider 
> inappropriate.  Am I missing something?  Is there a simple way to give 
> two users full control over a body of files?  Don't just say "groups" 
> automatically, see below:
>
> METHOD 1:
>
> 1) Add the programmer's user account to the www-data group (veterans 
> may object, newbies may stumble)
> 2) Put perms to 6770 on the file tree
> 3) Set ownership to <user>:www-data on the file tree
>
> This is what I am doing now.  Believe it or not this is as simple as I 
> could figure it, but I'm shooting for simpler.
>
> METHOD 2:
>
> This gives the veterans fits, but I figured /on a dev workstation/ I 
> would just run apache as my account.  This is /more invasive/, but 
> /only at a single point/.  At this point the veterans jump in with 
> "never, never, never" but don't usually address the context of the 
> situation, so I don't know what to do with their advice. 
>
>
> METHOD 3:
>
> Complex ACL's.  There seems to be on-off support for more complex file 
> permissions in Linux, but I get the sense it is a red-headed 
> stepchild.  If there were a more powerful permissions system that 
> understood the idea of giving two separate users the same permissions, 
> I'd be very happy to accept a /configurable dependency/, but I don't 
> get the idea that's out there.
>
> So I'm really hoping I missed something in the last 10 years on how 
> linux controls file permission :(
>
>
>
>
>
>
> -- 
> Kenneth Downs
> Secure Data Software
> ken at secdat.com <mailto:ken at secdat.com>  www.andromeda-project.org <http://www.andromeda-project.org> www.secdat.com <http://www.secdat.com>
> Office: 631-689-7200
> Cell: 631-379-0010
> Fax: 631-689-0527
> ------------------------------------------------------------------------
>
> _______________________________________________
> Lilug mailing list
> Lilug at lilug.org
> http://lists.lilug.org/listinfo.cgi/lilug-lilug.org
>   


-- 
Kenneth Downs
Secure Data Software
ken at secdat.com  www.andromeda-project.org www.secdat.com
Office: 631-689-7200
Cell: 631-379-0010
Fax: 631-689-0527

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.lilug.org/pipermail/lilug-lilug.org/attachments/20090226/adfa3e4a/attachment-0003.htm>

More information about the Lilug mailing list