[Lilug] Still stuck on file permissions
Kenneth Downs
ken at secdat.com
Thu Feb 26 07:12:49 PST 2009
Robert Wilkens wrote:
>
> This probably _/Doesn't/_ give you the answer you were looking for...
> But is an option for the development machine to work on files in the
> public_html directory of the users home dir, then access (for
> development purposes) the files as if they were in
> http://localhost/~username <http://localhost/%7Eusername> work?
>
Yeah, that's where I've got them, but in order for apache to write
generated files, it still needs full perms. Turns out to be the same
whether they are in ~/public_html or /var/www
>
>
> I mean, I think you can still do this with apache, but I haven't used
> it in forever.
>
>
>
> Rob
>
>
>
> *From:* lilug-bounces at lilug.org [mailto:lilug-bounces at lilug.org] *On
> Behalf Of *Kenneth Downs
> *Sent:* Thursday, February 26, 2009 9:47 AM
> *To:* LILUG Mailing List
> *Subject:* [Lilug] Still stuck on file permissions
>
>
>
> I've complained about this before, but I'm still hoping somebody can
> tell me something I don't know.
>
> I'll skip the details and just say the situation is that a programmer
> is developing a web app, but the web app also does code generation, so
> the programmer (a regular linux user) must have full control over the
> files, but the apache process (www-data on ubuntu) must also have full
> control.
>
> This is only on a dev workstation, the situation can be avoided on a
> production server but not on a dev workstation.
>
> Here is the question: It seems to me that everything about Linux is
> set up to prevent this from happening without major interventions that
> a newer Linux user will not understand and a veteran will consider
> inappropriate. Am I missing something? Is there a simple way to give
> two users full control over a body of files? Don't just say "groups"
> automatically, see below:
>
> METHOD 1:
>
> 1) Add the programmer's user account to the www-data group (veterans
> may object, newbies may stumble)
> 2) Put perms to 6770 on the file tree
> 3) Set ownership to <user>:www-data on the file tree
>
> This is what I am doing now. Believe it or not this is as simple as I
> could figure it, but I'm shooting for simpler.
>
> METHOD 2:
>
> This gives the veterans fits, but I figured /on a dev workstation/ I
> would just run apache as my account. This is /more invasive/, but
> /only at a single point/. At this point the veterans jump in with
> "never, never, never" but don't usually address the context of the
> situation, so I don't know what to do with their advice.
>
>
> METHOD 3:
>
> Complex ACL's. There seems to be on-off support for more complex file
> permissions in Linux, but I get the sense it is a red-headed
> stepchild. If there were a more powerful permissions system that
> understood the idea of giving two separate users the same permissions,
> I'd be very happy to accept a /configurable dependency/, but I don't
> get the idea that's out there.
>
> So I'm really hoping I missed something in the last 10 years on how
> linux controls file permission :(
>
>
>
>
>
>
> --
> Kenneth Downs
> Secure Data Software
> ken at secdat.com <mailto:ken at secdat.com> www.andromeda-project.org <http://www.andromeda-project.org> www.secdat.com <http://www.secdat.com>
> Office: 631-689-7200
> Cell: 631-379-0010
> Fax: 631-689-0527
> ------------------------------------------------------------------------
>
> _______________________________________________
> Lilug mailing list
> Lilug at lilug.org
> http://lists.lilug.org/listinfo.cgi/lilug-lilug.org
>
--
Kenneth Downs
Secure Data Software
ken at secdat.com www.andromeda-project.org www.secdat.com
Office: 631-689-7200
Cell: 631-379-0010
Fax: 631-689-0527
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.lilug.org/pipermail/lilug-lilug.org/attachments/20090226/adfa3e4a/attachment-0003.htm>
More information about the Lilug
mailing list