[Lilug] Still stuck on file permissions

Robert Wilkens robwilkens at gmail.com
Thu Feb 26 07:16:33 PST 2009


Sorry I couldn't be more help.  I know I've done it in public_html where
I've (over 10 years ago) created a java tetris game, then allowed it to save
high scores on the server (pretty simplistic perl cgi script).  I think it
was a matter of giving 'user' ownership to the directory, and giving 'group'
ownership of the directory to the apache group.

 

Rob

 

From: lilug-bounces at lilug.org [mailto:lilug-bounces at lilug.org] On Behalf Of
Kenneth Downs
Sent: Thursday, February 26, 2009 10:13 AM
To: LILUG Mailing List
Subject: Re: [Lilug] Still stuck on file permissions

 

Robert Wilkens wrote: 

This probably _Doesn't_ give you the answer you were looking for.  But is an
option for the development machine to work on files in the public_html
directory of the users home dir, then access (for development purposes) the
files as if they were in http://localhost/~username
<http://localhost/%7Eusername>  work?


Yeah, that's where I've got them, but in order for apache to write generated
files, it still needs full perms.  Turns out to be the same whether they are
in ~/public_html or /var/www




 

I mean, I think you can still do this with apache, but I haven't used it in
forever.

 

Rob

 

From: lilug-bounces at lilug.org [mailto:lilug-bounces at lilug.org] On Behalf Of
Kenneth Downs
Sent: Thursday, February 26, 2009 9:47 AM
To: LILUG Mailing List
Subject: [Lilug] Still stuck on file permissions

 

I've complained about this before, but I'm still hoping somebody can tell me
something I don't know.

I'll skip the details and just say the situation is that a programmer is
developing a web app, but the web app also does code generation, so the
programmer (a regular linux user) must have full control over the files, but
the apache process (www-data on ubuntu) must also have full control.

This is only on a dev workstation, the situation can be avoided on a
production server but not on a dev workstation.

Here is the question: It seems to me that everything about Linux is set up
to prevent this from happening without major interventions that a newer
Linux user will not understand and a veteran will consider inappropriate.
Am I missing something?  Is there a simple way to give two users full
control over a body of files?  Don't just say "groups" automatically, see
below:

METHOD 1: 

1) Add the programmer's user account to the www-data group (veterans may
object, newbies may stumble)
2) Put perms to 6770 on the file tree
3) Set ownership to <user>:www-data on the file tree

This is what I am doing now.  Believe it or not this is as simple as I could
figure it, but I'm shooting for simpler.

METHOD 2:

This gives the veterans fits, but I figured on a dev workstation I would
just run apache as my account.  This is more invasive, but only at a single
point.  At this point the veterans jump in with "never, never, never" but
don't usually address the context of the situation, so I don't know what to
do with their advice.  


METHOD 3:

Complex ACL's.  There seems to be on-off support for more complex file
permissions in Linux, but I get the sense it is a red-headed stepchild.  If
there were a more powerful permissions system that understood the idea of
giving two separate users the same permissions, I'd be very happy to accept
a configurable dependency, but I don't get the idea that's out there.

So I'm really hoping I missed something in the last 10 years on how linux
controls file permission :(









-- 
Kenneth Downs
Secure Data Software
ken at secdat.com  www.andromeda-project.org www.secdat.com
Office: 631-689-7200
Cell: 631-379-0010
Fax: 631-689-0527
 



  _____  



 
_______________________________________________
Lilug mailing list
Lilug at lilug.org
http://lists.lilug.org/listinfo.cgi/lilug-lilug.org
  






-- 
Kenneth Downs
Secure Data Software
ken at secdat.com  www.andromeda-project.org www.secdat.com
Office: 631-689-7200
Cell: 631-379-0010
Fax: 631-689-0527
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.lilug.org/pipermail/lilug-lilug.org/attachments/20090226/6447dab3/attachment-0003.htm>


More information about the Lilug mailing list