[BBLISA] Dual access to files by webserver and user.

Ian Stokes-Rees ijstokes at crystal.harvard.edu
Fri Nov 11 13:28:07 EST 2011



On 11/11/11 12:39 PM, Bill Bogstad wrote:
> You might look into doing a "chmod g+s user-top-directory". This will 
> cause the group of any files/directories created in that directory to 
> be set to the group of the user-top-directory rather then the group of 
> the process. If users' default umasks are set to 0007 as you suggest, 
> this will probably work for you. The problem with this is that you 
> might not want the users to be in the "webserver" group (otherwise 
> they would be able to read other people's files). As a result, the 
> users won't be able to make a top level directory with the appropriate 
> group setting themselves. If you create the top level directory for 
> them ahead of time (probably required for webserver access), then they 
> will probably never need to do this.

I think I've talked about trying this before and then didn't move 
forward with it.  This would be a great solution, and we can certainly 
create these directories in advance (in fact, at account creation time), 
and set ownership policies appropriately.  I'll need to understand the 
semantics of u+s and g+s to see if there are ways a user can "break out" 
of the setting in a way that would impact others negatively (their 
problem if they screw themselves up, but we can't have them accessing 
other users data or the "core" web-server data).

I think the idea would be:

for u in /home/*; do
   b=$(basename "$u")
   mkdir "$u/portal_data"
   chown -R "apache:$b" "$u/portal_data"
   # setgid only on directories: on a regular file the s bit is not group
   # inheritance (on Linux, setgid without group-exec means mandatory locking)
   find "$u/portal_data" -type d -exec chmod u+rwX,g+rwXs,o-rwX {} +
   find "$u/portal_data" -type f -exec chmod u+rw,g+rw,o-rwx {} +
done

So when the webserver (process user apache) writes files to 
/home/peterpan/portal_data/foo/bar then the ownership will be:

apache:peterpan rw-rw----

Then peterpan can ssh into the system and still read these files in his 
home directory, but he can't read files in 
/home/captainhook/portal_data/zip/zap.

Can I mix u+s,g+s to have directory-sticky user ownership of files too?  
That way if the *user* creates new files and directories the web server 
user (apache) could still read and serve them.

> Oh, I've never done anything with them myself; but you might want to 
> look into what can be done with Access Control Lists. The downside is 
> that your fileservers/applications/backup system may or may not work 
> with them. But that's just me being worried, no specific problems to 
> report. Bill Bogstad 

Hurm... This is file-system dependent, isn't it?  Any quick words on how 
well these things work over NFS?

Ian

-- 
Ian Stokes-Rees, PhD                    W: http://portal.nebiogrid.org
ijstokes at hkl.hms.harvard.edu            T: +1.617.432.5608 x75
NEBioGrid, Harvard Medical School       C: +1.617.331.5993
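The script below is an added example, not part of the thread and not Ian's or Bill's code. It builds the per-user portal_data layout described above under a scratch root (a stand-in for /home) and checks what the setgid bit actually gives you: a directory with g+s makes new files take the directory's group, but never its owner, because Linux ignores u+s on directories (the owner is always the creating process's uid). So "directory-sticky user ownership" is not available; for the reverse direction (files the user creates staying readable by the web server) the script applies a default ACL where setfacl is present, which is the ACL approach Bill mentions. The web-server account is taken from $WEB_USER and defaults to the invoking user so the script runs unprivileged; in a real deployment it would be apache and the root would be /home. The usernames peterpan and captainhook are the thread's own placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): per-user portal_data directories with
# setgid on directories only, plus an optional default ACL for the web server.
# Assumed: POSIX sh with ls/find/awk/mktemp. $WEB_USER defaults to the
# current user so no root is needed; set WEB_USER=apache and ROOT=/home for real.
set -eu

WEB_USER="${WEB_USER:-$(id -un)}"

# mode_string PATH: the ten-character mode field from ls -ld, e.g. drwxrws---
mode_string() { ls -ld "$1" | awk '{print $1}' | cut -c1-10; }

# group_of PATH: owning group as printed by ls -ld
group_of() { ls -ld "$1" | awk '{print $4}'; }

# has_setgid PATH: true when the group-execute slot shows s or S
has_setgid() {
    case "$(mode_string "$1" | cut -c7)" in s|S) return 0 ;; *) return 1 ;; esac
}

# setup_portal_dir ROOT USER GROUP: create ROOT/USER/portal_data owned by
# WEB_USER:GROUP. setgid goes on directories only; files get rw-rw----.
# (chmod -R ...s would also put setgid on regular files, which on Linux is
# the mandatory-locking flag, not inheritance.) Prints the directory path.
setup_portal_dir() {
    d="$1/$2/portal_data"
    mkdir -p "$d"
    chown -R "$WEB_USER:$3" "$d"
    find "$d" -type d -exec chmod u=rwx,g=rwxs,o= {} +
    find "$d" -type f -exec chmod u=rw,g=rw,o= {} +
    # Default ACL so files the *user* later creates stay readable by the web
    # server. Needs POSIX ACL support on the filesystem; skipped otherwise.
    if command -v setfacl >/dev/null 2>&1; then
        setfacl -d -m "u:$WEB_USER:rwX" "$d" 2>/dev/null \
            || echo "note: no ACL support on $d" >&2
    fi
    printf '%s\n' "$d"
}

# inherits_group DIR: create a file in DIR and check that it took DIR's group
# (what g+s provides) and did not itself become setgid. Exit status 0 = yes.
inherits_group() {
    f="$1/probe.$$"
    : > "$f"
    ok=1
    [ "$(group_of "$f")" = "$(group_of "$1")" ] || ok=0
    has_setgid "$f" && ok=0
    rm -f "$f"
    [ "$ok" = 1 ]
}

# Demonstration in a scratch root standing in for /home.
ROOT="$(mktemp -d)"
for u in peterpan captainhook; do
    d="$(setup_portal_dir "$ROOT" "$u" "$(id -gn)")"
    echo "$d -> $(mode_string "$d") owner $WEB_USER group $(group_of "$d")"
    if inherits_group "$d"; then
        echo "  files created here inherit group $(group_of "$d"), not the owner"
    fi
done
rm -rf "$ROOT"
```

Two caveats for the NFS question: the setgid-directory behaviour is implemented by the server's filesystem, so it works over NFS as long as the export's filesystem honours it, while default ACLs need POSIX ACL support on that filesystem and, over NFSv3, the side-band ACL protocol on both client and server; NFSv4 uses its own ACL model, which the server maps to or from the on-disk POSIX ACLs. Check with getfacl from an NFS client before relying on the ACL part.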
