<html><head></head><body bgcolor="#FFFFFF"><div>Unless I'm totally missing what you are trying to do SELinux should give you the ability to do everything you want. </div><div><br></div><div>You'll have to write your own policies but you can set it so the webserver has R/O access and the user has full control based on file context </div><div><br></div><div>Johno <br><br>On Nov 11, 2011, at 11:20 AM, Ian Stokes-Rees <<a href="mailto:ijstokes@crystal.harvard.edu">ijstokes@crystal.harvard.edu</a>> wrote:<br><br></div><div></div><blockquote type="cite"><div>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
Hi experts,<br>
<br>
I'm in a situation where I need on-disk user data to be accessible
by a webserver process but also by the owners when they ssh into the
system. My initial ambitious plan for this was to have a "mirror"
group for every user that contained the user and also the web server
daemon user. With careful management of who created data and where
it was created this looked like it was going to work -- the
webserver would assert access control policies so the data could
only be accessed by the owning user when coming in through the web
interface, and the user when ssh'ed in to the system could see all
their data but not that of other users. NFSv3 and its 12 (or 16?)
group membership limit meant this didn't get me very far in the end.<br>
<br>
I'm now wondering if an alternative might be to have all this
"dual-access" data owned by "joeblogs" (user) and "webserver"
(group) (or vice versa), with a default umask of "u=rwx,g=rwx,o="
(0007). No users would be in the "webserver" group, and the
webserver user wouldn't be in the joeblogs group. The complexity
here: how to (easily/practically) get the user and webserver to
create files with appropriate ownership.<br>
<br>
Does anyone have any thoughts or experience with this kind of
problem?<br>
<br>
I've considered sudo policies for a "give_user_access peterpan
/path/to/file" script that would:<br>
<br>
1. check /path/to/file has "webserver" as the user or group, then do<br>
2. chown -R webserver:peterpan /path/to/file; chmod -R u+rwX,g+rwX
/path/to/file<br>
<br>
and similarly a script "give_webserver_access /path/to/file" that
would:<br>
<br>
1. check /path/to/file has the current user as the owner or group,
then do<br>
2. chown -R `whoami`:webserver /path/to/file; chmod -R u+rwX,g+rwX
/path/to/file<br>
<br>
But neither running these manually nor automatically (cron, on
login/logout) seems very attractive.<br>
<br>
TIA, Ian
<pre class="moz-signature" cols="72">--
Ian Stokes-Rees, PhD W: <a class="moz-txt-link-freetext" href="http://portal.nebiogrid.org">http://portal.nebiogrid.org</a>
<a class="moz-txt-link-abbreviated" href="mailto:ijstokes@hkl.hms.harvard.edu">ijstokes@hkl.hms.harvard.edu</a> T: +1.617.432.5608 x75
NEBioGrid, Harvard Medical School C: +1.617.331.5993
</pre>
</div></blockquote><blockquote type="cite"><div><ijstokes.vcf></div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>bblisa mailing list</span><br><span><a href="mailto:bblisa@bblisa.org">bblisa@bblisa.org</a></span><br><span><a href="http://www.bblisa.org/mailman/listinfo/bblisa">http://www.bblisa.org/mailman/listinfo/bblisa</a></span></div></blockquote></body></html>