<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<br>
On 11/11/11 12:39 PM, Bill Bogstad wrote:
<blockquote class=" cite"
id="mid_CAJFsZ=qMy-XhEbMscDT_9gq5pWFhbtf1T2vtGixT4-up1QWM+Q_mail_gmail_com"
cite="mid:CAJFsZ=qMy-XhEbMscDT_9gq5pWFhbtf1T2vtGixT4-up1QWM+Q@mail.gmail.com"
type="cite">
You might look into doing a "chmod g+s user-top-directory". This
will cause the group of any files/directories created in that directory
to be set to the group of the user-top-directory rather than the
group of the process. If users' default umasks are set to 0007 as you
suggest, this will probably work for you. The problem with this is
that you might not want the users to be in the "webserver" group
(otherwise they would be able to read other people's files). As a
result, the users won't be able to make a top level directory with
the appropriate group setting themselves. If you create the top level
directory for them ahead of time (probably required for webserver
access), then they will probably never need to do this.</blockquote>
<br>
I think I've talked about trying this before and then didn't move
forward with it. This would be a great solution, and we can
certainly create these directories in advance (in fact, at account
creation time), and set ownership policies appropriately. I'll need
to understand the semantics of u+s and g+s to see if there are ways
a user can "break out" of the setting in a way that would impact
others negatively (their problem if they screw themselves up, but we
can't have them accessing other users' data or the "core" web-server
data).<br>
<br>
I think the idea would be:<br>
<br>
<pre>for u in /home/*; do
    b=$(basename "$u")
    mkdir "$u/portal_data"
    chown -R apache:"$b" "$u/portal_data"
    # setgid only on directories: a recursive g+s would also mark plain files
    find "$u/portal_data" -type d -exec chmod u+rwx,g+rwxs,o-rwx {} +
    find "$u/portal_data" -type f -exec chmod u+rw,g+rw,o-rwx {} +
done</pre>
<br>
So when the webserver (process user apache) writes files to
/home/peterpan/portal_data/foo/bar then the ownership will be:<br>
<br>
apache:peterpan rw-rw----<br>
<br>
Then peterpan can ssh into the system and still read these files in
his home directory, but he can't read files in
/home/captainhook/portal_data/zip/zap.<br>
<br>
Can I mix u+s,g+s to have directory-sticky user ownership of files
too? That way if the *user* creates new files and directories the
web server user (apache) could still read and serve them.<br>
<br>
<blockquote class=" cite"
id="mid_CAJFsZ=qMy-XhEbMscDT_9gq5pWFhbtf1T2vtGixT4-up1QWM+Q_mail_gmail_com"
cite="mid:CAJFsZ=qMy-XhEbMscDT_9gq5pWFhbtf1T2vtGixT4-up1QWM+Q@mail.gmail.com"
type="cite">Oh, I've never done anything with them myself; but you
might want to
look into what can be done with Access Control Lists. The downside
is
that your
fileservers/applications/backup system may or may not work with
them. But that's just me being worried, no specific problems to
report.
Bill Bogstad
</blockquote>
<br>
Hurm... This is file-system dependent, isn't it? Any quick words on
how well these things work over NFS?<br>
<br>
Ian<br>
<br>
<pre class="moz-signature" cols="72">--
Ian Stokes-Rees, PhD W: <a class="moz-txt-link-freetext" href="http://portal.nebiogrid.org">http://portal.nebiogrid.org</a>
<a class="moz-txt-link-abbreviated" href="mailto:ijstokes@hkl.hms.harvard.edu">ijstokes@hkl.hms.harvard.edu</a> T: +1.617.432.5608 x75
NEBioGrid, Harvard Medical School C: +1.617.331.5993
</pre>
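The following script is an added example, not code from either message above. It provisions a per-user directory the way the loop in the reply sketches and then checks, on an unprivileged temporary tree, the setgid semantics Bill describes: a subdirectory created under a setgid directory inherits the setgid bit, and a file created there with umask 0007 gets rw-rw---- and the directory's group rather than the creating process's group. Because the verifier is not expected to run as root, the example uses chgrp to the caller's own primary group where the real script would chown to apache:user; the Linux inheritance rules are assumed (the setuid bit on a directory has no effect on Linux, so there is no owner-inheritance counterpart to g+s). The helper names provision_portal_dir, mode_of, group_of and check_inheritance are mine.

```shell
#!/bin/sh
# Added example (not from the thread). Demonstrates setgid-directory group
# inheritance on a throwaway tree; Linux semantics assumed.

# provision_portal_dir DIR GROUP: create DIR with group GROUP, mode rwxrws---,
# setgid only on directories (a recursive g+s would also mark plain files).
provision_portal_dir() {
    dir=$1
    grp=$2
    mkdir -p "$dir" || return 1
    chgrp "$grp" "$dir" || return 1        # real script: chown apache:"$grp" (needs root)
    find "$dir" -type d -exec chmod u=rwx,g=rwxs,o= {} + || return 1
    find "$dir" -type f -exec chmod u=rw,g=rw,o= {} + || return 1
}

# mode_of PATH: the 10-character mode string from ls -ld, e.g. drwxrws---
# (cut drops any trailing ACL/SELinux marker such as "+" or ".").
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# group_of PATH: the group column of ls -ld.
group_of() {
    ls -ld "$1" | awk '{ print $4 }'
}

# check_inheritance DIR: simulate the web server (or the user) creating
# foo/bar under DIR with umask 0007. Returns 0 only if the new directory
# inherited the setgid bit, the file got rw-rw----, and the file carries
# DIR's group (not merely the creator's group).
check_inheritance() {
    base=$1
    (umask 0007 && mkdir "$base/foo" && : > "$base/foo/bar") || return 1
    [ "$(mode_of "$base/foo")" = "drwxrws---" ] || return 1
    [ "$(mode_of "$base/foo/bar")" = "-rw-rw----" ] || return 1
    [ "$(group_of "$base/foo/bar")" = "$(group_of "$base")" ] || return 1
    return 0
}

# demo: provision a temporary portal_data tree, run the check, clean up.
demo() {
    tmp=$(mktemp -d) || return 1
    provision_portal_dir "$tmp/portal_data" "$(id -gn)" || { rm -rf "$tmp"; return 1; }
    check_inheritance "$tmp/portal_data"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

if demo; then
    echo "setgid inheritance behaves as expected"
else
    echo "setgid inheritance check failed"
fi
```

The group-equality check is only meaningful once the directory's group differs from the creating process's primary group, which is exactly the production case (apache writing into a directory whose group is the user). The split between `-type d` and `-type f` matters: `chmod -R g+s` would set the setgid bit on regular files as well, where it has nothing to do with group inheritance.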
</body>
</html>