On 11/11/11 12:39 PM, Bill Bogstad wrote:
You might look into doing a "chmod g+s user-top-directory". This will cause the group of any files/directories created in that directory to be set to the group of the user-top-directory rather than the group of the process. If users' default umasks are set to 0007 as you suggest, this will probably work for you. The problem with this is that you might not want the users to be in the "webserver" group (otherwise they would be able to read other people's files). As a result, the users won't be able to make a top level directory with the appropriate group setting themselves. If you create the top level directory for them ahead of time (probably required for webserver access), then they will probably never need to do this.
I think I've talked about trying this before and then didn't move forward with it. This would be a great solution, and we can certainly create these directories in advance (in fact, at account creation time), and set ownership policies appropriately. I'll need to understand the semantics of u+s and g+s to see if there are ways a user can "break out" of the setting in a way that would impact others negatively (their problem if they screw themselves up, but we can't have them accessing other users data or the "core" web-server data).
I think the idea would be:

    for u in /home/*; do
        b=`basename "$u"`
        mkdir "$u/portal_data"
        chown -R apache:"$b" "$u/portal_data"
        chmod -R u+rwX,g+rwXs,o-rwX "$u/portal_data"
    done

So when the webserver (process user apache) writes files to /home/peterpan/portal_data/foo/bar then the ownership will be:

    apache:peterpan rw-rw----

Then peterpan can ssh into the system and still read these files in his home directory, but he can't read files in /home/captainhook/portal_data/zip/zap.
Can I mix u+s,g+s to have directory-sticky user ownership of files too? That way if the *user* creates new files and directories the web server user (apache) could still read and serve them.
Oh, I've never done anything with them myself; but you might want to look into what can be done with Access Control Lists. The downside is that your fileservers/applications/backup system may or may not work with them. But that's just me being worried, no specific problems to report. Bill Bogstad
Hurm... This is file-system dependent, isn't it? Any quick words on how well these things work over NFS?
Ian -- Ian Stokes-Rees, PhD W: http://portal.nebiogrid.org [email protected] T: +1.617.432.5608 x75 NEBioGrid, Harvard Medical School C: +1.617.331.5993
_______________________________________________ bblisa mailing list [email protected] http://www.bblisa.org/mailman/listinfo/bblisa
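The thread asks what a setgid (g+s) directory actually does to files and subdirectories created beneath it, and whether u+s can be combined with it. The script below is an added example written for this page; it is not code from either poster. It assumes GNU coreutils (stat -c) on a Linux filesystem that honours the setgid bit on directories, uses the portal_data name and the 2770 mode from the loop above, and picks whatever group the running user is allowed to chgrp to (root: any group in /etc/group; an unprivileged user: a supplementary group, else its own primary group, in which case the inheritance is a no-op but the rest of the demonstration still holds).

```shell
#!/bin/sh
# Added example: what a setgid directory does to new files and subdirectories.
# Assumes GNU stat (Linux). Names below (portal_data, pick_alt_group, ...) are
# this example's own and not from the thread.

set -e

# Choose a group id that differs from the process's primary group if we can,
# so that group inheritance from the directory is visible in the result.
pick_alt_group() {
    primary=$(id -g)
    for g in $(id -G); do
        if [ "$g" != "$primary" ]; then echo "$g"; return 0; fi
    done
    if [ "$(id -u)" = "0" ] && [ -r /etc/group ]; then
        # root may chgrp to any existing group; take the first non-primary one
        while IFS=: read -r _name _pw gid _rest; do
            if [ "$gid" != "$primary" ]; then echo "$gid"; return 0; fi
        done < /etc/group
    fi
    echo "$primary"   # fallback: inheritance becomes a no-op, modes still shown
}

# setup_portal_dir DIR GID: the per-user top directory from the thread,
# group-owned by GID, mode 2770 (u+rwx, g+rwx, o-, setgid on the directory).
setup_portal_dir() {
    dir=$1; gid=$2
    mkdir -p "$dir"
    chgrp "$gid" "$dir"
    chmod u+rwx,g+rwx,o-rwx,g+s "$dir"
    stat -c %a "$dir"           # prints 2770
}

# create_under DIR: create DIR/foo and DIR/foo/bar with the umask 0007 the
# thread proposes, then report "<subdir mode> <subdir gid> <file mode> <file gid>".
# Expected on Linux: the subdirectory inherits both the group and the setgid
# bit (2770); the file inherits the group but not the bit (660).
create_under() {
    dir=$1
    ( umask 0007; mkdir "$dir/foo"; : > "$dir/foo/bar" )
    printf '%s %s %s %s\n' \
        "$(stat -c %a "$dir/foo")"     "$(stat -c %g "$dir/foo")" \
        "$(stat -c %a "$dir/foo/bar")" "$(stat -c %g "$dir/foo/bar")"
}

# Stand-alone run: build a scratch portal_data and show the results.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    scratch=$(mktemp -d)
    gid=$(pick_alt_group)
    setup_portal_dir "$scratch/portal_data" "$gid"
    create_under "$scratch/portal_data"
    rm -rf "$scratch"
fi
```

Two points the run makes concrete. First, the only thing a setgid directory changes is the group of new entries (plus propagation of the setgid bit to new subdirectories); the owner of a new file is always the creating process's effective uid, and on Linux the setuid bit on a directory has no effect at all, so "u+s" cannot give the directory-sticky user ownership asked about above. Second, the file mode is still requested-mode & ~umask, so a web server running with a permissive umask will still produce world-readable files here; the 0007 umask has to hold for the apache process as well as for the ssh users.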
