| 1 |
On 03/17/2016 06:38 PM, Rich Freeman wrote: |
| 2 |
> On Thu, Mar 17, 2016 at 4:59 PM, Alan McKinnon <alan.mckinnon@×××××.com> wrote: |
| 3 |
> |
| 4 |
> Actually, this is completely viable... |
| 5 |
> |
| 6 |
> If users chmod a file then tell them not to. If you must, set up some |
| 7 |
> cron job to clean up after them. |
| 8 |
> |
| 9 |
> But, you can of course do this with ACLs as well. I haven't tried |
| 10 |
> setting those up personally. |
| 11 |
> |
| 12 |
|
| 13 |
I missed the beginning of this thread, but I just caught up on the |
| 14 |
archive. This has long been a pet peeve of mine. I don't think there's a |
| 15 |
way to make it work *at all* on Linux, which is stupid, since every |
| 16 |
somebody's-nephew can set it up in five minutes on a Windows server. |
| 17 |
|
| 18 |
You can very easily come up with a situation that umasks, group |
| 19 |
membership, and setgid can't handle. Suppose you want a public website |
| 20 |
directory to be, |
| 21 |
|
| 22 |
* Writable by the client (their developers) |
| 23 |
* Writable by your web developers |
| 24 |
* Readable by the Apache user |
| 25 |
|
| 26 |
You can't make Apache a member of the group that has write access, so |
| 27 |
while I haven't been real careful, I don't think you can make that |
| 28 |
extremely common situation work. Every law office |
| 29 |
(attorney/paralegal/secretary) and small business needs something |
| 30 |
similar and it just can't be done. |
| 31 |
|
| 32 |
ACLs also won't work, because nobody ever made default ACLs do the right |
| 33 |
thing. Everything in the "acl" directory should be rwx by the "apache" |
| 34 |
user below (that's what the setfacl does): |
| 35 |
|
| 36 |
$ mkdir acl |
| 37 |
$ cd acl |
| 38 |
$ setfacl -d -m user:apache:rwx . |
| 39 |
|
| 40 |
But, it's not! Just copy any file in, and see what happens: |
| 41 |
|
| 42 |
$ cp /etc/profile ./ |
| 43 |
$ getfacl profile |
| 44 |
# file: profile |
| 45 |
# owner: mjo |
| 46 |
# group: mjo user::rw- |
| 47 |
user:apache:rwx # effective:r-- |
| 48 |
group::r-x # effective:r-- |
| 49 |
mask::r-- |
| 50 |
other::r-- |
| 51 |
|
| 52 |
The write and execute bits are masked, so your website crashes, because |
| 53 |
Apache can't write that file (or traverse it, if we did the same |
| 54 |
experiment with a directory). |
| 55 |
|
| 56 |
The problem above is that most common tools will do something braindead |
| 57 |
in the presence of ACLs, and attempt to preserve the existing group |
| 58 |
bits. Even though, when there are ACLs around, those group bits don't |
| 59 |
signify group permissions. |
| 60 |
|
| 61 |
To make ACLs do the right thing, you need to run |
| 62 |
sys-apps/apply-default-acl on every file that the users create, so that |
| 63 |
the default ACLs get applied by default (craaazzzyyy). You can do that |
| 64 |
in a cron job like Alan suggested, or I've hacked tar, cp, mkdir, etc. |
| 65 |
to run it automatically on all of our servers. |
| 66 |
|
| 67 |
Why do I need to hack coreutils to share a directory between three |
| 68 |
people? The ACL/coreutils people don't really see this as a problem. |
| 69 |
They say, tell your paralegal to RTFM and set the permissions how he |
| 70 |
wants them. (It will take you about a week to read the man pages for ACLs.) |
Archives