On 03/17/2016 06:38 PM, Rich Freeman wrote:
> On Thu, Mar 17, 2016 at 4:59 PM, Alan McKinnon <alan.mckinnon@×××××.com> wrote:
>
> Actually, this is completely viable...
>
> If users chmod a file then tell them not to. If you must, set up some
> cron job to clean up after them.
>
> But, you can of course do this with ACLs as well. I haven't tried
> setting those up personally.
>

I missed the beginning of this thread, but I just caught up on the
archive. This has long been a pet peeve of mine. I don't think there's a
way to make it work *at all* on Linux, which is stupid, since every
somebody's-nephew can set it up in five minutes on a Windows server.

You can very easily come up with a situation that umasks, group
membership, and setgid can't handle. Suppose you want a public website
directory to be,

* Writable by the client (their developers)
* Writable by your web developers
* Readable by the Apache user

You can't make Apache a member of the group that has write access, so
while I haven't been real careful, I don't think you can make that
extremely common situation work. Every law office
(attorney/paralegal/secretary) and small business needs something
similar and it just can't be done.

ACLs also won't work, because nobody ever made default ACLs do the right
thing. Everything in the "acl" directory should be rwx by the "apache"
user below (that's what the setfacl does):

  $ mkdir acl
  $ cd acl
  $ setfacl -d -m user:apache:rwx .

But, it's not! Just copy any file in, and see what happens:

  $ cp /etc/profile ./
  $ getfacl profile
  # file: profile
  # owner: mjo
  # group: mjo
  user::rw-
  user:apache:rwx    # effective:r--
  group::r-x         # effective:r--
  mask::r--
  other::r--

The write and execute bits are masked, so your website crashes, because
Apache can't write that file (or traverse it, if we did the same
experiment with a directory).

The problem above is that most common tools will do something braindead
in the presence of ACLs, and attempt to preserve the existing group
bits. Even though, when there are ACLs around, those group bits don't
signify group permissions.

To make ACLs do the right thing, you need to run
sys-apps/apply-default-acl on every file that the users create, so that
the default ACLs get applied by default (craaazzzyyy). You can do that
in a cron job like Alan suggested, or I've hacked tar, cp, mkdir, etc.
to run it automatically on all of our servers.

Why do I need to hack coreutils to share a directory between three
people? The ACL/coreutils people don't really see this as a problem.
They say, tell your paralegal to RTFM and set the permissions how he
wants them. (It will take you about a week to read the man pages for ACLs.)
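The masking behaviour the post describes, modelled in Python as an added example that is not part of this thread or of any of the tools it mentions: it parses getfacl output (the quoted listing, embedded here as a constructed sample), computes the rights each entry really grants under the mask, flags the entries the mask silently cuts down (the check a cleanup job would run), shows how the group bits of a cp/chmod mode land on the mask entry, and recomputes the mask setfacl would set. It models POSIX.1e ACL semantics in memory and does not touch the filesystem.

```python
from typing import List, NamedTuple, Tuple
PERMS = (("r", 4), ("w", 2), ("x", 1))

class AclEntry(NamedTuple):
    kind: str       # "user", "group", "mask" or "other"
    qualifier: str  # "" for the owning user/group, otherwise a name
    perms: int      # r=4, w=2, x=1

def parse_perms(text: str) -> int:
    return sum(v for c, v in PERMS if c in text)
def fmt_perms(bits: int) -> str:
    return "".join(c if bits & v else "-" for c, v in PERMS)

def parse_getfacl(output: str) -> List[AclEntry]:
    """Parse getfacl(1) text; '# file:' headers and '# effective:' notes are dropped."""
    entries = []
    for line in output.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            kind, qualifier, perms = line.split(":")
            entries.append(AclEntry(kind, qualifier, parse_perms(perms)))
    return entries

def governed_by_mask(e: AclEntry) -> bool:
    """Named users and every group entry are cut down by the mask; owner/other are not."""
    return (e.kind == "user" and e.qualifier != "") or e.kind == "group"
def effective(entries: List[AclEntry]) -> List[Tuple[AclEntry, int]]:
    """Rights each entry really grants: what getfacl prints as '# effective:'."""
    mask = next((e.perms for e in entries if e.kind == "mask"), 7)  # no mask: nothing cut
    return [(e, e.perms & mask if governed_by_mask(e) else e.perms) for e in entries]
def masked_entries(entries: List[AclEntry]) -> List[Tuple[AclEntry, int]]:
    """Entries silently losing rights to the mask: the check a cleanup job would run."""
    return [(e, eff) for e, eff in effective(entries) if eff != e.perms]

def set_group_mode_bits(entries: List[AclEntry], group_bits: int) -> List[AclEntry]:
    """A mode's 'group' bits land on the mask when one exists (what cp did in the post)."""
    return [e._replace(perms=group_bits) if e.kind == "mask" else e for e in entries]
def recalculated_mask(entries: List[AclEntry]) -> int:
    """The mask setfacl recomputes unless told not to: union of all governed entries."""
    return parse_perms("".join(fmt_perms(e.perms) for e in entries if governed_by_mask(e)))

# Constructed sample: the getfacl output quoted in the post.
SAMPLE = """\
# file: profile
user::rw-
user:apache:rwx    # effective:r--
group::r-x         # effective:r--
mask::r--
other::r--
"""
```

Running `masked_entries(parse_getfacl(SAMPLE))` reports the apache entry and the owning group as cut down to r--, and `set_group_mode_bits(entries, recalculated_mask(entries))` is the in-memory equivalent of widening the mask back to rwx.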