Hello, I've got apache running on a centos 5.6 machine. All of my users have a umask of 077 set in /etc/bashrc. I'm now wanting to give several of them permission to write to a web area so they can place content visible to the web server. I've got two groups webdev1 and webdev2 which I want one to be able to write to site1 and the other to site2. I've got between 3 and 5 users in each group. I'd prefer not to mess with these users' umask settings, but want the correct permissions and ownerships user:webdev1 or user:webdev2 where user is the username of the person who placed the file. Permissions I believe should be 664 so apache can read the files.
I'm wondering if I need to look into ACLs which I've not used or if there's another solution?
Thanks. Dave.
On Monday 16 May 2011 06:19:49 David Mehler wrote:
> Hello, I've got apache running on a centos 5.6 machine. All of my users have a umask of 077 set in /etc/bashrc. I'm now wanting to give several of them permission to write to a web area so they can place content visible to the web server. I've got two groups webdev1 and webdev2 which I want one to be able to write to site1 and the other to site2. I've got between 3 and 5 users in each group. I'd prefer not to mess with these users' umask settings, but want the correct permissions and ownerships user:webdev1 or user:webdev2 where user is the username of the person who placed the file. Permissions I believe should be 664 so apache can read the files.
> I'm wondering if I need to look into ACLs which I've not used or if there's another solution?
> Thanks. Dave.
It seems obvious... add the apache user to both webdev1 and webdev2 groups and you are done... no need to change umasks and perms :)
Marian
Marian Marinov wrote:
> It seems obvious... add the apache user to both webdev1 and webdev2 groups and you are done... no need to change umasks and perms :)
This would give apache write access to the site contents, which is bad practice.
It also won't solve the umask issue. Since the OP wants all members of webdev1 to have write access to site1, he needs the setgid bit active on site1/ . And he needs all files in site1/ to be 664 as he says. But with a umask 077 for all users, any new file created by a user will be 600. I don't know how to solve that cleanly at file creation (but I don't know ACLs). You could ask your users to try to remember to chmod any new files; and have a find command running in cron regularly to do the chmod when they forget.
On Mon, 16 May 2011, Nicolas Thierry-Mieg wrote:
> This would give apache write access to the site contents, which is bad practice.
> It also won't solve the umask issue. Since the OP wants all members of webdev1 to have write access to site1, he needs the setgid bit active on site1/ . And he needs all files in site1/ to be 664 as he says. But with a umask 077 for all users, any new file created by a user will be 600. I don't know how to solve that cleanly at file creation (but I don't know ACLs). You could ask your users to try to remember to chmod any new files; and have a find command running in cron regularly to do the chmod when they forget.
ACLs sound like a perfectly reasonable solution to me. Default ACLs set on a directory apply to files/directories created within it, so there shouldn't be a file creation issue.
A periodic scan from a cron find isn't a bad idea either, as it provides you a mechanism to reimpose correctness even if people do something wrong. I don't think you're likely to find that happens too much with ACLs, and most people don't understand how to use them so won't change them ;)
jh
There is an option to set on the directory so any new file when created will have umask of the group or directory owner (something like that). I am yet to test and use this but I found a howto somewhere on the net.
Ljubomir
Hi, Thanks to everyone with suggestions thus far. I'm still having difficulties getting this to work. Using find and xargs I can get the permissions on the files and directories what I'm wanting, but adding new ones, the umask takes over; the group ownership is right, but with the 077 it doesn't matter. Thanks. Dave.
On 5/16/11, Ljubomir Ljubojevic office@plnet.rs wrote:
> There is an option to set on the directory so any new file when created will have umask of the group or directory owner (something like that). I am yet to test and use this but I found a howto somewhere on the net.
> Ljubomir
On Tuesday 17 May 2011 13:34:10 David Mehler wrote:
> difficulties getting this to work. Using find and xargs I can get the permissions on the files and directories what I'm wanting, but adding new ones, the umask takes over; the group ownership is right, but with the 077 it doesn't matter.
Using setgid on directories will cause group to be preserved on its children (e.g. chmod g+ws dir) but umask controls the permissions. If you don't want to set it to 007 globally or for all users you could create a script they have to source before starting work, or get individual users to add it to their .bashrc.
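The cron sweep and the default-ACL approach discussed in this thread, as an added example that is not part of any poster's message: `repair_site_perms` re-imposes setgid directories and 664 files after the fact, and `set_default_acl` is the creation-time alternative. The function names and the temporary directory used by `demo` are constructed for illustration; on the setup described above the arguments would be the site1 directory and webdev1.

```bash
#!/bin/bash
# Added example, not from the thread. Function names and paths are assumptions.

# Type and permission bits as ls prints them, e.g. -rw-rw-r--
perm_of() { ls -ld "$1" | cut -c1-10; }

# Cron-style sweep: re-impose the intended group and modes on anything a
# umask of 077 left at 700/600. Only adds bits; find does not follow symlinks.
repair_site_perms() {
    local dir=$1 group=$2
    # Entries moved in with mv or cp -p keep their old group; pull them back
    # first, because setting setgid needs the caller to be in the entry's group.
    find "$dir" \( -type f -o -type d \) ! -group "$group" -exec chgrp "$group" {} +
    # Directories: rwx for owner and group, setgid so children inherit the
    # group, r-x for others so the web server reads without group membership.
    find "$dir" -type d ! -perm -2775 -exec chmod u+rwx,g+rwxs,o+rx {} +
    # Files: group read/write plus world read; execute bits are never added.
    find "$dir" -type f ! -perm -0664 -exec chmod ug+rw,o+r {} +
}

# Creation-time alternative: when a directory carries a default ACL, the
# umask is not applied to new entries, so group write survives umask 077.
# Needs the acl tools and an ACL-enabled filesystem; not exercised by demo.
set_default_acl() {
    local dir=$1 group=$2
    setfacl -R -m "g:$group:rwX" "$dir" &&
    setfacl -R -d -m "g:$group:rwX" "$dir"
}

# Constructed demo: create content under umask 077 in a scratch tree, run
# the sweep with the caller's own gid standing in for webdev1, and report
# "file-before file-after dir-after".
demo() {
    local site before
    site=$(mktemp -d)
    ( umask 077; mkdir "$site/img"; echo hi > "$site/img/index.html" )
    before=$(perm_of "$site/img/index.html")
    repair_site_perms "$site" "$(id -g)"
    echo "$before $(perm_of "$site/img/index.html") $(perm_of "$site/img")"
    rm -rf "$site"
}

demo
```

The web server user stays out of both groups and reads through the "other" bits, so it never gains write access to the content.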