Hello all,
I'm in the middle of the migration of an old web-server to a new CentOS. Let me explain how things work now: I have a group of devs that use the same user to work on the sites, and this has a problem because we never know who altered which file.
Most of the files on the old web-server are owned like devuser:apache, and in the new one I set up LDAP-Auth to get the real users, but the problem that I see here is this:
All users of the devgroup should change/delete/create files.
So if I have a file owned userA:devgroup and so on, since every dev belongs to the devgroup this will work fine, but then I have to put the user apache in the mix, right?
Some sites have to write files, so in that case I have a problem, because I will have a file owned userA:devgroup, and for apache to write it I have to make it world-writable.
My English is a little lame, I dunno if I explain myself correctly here, but how do you manage these types of permissions?
Thanks, Regards, -- Ricardo
On Tue, 10 Jan 2006 at 5:28pm, RNuno wrote:
> All users of the devgroup should change/delete/create files.
> So if I have a file owned userA:devgroup and so on, since every dev belongs to the devgroup this will work fine, but then I have to put the user apache in the mix, right?
> Some sites have to write files, so in that case I have a problem, because I will have a file owned userA:devgroup, and for apache to write it I have to make it world-writable.
> My English is a little lame, I dunno if I explain myself correctly here, but how do you manage these types of permissions?
Read up on ACLs and default ACLs -- 'man setfacl' is a good starting point. ext3 supports ACLs if you mount with the 'acl' option.
If you go this route, you want to make sure your backups get the ACLs. Only the most recent version of dump backs up ACLs, and tar does not.
On Tue, 10 Jan 2006, RNuno wrote:
> Hello all,
> I'm in the middle of the migration of an old web-server to a new CentOS. Let me explain how things work now: I have a group of devs that use the same user to work on the sites, and this has a problem because we never know who altered which file.
> Most of the files on the old web-server are owned like devuser:apache, and in the new one I set up LDAP-Auth to get the real users, but the problem that I see here is this:
> All users of the devgroup should change/delete/create files.
> So if I have a file owned userA:devgroup and so on, since every dev belongs to the devgroup this will work fine, but then I have to put the user apache in the mix, right?
> Some sites have to write files, so in that case I have a problem, because I will have a file owned userA:devgroup, and for apache to write it I have to make it world-writable.
My suggestions, for what they're worth:
1. Files that Apache needs only to read:
   chown root:devgroup ... ; chmod 664 ...
2. Files that Apache *and* the devgroup need to write:
   chown apache:devgroup ... ; chmod 660 ...
3. Files that Apache *but not* the devgroup needs to write:
   chown root:apache ... ; chmod 660 ...
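Combining the ACL suggestion from the earlier reply with the chown/chmod scheme above, here is an added example (not from the thread) for laying out one site directory: the setgid bit keeps new files owned by the real dev plus devgroup, and a default ACL gives apache write access to an uploads/ tree only, so nothing has to be world-writable. The site path, the htdocs/ and uploads/ subdirectories, and the numeric uid/gid arguments are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Lays out one site so that:
#   - every member of devgroup can create/modify/delete files, and each
#     file still shows the real owner (userA:devgroup) thanks to setgid;
#   - apache can read htdocs/ but write only under uploads/, granted via
#     an ACL instead of world-write.
# Numeric IDs are used so the function also runs on a box where the
# devgroup/apache accounts do not exist (assumed arguments, see below).
# The filesystem must be mounted with the 'acl' option for setfacl to work.

setup_site() {
    site=$1       # site root, e.g. /var/www/example (assumed path)
    devgid=$2     # numeric gid of devgroup
    apacheuid=$3  # numeric uid of the apache user

    mkdir -p "$site/htdocs" "$site/uploads" || return 1

    # Group devgroup + setgid (2xxx): files created below inherit the group,
    # so the owner field records who created the file, no shared login needed.
    chgrp -R "$devgid" "$site" || return 1
    chmod 2775 "$site" "$site/htdocs"   # devs rwx, apache (as "other") r-x
    chmod 2770 "$site/uploads"          # no world access at all

    # Apache gets rwx on uploads/ through a named-user ACL entry. The d:
    # (default) entries are copied onto every new file and directory, so
    # devs keep write access to files apache creates and vice versa.
    # Caveat: the effective rights of named entries are clipped by the ACL
    # mask, which on a new file is set from the group bits of the mode the
    # creating program asked for (umask is ignored when a default ACL exists).
    setfacl -m "u:$apacheuid:rwx,d:u:$apacheuid:rwx,d:g:$devgid:rwx" \
        "$site/uploads" || return 1
}

# Return 0 if PATH's ACL contains ENTRY in numeric form,
# e.g. has_acl_entry /var/www/example/uploads default:user:48:rwx
has_acl_entry() {
    getfacl -n --omit-header "$1" 2>/dev/null | grep -q "^$2"
}
```

Run as root on the real box (only root can chgrp to an arbitrary group); back up with a tool that preserves ACLs, as the earlier reply warns.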