Hello all,

I'm in the middle of the migration of an old web-server to a new CentOS. Let me explain how things work now: I have a group of devs that use the same user to work on the sites. This has a problem, because we never know who altered which file.

Most of the files on the old web-server are owned like devuser:apache, and in the new one I set up LDAP-Auth to get the real users, but the problem that I see here is this:

All users of the devgroup should change/delete/create files.

So if I have a file owned userA:devgroup and so on, since every dev belongs to the devgroup this will work fine, but then I have to put the user apache in the mix, right?

Some sites have to write files, so in that case I have a problem because I will have a file owned userA:devgroup, and for apache to write it I have to make it world-writable.

My English is a little lame, I dunno if I explained myself correctly here, but how do you manage these types of permissions?

Thanks
Regards,
--
Ricardo

On Tue, 10 Jan 2006 at 5:28pm, RNuno wrote

> All users of the devgroup should change/delete/create files.
>
> So if I have a file owned userA:devgroup and so on, since every dev
> belongs to the devgroup this will work fine, but then I have to put
> the user apache in the mix, right?
>
> Some sites have to write files, so in that case I have a problem
> because I will have a file owned userA:devgroup, and for apache to
> write it I have to make it world-writable.
>
> My English is a little lame, I dunno if I explained myself correctly
> here, but how do you manage these types of permissions?

Read up on ACLs and default ACLs -- 'man setfacl' is a good starting point. ext3 supports ACLs if you mount with the 'acl' option.

If you go this route, you want to make sure your backups get the ACLs. Only the most recent version of dump backs up ACLs, and tar does not.

--
Joshua Baker-LePain
Department of Biomedical Engineering
Duke University

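The ACL route suggested in the reply above, applied to the thread's devgroup/apache case, as an added example that is not part of the original messages. The function names and the paths in the usage comment are assumptions; `devgroup` and `apache` are the names used in the thread.

```bash
#!/bin/bash
# Added example. "devgroup" and "apache" come from the thread; the function
# names and any path passed in are assumptions made for illustration.

# Count entries under DIR that are world-writable (symlinks ignored).
# One dot is printed per match so odd filenames cannot skew the count.
count_world_writable() {
    find "$1" ! -type l -perm -0002 -exec printf '.' \; | wc -c
}

# grant_shared_write DIR GROUP WEBUSER
# Give GROUP and WEBUSER write access through ACL entries instead of the
# "other" permission bits, and make new files inherit the same entries.
grant_shared_write() {
    dir=$1; group=$2; webuser=$3
    # Access ACL on what exists now; X adds execute on directories only
    # (and on files that are already executable).
    setfacl -R -m "g:${group}:rwX,u:${webuser}:rwX" "$dir" || return 1
    # Default ACLs exist only on directories and are copied to new entries.
    find "$dir" -type d -exec \
        setfacl -m "d:g:${group}:rwX,d:u:${webuser}:rwX" {} + || return 1
    # With the ACL in place nothing needs to stay world-writable.
    chmod -R o-w "$dir"
}

# backup_acls DIR FILE / restore_acls DIR FILE (FILE must be an absolute path)
# Keep a text copy of the ACLs next to a backup that does not store them.
backup_acls()  { ( cd "$1" && getfacl -R . ) > "$2"; }
restore_acls() { ( cd "$1" && setfacl --restore="$2" ); }

# Typical use as root (paths are placeholders):
#   grant_shared_write /path/to/site devgroup apache
#   backup_acls /path/to/site /root/site.acl
```

Each developer keeps ownership of the files they create, so `ls -l` still shows who made a file, while `count_world_writable` gives a quick check that nothing in the tree was opened up to everyone.
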
On Tue, 10 Jan 2006, RNuno wrote:

> Hello all,
>
> I'm in the middle of the migration of an old web-server to a new
> CentOS. Let me explain how things work now: I have a group of devs
> that use the same user to work on the sites. This has a problem,
> because we never know who altered which file.
>
> Most of the files on the old web-server are owned like
> devuser:apache, and in the new one I set up LDAP-Auth to get the real
> users, but the problem that I see here is this:
>
> All users of the devgroup should change/delete/create files.
>
> So if I have a file owned userA:devgroup and so on, since every dev
> belongs to the devgroup this will work fine, but then I have to put
> the user apache in the mix, right?
>
> Some sites have to write files, so in that case I have a problem
> because I will have a file owned userA:devgroup, and for apache to
> write it I have to make it world-writable.

My suggestions, for what they're worth:

1. Files that Apache needs only to read

     chown root:devgroup ...
     chmod 664 ...

2. Files that Apache *and* the devgroup need to write

     chown apache:devgroup ...
     chmod 660 ...

3. Files that Apache *but not* the devgroup needs to write

     chown root:apache ...
     chmod 660 ...

--
Paul Heinlein <> heinlein at madboa.com <> www.madboa.com