[BBLISA] Dual access to files by webserver and user.

Ian Stokes-Rees ijstokes at crystal.harvard.edu
Fri Nov 11 11:20:11 EST 2011 

Hi experts,

I'm in a situation where I need on-disk user data to be accessible by a 
webserver process but also by the owners when they ssh into the system.  
My initial ambitious plan for this was to have a "mirror" group for 
every user that contained the user and also the web server daemon user.  
With careful management of who created data and where it was created 
this looked like it was going to work -- the webserver would assert 
access control policies so the data could only be accessed by the owning 
user when coming in through the web interface, and the user when ssh'ed 
in to the system could see all their data but not that of other users.  
NFSv3 and its 12 (or 16?) group membership limit meant this didn't get 
me very far in the end.

I'm now wondering if an alternative might be to have all this 
"dual-access" data owned by "joeblogs" (user) and "webserver" (group) 
(or vice versa), with a default umask of "u=rwx,g=rwx,o=" (0007).  No 
users would be in the "webserver" group, and the webserver user wouldn't 
be in the joeblogs group.  The complexity here: how to 
(easily/practically) get the user and webserver to create files with 
appropriate ownership.

Does anyone have any thoughts or experience with this kind of problem?

I've considered sudo policies for a "give_user_access peterpan 
/path/to/file" script that would:

1. check /path/to/file has "webserver" as the user or group, then do
2. chown -R webserver:peterpan /path/to/file; chmod -R u+rwX,g+rwX 
/path/to/file

and similarly a script "give_webserver_access /path/to/file" that would:

1. check /path/to/file has the current user as the owner or group, then do
2. chown -R `whoami`:webserver /path/to/file; chmod -R u+rwX,g+rwX 
/path/to/file

But neither running these manually nor automatically (cron, on 
login/logout) seems very attractive.

TIA, Ian

-- 
Ian Stokes-Rees, PhD                    W: http://portal.nebiogrid.org
ijstokes at hkl.hms.harvard.edu            T: +1.617.432.5608 x75
NEBioGrid, Harvard Medical School       C: +1.617.331.5993

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.bblisa.org/pipermail/bblisa/attachments/20111111/a00fb80b/attachment.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ijstokes.vcf
Type: text/x-vcard
Size: 403 bytes
Desc: not available
Url : http://www.bblisa.org/pipermail/bblisa/attachments/20111111/a00fb80b/attachment.vcf

More information about the bblisa mailing list