risnidh, posted February 25, 2005:

Hi, I'm not sure which forum to post this in. On the servers, which user is apache run under? I assume it is root. I am trying to install the Moin Moin wiki on a subdomain. I need to grant access to root so that the webserver (via cgi scripts) can read and write files to a certain directory. I don't want to grant access to everyone for security reasons, so I'm trying to use the setfacl command to only grant write access to root. Here is the command I am running from the crontab:

setfacl -m user:root:rw- <directory path>

The output from the command is:

setfacl: <directory path>: Operation not supported

(I have replaced the actual directory path in the command with <directory path>.) Is setfacl permission disabled for users, or is there another option I need to pass for this command to execute?

Thanks for your help,
Rich
TCH-Andy, posted February 25, 2005:

Hi, The script will run as 'nobody' rather than 'root'. If you used the script to install the files, then the owner of the files is typically nobody as well. You can see the owner using most FTP packages. You can also change the permissions using FTP - or the file manager in cpanel.
risnidh (Author), posted February 25, 2005:

> Hi, The script will run as 'nobody' rather than 'root'. If you used the script to install the files, then the owner of the files is typically nobody as well. You can see the owner using most FTP packages. You can also change the permissions using FTP - or the file manager in cpanel.

Thanks, but can I set up the access control list of that directory? I only want the specific user nobody (or whichever user apache belongs to) to have read and write access; I don't want to enable it for everyone. The getfacl command works, but setfacl gives me the feedback: operation not supported. I am wondering if I have the command syntax wrong, or users just can't use setfacl. Thanks.
risnidh (Author), posted February 25, 2005:

From the Moin Moin Installation help ( http://moinmoin.wikiwikiweb.de/HelpOnInsta...nstanceCreation ):

> Normal users, on the contrary, need to broaden the permissions of the files, so that the web server can read and write them. On recent Windows versions, and on some versions of Unix, Linux and other systems, access control lists can be used to that effect. They are, however, powerful and complicated, much beyond the scope of this document. Ask a knowledgeable person about them.
>
> Without them, normal users have to allow everybody to access the instance directory. This is the only way the web server can enter it and do its work. This is, of course, VERY INSECURE, since any other user and program on the server can read the directory. You should not use such a setup for a wiki open to the public. On Linux, the following commands will open the instance directory to the whole world:
>
> chmod -R a+rwX $INSTANCE
>
> Note:
>
> * it is also possible to put the web server and the normal user in the same group, and then only open the instance directory to the members of that group. This is a bit more secure (depending on who else is in the group), but you need the cooperation of the server administrator; he is the one setting up groups.
>
> * the best other possibility is that the server administrator sets up suexec to execute CGI scripts in user directories under the user id of that user. You don't need to give world permissions that way, so it is a quite secure setup, but you also need cooperation of the administrator.

I am most interested in the first option, the access control lists. setfacl can accomplish this, and is present on the servers, but it gives the feedback "operation not supported".
TCH-Andy, posted February 25, 2005:

Hi, Please see the thread on How do I set permissions. You can set the permissions for the Owner, the Group or the World. If I understand you correctly - you want to set the permissions to read/write for the file Owner (nobody) but no write permission for the Group or World. Here are the possible combinations available using these command types:

Digit  rwx  Result
0      ---  no access
1      --x  execute
2      -w-  write
3      -wx  write and execute
4      r--  read
5      r-x  read and execute
6      rw-  read and write
7      rwx  read, write and execute

These are typically in the order Owner, Group, World. Hence - if you want the Owner to have full access, but the group and world to have only read and execute access, you would set it to 755. The command they are saying is insecure is "chmod -R a+rwX $INSTANCE", or setting the directory for all to have read, write and execute access - effectively 777.
MikeJ, posted February 25, 2005:

> Thanks, but can I set up the access control list of that directory?

We do not currently support ACLs (nor are they fully implemented, hence your "Operation not supported" error). ACLs are relatively new in Linux, and only fully implemented primarily in the latest, not quite production ready, kernels.
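The thread turns on two practical checks: whether a filesystem will accept an extended ACL at all (the "Operation not supported" error in the opening post), and how the rwx table above maps onto the 755 versus 777 modes that the Moin Moin documentation warns about. The following POSIX shell script is an added example, not code from the forum thread or from Moin Moin; it assumes the GNU `setfacl` command-line tool is the one installed (the `acl_supported` probe returns 2 when it is missing) and only ever touches a directory you pass to it.

```shell
#!/bin/sh
# Added example (not from the forum thread): convert symbolic rwx strings to
# the octal digits from the table above, flag directories that have been
# opened to the world (chmod -R a+rwX, effectively 777), and probe whether
# the filesystem accepts an extended ACL instead of failing with
# "Operation not supported".

# rwx_to_digit TRIPLET: "rwx" -> 7, "r-x" -> 5, "---" -> 0.
# 's' and 't' in the execute slot (setuid/setgid/sticky) still count as x.
rwx_to_digit() {
  t=$1
  d=0
  case $t in r??) d=$((d + 4)) ;; esac
  case $t in ?w?) d=$((d + 2)) ;; esac
  case $t in ??x | ??s | ??t) d=$((d + 1)) ;; esac
  echo "$d"
}

# mode_to_octal MODE: "rwxr-xr-x" -> 755. Also accepts the 10-character
# form from ls -ld ("drwxr-xr-x") by dropping the leading file-type char.
mode_to_octal() {
  m=$1
  case $m in ??????????) m=$(printf '%s' "$m" | cut -c2-10) ;; esac
  o=$(rwx_to_digit "$(printf '%s' "$m" | cut -c1-3)")
  g=$(rwx_to_digit "$(printf '%s' "$m" | cut -c4-6)")
  w=$(rwx_to_digit "$(printf '%s' "$m" | cut -c7-9)")
  echo "$o$g$w"
}

# world_writable PATH: returns 0 when "others" have write permission, i.e.
# the insecure state the Moin Moin docs describe; 1 otherwise.
world_writable() {
  mode=$(ls -ld "$1" | cut -c1-10)   # e.g. drwxrwxrwx (ACL '+' is beyond col 10)
  case $mode in ????????w?) return 0 ;; esac
  return 1
}

# acl_supported DIR: 0 if an extended ACL entry can be set on DIR, 1 if the
# filesystem refuses (the "Operation not supported" case), 2 if setfacl is
# not installed. The test entry is granted to the current user and removed
# again with setfacl -b, so DIR is left with its plain mode bits.
acl_supported() {
  dir=$1
  command -v setfacl >/dev/null 2>&1 || return 2
  me=$(id -un)
  if setfacl -m "u:$me:rwx" "$dir" 2>/dev/null; then
    setfacl -b "$dir" 2>/dev/null || true
    return 0
  fi
  return 1
}

# Demo on constructed mode strings; no directory is modified here.
for sample in rwxr-xr-x rwxrwxrwx rw-r--r--; do
  printf '%s -> %s\n' "$sample" "$(mode_to_octal "$sample")"
done
```

Run `world_writable` over a wiki instance directory to confirm it is not sitting at 777, and `acl_supported` on the same directory before spending time on setfacl syntax: a return of 1 means the filesystem itself declines extended ACLs and the group or suexec options from the Moin Moin notes are the remaining choices.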
risnidh (Author), posted February 25, 2005:

Thanks, I know how to set unix permissions, I'm a long time linux user. I am trying to modify the access control list for specific users, which goes above and beyond normal linux permissions. But as I see now, they are not fully supported in your build. Thanks.
TweezerMan, posted February 25, 2005:

> * the best other possibility is that the server administrator sets up suexec to execute CGI scripts in user directories under the user id of that user. You don't need to give world permissions that way, so it is a quite secure setup, but you also need cooperation of the administrator.

I use the Simple CGI Wrapper provided in CPanel - it's located under "CGI Center". Click on the "Simple CGI Wrapper" link, and it will create an scgi-bin directory in your public_html directory. Any scripts that you put in the scgi-bin directory and run will be executed with your user ID instead of "nobody". I prefer using this option because I don't end up with the web server creating files in my own account that I don't own (and therefore may not be able to modify or delete).
risnidh (Author), posted February 25, 2005:

Thanks, I'm still investigating some options. Can I manually create an scgi-bin in another directory, say one of my subdomains also? Or does only the specific one in public_html work? Thanks, Rich
TweezerMan, posted February 25, 2005:

I don't think that manually creating an scgi-bin directory within a subdomain will work - the Simple CGI Wrapper script does some other things on the server to make it work like it's supposed to.
MikeJ, posted February 25, 2005:

Actually the Simple CGI Wrapper is not necessary. Our servers are configured so all cgi scripts run as the account user and not as the webserver user (nobody). PHP scripts run as the web user. Since Moin Moin is CGI based (it's written in Python) you should be ok with owner permissions, as the processes will be running as you. Sorry I didn't add that to my earlier post. I didn't catch that you were trying to run CGIs, and not PHP.
TweezerMan, posted February 25, 2005:

> Actually the Simple CGI Wrapper is not necessary. Our servers are configured so all cgi scripts run as the account user and not as the webserver user (nobody). PHP scripts run as the web user.

I learn something new every day! Thanks, Mike!
MikeJ, posted February 25, 2005:

> I learn something new every day! Thanks, Mike!

Yea, we should completely remove the Simple CGI Wrapper option from showing up. It's a relic of times past.