Default file permissions in shared dir using ACL and umask
Developers have access to a common directory "dev" which contains a sub directory which serves as the web root. All developers have individual SSH access.
When developers create files in the "dev" directory tree, or pull files into "dev" from a repository we want the file permissions to be rwxrwxr-x. Instead newly created files have permissions of rw-r--r--. By modifying ACLs and setting group and user id on "dev" with sticky bits etc. I have managed to get newly created files with permissions of rw-rw-r--.
I assume the problem is down to the umask configuration which is currently set using the global value of 022 in /etc/profile. I don't want to change the umask globally or for each developer to allow more relaxed default permissions.
I can't see a way of achieving what we want with ACLs and umask unless I am missing something. Surely this is a fairly common requirement for web developers working on shared projects.
Is there a preferred or recommended approach?
6 Replies
To effect this on newly-created files, I run a script somewhat like the following, via cron.hourly:
#!/bin/bash
# Assumed values; the post does not show where these are set:
groupsitedirs="site1 site2"   # space-separated list of site directories under /srv/www
GROUPNAME=dev                 # group that every file under those directories should belong to
EXITSTATE=0

for sitedir in ${groupsitedirs}    # deliberately unquoted so the list splits into one entry per site
do
  if [ -d "/srv/www/${sitedir}" ]; then
    # Skip bin/ (its executables must keep their x bit), then in order:
    #   files not 664 -> chmod 664, dirs not 775 -> chmod 775, wrong group -> chgrp
    find "/srv/www/${sitedir}" \
      \( -path "/srv/www/${sitedir}/bin" -prune \) -o \
      \( -type f \! -perm 664 -exec chmod 664 "{}" \; \) , \
      \( -type d \! -perm 775 -exec chmod 775 "{}" \; \) , \
      \( \! -group "$GROUPNAME" -exec chgrp "$GROUPNAME" "{}" \; \)
  else
    echo "Directory ${sitedir} doesn't exist!"
    EXITSTATE=1
  fi
done
exit "$EXITSTATE"
Hourly seems good enough, but this could be fired more often if required. If you feel led to adjust the find conditions, be very mindful of the punctuation and order of operations. I usually break it every time I try to adjust something.
(… ok, hoopycat; put the dictionary down, stfu, and gbtw…)
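The two halves of this thread, why a 022 umask turns a requested 0666 into rw-r--r-- and what the hourly find actually hunts for, as one added example that is not from the post above: the audit mirrors the find's rules (files 664, directories 775, symlinks ignored, the top-level bin/ not descended into) and demo() builds a constructed temporary tree under a 022 umask to show what drifts.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path

FILE_MODE = 0o664   # rw-rw-r--, what the thread wants for files
DIR_MODE = 0o775    # rwxrwxr-x, what it wants for directories


def mode_after_umask(requested: int, umask: int) -> int:
    """Bits a new file really gets: the requested mode with the umask bits cleared."""
    return requested & ~umask & 0o777


def audit_tree(root: str, prune_dirs=("bin",)) -> list:
    """Return sorted (path, mode) for every entry whose mode drifted from FILE_MODE/DIR_MODE.
    Like the cron'd find: symlinks are skipped, <root>/bin is not descended into
    (its own mode is still checked, which is what -prune leaves find doing)."""
    drift = []

    def check(path: str, expected: int) -> None:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            return
        if stat.S_IMODE(st.st_mode) != expected:
            drift.append((path, stat.S_IMODE(st.st_mode)))

    check(root, DIR_MODE)
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            check(os.path.join(dirpath, d), DIR_MODE)
        if dirpath == root:                       # prune only <root>/bin, as -path .../bin -prune does
            dirnames[:] = [d for d in dirnames if d not in prune_dirs]
        for f in filenames:
            check(os.path.join(dirpath, f), FILE_MODE)
    return sorted(drift)


def demo() -> list:
    """Constructed tree created under the default 022 umask; returns drift as (relative path, mode)."""
    old_umask = os.umask(0o022)
    root = tempfile.mkdtemp(prefix="dev-")
    try:
        os.chmod(root, DIR_MODE)                  # the shared dir itself is assumed already correct
        Path(root, "index.php").touch()           # requested 0666, umask 022 leaves 0644
        os.mkdir(os.path.join(root, "bin"))       # 0755: reported, but its contents are skipped
        Path(root, "bin", "python").touch()
        os.mkdir(os.path.join(root, "assets"))    # 0755 instead of the wanted 0775
        Path(root, "assets", "site.css").touch()
        os.chmod(os.path.join(root, "assets", "site.css"), FILE_MODE)  # already correct, not reported
        return [(os.path.relpath(p, root), m) for p, m in audit_tree(root)]
    finally:
        os.umask(old_umask)
        shutil.rmtree(root, ignore_errors=True)
```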
I had read elsewhere about setting up a cron job to modify file permissions but was hoping to avoid this. We will be pulling files into a live web root, so incorrect file permissions would break the site until the next time the cron job executed the script.
Having given this some more thought I'm not sure whether files actually need rwxrwxr-x permissions. It may be that rw-r--r-- are enough.
I will do some testing and report back.
> (… ok, hoopycat; put the dictionary down, stfu, and gbtw…)
I thought it was very well written.
@dunc:
Having given this some more thought I'm not sure whether files actually need rwxrwxr-x permissions. It may be that rw-r--r-- are enough.
It depends on the language, but 0644 or 0664 (-rw-r?-r--) should work fine for most files. The trick is that the actual program being executed by the system needs to be executable, but for Apache+mod_php, that's just /usr/sbin/apache2. Everything else gets read and interpreted, not "executed."
You might notice my find command prunes out a bin/ directory… I end up running a lot of Python-based apps within virtualenv containers, and each virtualenv container has its own copy of the python executable. That needs to be executable, as I found out very quickly.
jzimmerlin: Never assign a paper to me without a firm time and word/page limit. Never. I'm a very weird student.
> jzimmerlin: Never assign a paper to me without a firm time and word/page limit. Never. I'm a very weird student.
I rarely give out homework assignments these days, but now I will be extra careful not to when it comes to you