[ALUG] How to allow easy editing of www-data owned files - or other workarounds?

Chris Green cl at isbd.net
Thu Dec 7 11:40:59 GMT 2017


On Thu, Dec 07, 2017 at 10:47:28AM +0000, steve-ALUG at hst.me.uk wrote:
> On 05/12/17 09:52, Chris Green wrote:
> > I've been trying to find a good solution to this problem for *years*
> > but I'm still hitting problems with it.  The current problem is that
> > syncthing doesn't deal well with directories and files which have
> > different owners on different systems.
> > 
> > The essential problem is that web files which are manipulated by
> > apache need to be owned by www-data but I want to be able to edit
> > these files as well.  In particular I have a wiki where I sometimes
> > edit the files using the wiki (ownership ends up as www-data) and
> > sometimes I edit them directly with an editor (ownership ends up as
> > chris).
> > 
> > Currently I use access control lists (setfacl) to make things so that
> > both chris and www-data can both manipulate files in the wiki
> > directory regardless of whether they are owned by chris or www-data
> > but this isn't a perfect solution as the correct settings don't always
> > get put on new files.
> > 
> > What I really need is:-
> > 
> >      All the wiki files are owned by 'chris' (the wiki is rooted in my
> >      home directory and is synchronised across a couple of machines by
> >      syncthing).
> > 
> >      www-data can read/write/create files in the ~/chris/wiki directory
> >      but they will always be owned by 'chris'.
> > 
> > Can anyone see a way of implementing this?  ... or any other
> > reasonable solution?
> > 
> https://unix.stackexchange.com/questions/115631/getting-new-files-to-inherit-group-permissions-on-linux 
> 
Group permissions don't (quite) do it.  The 'S' bit on group does this
and it was my original attempt at handling the issue.

> 
> Or  change apache's user to chris, or use a file-system-modification watcher
> to look for new files and change their owner, or write a cron job or similar
> to regularly change the file ownership or....
> 
Changing the apache user to 'chris' would be a big risk IMHO, I don't
want all and sundry on the web to have access to my files.  Yes I know
it's not this bad as I don't allow outside access to my web server and
apache also limits access via its configuration but it's a risk I'd
rather avoid.

I looked at the file system watcher approach, possible but would take
quite a lot of work.

A cron job is certainly a possibility, it's simple and probably
effective, the *only* issue is that it might lag behind reality a
little depending on how often you run the cron job.


> you can do this with samba, you may be able to do this with some other
> "mount" options for other filesystems:
> move the wiki directory somewhere else.  Use samba (or other) to mount it in
> the desired subdirectory, BUT use mount options to force user and group to
> be a specific user.  That way, all newly created files will actually be
> owned by the correct user.
> 
I hadn't thought about this possibility, I'll look into what
mount/samba might be able to do, though I don't like using samba/cifs
if I can avoid it, I always find its ways rather arcane.

-- 
Chris Green



More information about the main mailing list