[Core/Install] Improve UNIX permission usage #5323
Conversation
|
If this is merged, the installation readmes (CentOS, "Install in depth", macOS) should be updated. Since at this time there are many open PRs dealing with these same files, it will be easier to make these changes once those PRs go through. |
maltheism
left a comment
There was a problem hiding this comment.
Awesome this PR solves a "changing permission error" I face with the current install.sh script.
driusan
left a comment
There was a problem hiding this comment.
not actually a change request, just so this doesn't show up in "approved" until the discussion is resolved..
tools/install.sh
Outdated
| mkdir -p ../modules/document_repository/user_uploads | ||
| mkdir -p ../modules/data_release/user_uploads | ||
| mkdir -p -m 770 ../modules/document_repository/user_uploads | ||
| mkdir -p -m 770 ../modules/data_release/user_uploads |
There was a problem hiding this comment.
This doesn't seem to do what the PR description says (not this line, the lines below it where things are still being chown'd to apache.apache)
There was a problem hiding this comment.
You're right. I'll remove them
There was a problem hiding this comment.
Even if group would have RWX on the directories, files created by Apache would have ownership of www-data:www-data and Lorisadmin would not be able to modify/erase them and possibly read them.
Ideally, these .../user_uploads directories should be moved outside of /var/www/$projectname.
|
I strongly suggest symbolic rather than numeric permissions to make things easier to read/interpret at a glance. https://en.wikipedia.org/wiki/Chmod#Symbolic_modes |
|
I disagree.. when talking about absolute permissions, numeric ones are far more common and, as a result, easier to read |
|
The
I think it's alright. I can't really see a scenario where you'd need to do this and wouldn't have sudo. Maybe on some production servers? But in this case it makes sense to have an extra measure against deleting user's files. It's more of an administration question since files uploaded to LORIS shouldn't be under |
|
@johnsaigle The 6 is for the owner of the files (user=>lorisadmin), not for the group. Apache would have group permission (4) and not be able to modify the file. As for the 2nd point, entirely approve. and yes, data should not be with the code. I am just asking if the behavior would cause problem to some process (like shell script). |
|
I believe www-data will be the owner, as you said here:
|
Requested changes were incorporated
requested changes applied
|
@johnsaigle Before I comment on the code, i have a few questions
|
|
@johnsaigle to make this easier |
There was a problem hiding this comment.
This pull request should be rejected. Though some work makes improvement such as "775 to 755" modification, the whole idea is NOT at all acceptable security practice in my eyes. I see really no reason why this modification should go ahead. Moreover, www-data should never be part of lorisadmin, which contains a real user and sudo user, way too dangerous.
@lingma Do not confuse the user |
As @PapillonMcGill mentioned above, the group called |
|
Blocked by #5815 |
|
Well @lingma I think we'll have to agree to disagree here. I am confident that this change simplifies the development experience and doesn't pose a security issue. I've responded to your security concern to the best of my ability and thinking it through carefully I do not think there is a serious risk here. I am happy to leave it to another reviewer to weigh in here and hopefully we'll reach a group consensus with some more input. |
|
Loris as a software product has nothing to do with group permission, this is unnecessary and creating possible problems. Just change all read only files to 644, folders to 755. This will not create any problem in development. I think it will be perfect to put all those web server writable folders some where and tell users what to do with them with a guide. Of course your solution works. I tested without issue, but the idea itself is much out of my taste. |
|
Adding Needs Documentation as a note that I should update the CHANGELOG |
|
wouldn't "Add To Release Notes" be a better reminder? |
|
I ain't touching this one, i think it's getting enough TLC |
PapillonMcGill
left a comment
There was a problem hiding this comment.
changes applied earlier have been reverted.
|
The amount of labels on this PR is impressive. |
Co-Authored-By: PapillonMcGill <34311645+PapillonMcGill@users.noreply.github.com>
Brief summary of changes
This PR improves the way UNIX permissions are used in LORIS.
Summary
Old permissions
lorisadminowns all fileslorisadminhas sudowww-data/apache2selectively owns and is the group for web-writable filesdrwxrwxrwx 2 www-data www-data 4096 Oct 9 16:30 user_uploadslorisadmin775, for directories,664for fileslorisadmincan doNew permissions
lorisadminowns all fileslorisadminhas sudolorisadminis the group for all filesdrwxrwxrwx 2 lorisadmin lorisadmin 4096 Oct 9 16:30 user_uploadswww-data/apache2is part of thelorisadmingroup755for directories,644for files.www-data/apache2access.Why?
More details in #5297. In short:
chgrpto apache2 or www-data userlintiantool causes LORIS to fail because of odd permission codes like775and664. See Change to UNIX file permissions on LORIS install #5057lorisadmin.lorisadmin. Permissions can be tracked using GitHub rather than changed manually.Testing instructions
Links to related tickets (GitHub, Redmine, ...)