[GMG-Devel] Fwd: Re: Media directory permissions

[Jim Campbell]

Looks like I just sent this to ayleph, and not to the list.  Please see
below.  Thanks,

Jim

----- Original message -----
From: Jim Campbell <address@hidden>
To: ayleph <address@hidden>
Subject: Re: [GMG-Devel] Media directory permissions
Date: Sun, 10 May 2015 11:05:54 -0500

Hi All,

On Sat, May 9, 2015, at 10:54 PM, ayleph wrote:
> Make sure the user which runs the webserver (www-data, http, nobody, or
> whatever you have configured) has read access to the full path where the
> media is stored.
> 

As a follow-up, I sorted-out the issue with my installation. I had set
the mediagoblin home directory to /var/lib/mediagoblin, and that's where
the media went when it was uploaded. I needed to adjust my nginx
configuration to point to that location.

As for the permissions issue, my approach was to create a "developer"
group and assign both the mediagoblin user and the www-data user to that
group, and then work through giving file read permissions and directory
execute permissions to that group. At least that's what I think I did. I
had to work through this several times, and even worked with ACLs, so
I'm just trying to work out a consistent, agreed-upon way of doing this.

The Gitlab documentation [1] does a good job of taking the user/admin
through specific steps to set the proper file and directory permissions,
so I want to open up conversation around that so that we can have
something like that, too.  I want to get this documented, but I'm not
confident that my approach is one that is proper and secure. What was
your approach to getting proper permissions on the mediagoblin code and
your uploaded content? Is my approach a decent one and one that you'd
recommend?

Jim

[1] http://doc.gitlab.com/ce/install/installation.html  (see the Redis
(item #6) info as an example of what I'm talking about)