
Re: [GMG-Devel] Fwd: Re: Media directory permissions

From: Jim Campbell
Subject: Re: [GMG-Devel] Fwd: Re: Media directory permissions
Date: Tue, 19 May 2015 01:41:45 -0500

Hi ayleph and all,

On Tue, May 12, 2015, at 06:52 PM, ayleph wrote:
> On Sun, May 10, 2015 at 11:06:36AM -0500, Jim Campbell wrote:
> > Looks like I just sent this to ayleph, and not to the list.  Please see
> > below.  Thanks,
> > 
> > Jim
> > 
> > ----- Original message -----
> > From: Jim Campbell <address@hidden>
> > To: ayleph <address@hidden>
> > Subject: Re: [GMG-Devel] Media directory permissions
> > Date: Sun, 10 May 2015 11:05:54 -0500
> > 
> > Hi All,
> > 
> > On Sat, May 9, 2015, at 10:54 PM, ayleph wrote:
> > > Make sure the user which runs the webserver (www-data, http, nobody, or
> > > whatever you have configured) has read access to the full path where the
> > > media is stored.
> > > 
> > 
> > As a follow-up, I sorted out the issue with my installation. I had set
> > the mediagoblin home directory to /var/lib/mediagoblin, and that's where
> > the media went when it was uploaded. I needed to adjust my nginx
> > configuration to point to that location.
> > 
> > As for the permissions issue, my approach was to create a "developer"
> > group and assign both the mediagoblin user and the www-data user to that
> > group, and then work through giving file read permissions and directory
> > execute permissions to that group. At least that's what I think I did. I
> > had to work through this several times, and even worked with ACLs, so
> > I'm just trying to work out a consistent, agreed-upon way of doing this.
> > 
> > The Gitlab documentation [1] does a good job of taking the user/admin
> > through specific steps to set the proper file and directory permissions,
> > so I want to open up conversation around that so that we can have
> > something like that, too.  I want to get this documented, but I'm not
> > confident that my approach is one that is proper and secure. What was
> > your approach to getting proper permissions on the mediagoblin code and
> > your uploaded content? Is my approach a decent one and one that you'd
> > recommend?
> I would not recommend your approach. You've got some added complexity
> that doesn't really do anything for you. There's no need to create a
> separate group and certainly no need to use ACLs (I don't see other
> packages doing this kind of stuff either). Your mediagoblin user account
> should already be the owner of the files in your media directory, so
> there's no need to add it to another group. As for giving your webserver
> read access, there are a couple of simple ways.
> 1. Change the "group" ownership of your mediagoblin directory to the same
> group as your webserver and set appropriate group read/execute
> permissions.
> 2. Leave the "owner" and "group" set to your mediagoblin user account and
> group, and set the mediagoblin directory world readable (give
> read/execute permission to "other"). If you do this, you probably want to
> remove world read access to specific files/directories (mediagoblin.ini,
> user_dev/crypto, and probably your sqlite db if you have one).
> -- 
> ayleph

I talked about it with Chris today, and we decided to go with the first
option. I've updated the docs to create the mediagoblin system / user
account with 'mediagoblin:www-data' / 'mediagoblin:nginx' permissions.

It almost works. I think I've discovered that the user_dev directory
does not give any permissions to group/other by default. It only gives
permissions to the owner, and I think that is blocking the web server
from accessing the media:

drwx------.  4 mediagoblin nginx        4096 May 19 03:01 user_dev

I understand that user_dev/crypto is important to keep private (so that
would be appropriate to be set as 700), but the above default permission
prevents access to user_dev/media (which is where all of the beautiful
pictures get stored).  Somehow that permission is getting set by default
in that manner during installation. I think that resolving that will fix
media issues.
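As an added example (not MediaGoblin's own code or documentation, and not something either participant posted), here is what ayleph's option 1 looks like as a script, together with the check ayleph describes at the top of the thread: the webserver user needs read permission on the file and search (execute) permission on every directory leading to it. The file and directory names come from the thread (mediagoblin.ini, user_dev/crypto, a sqlite .db); the function names, the `--apply` flag and the sample tree layout are assumptions of this example. It sets owner to the mediagoblin user and group to the webserver group, gives the group read/execute on the tree, and then takes those bits back off the secrets, which is exactly the set of changes that turns the `drwx------` user_dev shown above into something nginx can traverse.

```shell
#!/bin/sh
# Added example, not MediaGoblin project code.  Applies "option 1" from the
# thread: owner = mediagoblin user, group = webserver group, group gets
# read/execute on the media tree, secrets stay owner-only.
# Owner, group and install root are parameters so this can be exercised in a
# scratch directory without root (chown then degrades to a warning).

# perm_of PATH -> the 10-character mode string from ls, e.g. drwxr-x---
perm_of() {
    ls -ld "$1" | cut -c1-10
}

# gmg_set_perms ROOT OWNER GROUP
gmg_set_perms() {
    root=$1; owner=$2; group=$3

    # Without root you can only chown to yourself / a group you belong to.
    chown -R "$owner:$group" "$root" 2>/dev/null ||
        echo "warning: chown to $owner:$group failed (run as root)" >&2

    # Directories 750: owner rwx, group rx (webserver can traverse), other none.
    # Files 640: owner rw, group r.  This is what fixes a 700 user_dev.
    find "$root" -type d -exec chmod 750 {} +
    find "$root" -type f -exec chmod 640 {} +

    # Secrets the webserver must not read (names taken from the thread):
    # the config, the user_dev/crypto key directory and any sqlite database.
    [ -f "$root/mediagoblin.ini" ] && chmod 600 "$root/mediagoblin.ini"
    if [ -d "$root/user_dev/crypto" ]; then
        chmod 700 "$root/user_dev/crypto"
        find "$root/user_dev/crypto" -type f -exec chmod 600 {} +
    fi
    find "$root" -type f -name '*.db' -exec chmod 600 {} +
    return 0
}

# gmg_check_group_path ROOT FILE
# Walks from FILE's directory up to ROOT; every directory must carry the
# group execute bit (x, or s for setgid) and FILE must be group readable,
# otherwise the webserver gets EACCES even when FILE itself is 640.
# Prints the first offending path and returns 1.
gmg_check_group_path() {
    root=$1; file=$2
    dir=$(dirname "$file")
    while :; do
        case $(perm_of "$dir") in
            d?????[xs]*) ;;                 # char 7 = group execute
            *) echo "$dir"; return 1 ;;
        esac
        [ "$dir" = "$root" ] && break
        [ "$dir" = "/" ] || [ "$dir" = "." ] && break   # not under ROOT
        dir=$(dirname "$dir")
    done
    case $(perm_of "$file") in
        -???r*) return 0 ;;                 # char 5 = group read
        *) echo "$file"; return 1 ;;
    esac
}

# Usage: sh gmg_perms.sh --apply /var/lib/mediagoblin mediagoblin www-data
if [ "${1:-}" = "--apply" ]; then
    gmg_set_perms "$2" "${3:-mediagoblin}" "${4:-www-data}"
    gmg_check_group_path "$2" "$2/mediagoblin.ini" >/dev/null &&
        echo "warning: mediagoblin.ini is readable by the webserver group" >&2
fi
```

Run the check against a real upload path (for example a file under user_dev/media) as the final step; it reports the directory that is still `drwx------` rather than just "permission denied" from nginx. If new uploads should keep the webserver group regardless of the uploading process's umask, a setgid bit on the media directories (`chmod 2750`) is the usual way to do that, which is why the check accepts `s` in the group-execute slot.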

