Re: [GMG-Devel] Fwd: Re: Media directory permissions

From: Christopher Allan Webber
Subject: Re: [GMG-Devel] Fwd: Re: Media directory permissions
Date: Wed, 20 May 2015 13:47:45 -0500

Jim Campbell writes:

> Thanks for confirming, Sebastian.
> On Tue, May 19, 2015, at 02:34 AM, Sebastian Hugentobler wrote:
>> > I talked about it with Chris today, and we decided to go with the first
>> > option. I've updated the docs to create the mediagoblin system / user
>> > account with 'mediagoblin:www-data' / 'mediagoblin:nginx' permissions.
>> >
>> > It almost works. I think I've discovered that the user_dev directory
>> > does not give any permissions to group/other by default. It only gives
>> > permissions to the owner, and I think that is blocking the web server
>> > from accessing the media:
>> >
>> > drwx------.  4 mediagoblin nginx        4096 May 19 03:01 user_dev
>> >
>> > I understand that user_dev/crypto is important to keep private (so that
>> > would be appropriate to be set as 700), but the above default permission
>> > prevents access to user_dev/media (which is where all of the beautiful
>> > pictures get stored).  Somehow that permission is getting set by default
>> > in that manner during installation. I think that resolving that will fix
>> > media issues.
>> It definitely does, I am running my instance with these permissions
>> (sorry for not coming forward earlier, I overlooked this thread).
>> I will take a look at my ansible role to see if there's more I forgot to
>> report.
> I would probably recommend permissions of 750 on the user_dev directory.
> Chris, is this something that you could look at in the code?
> Jim

I'm a-ok with 750 for user_dev for now, yep.

 - Chris

PS: Note that in the glorious future, users will never use a directory
named "user_dev"... the directory was called that because in-project
virtualenv/data type installs were only meant to be for development, and
the naming of such was to make it clear, but since we've never gotten
real distro packaging yet this is the present reality, sadly!
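
The permission layout agreed in this thread, as an added example that is not part of the original message and not MediaGoblin's own code: a small audit that flags a user_dev whose mode blocks the web server's group and a crypto directory that is not owner-only, then applies the two modes named above. The function names, the demo tree and the check on media are assumptions made for illustration, and the script assumes GNU `stat`.

```shell
#!/bin/sh
# Added example (not MediaGoblin code). Assumes GNU coreutils `stat -c`.

# Octal permission bits of a path, e.g. 700 or 750.
mode_of() { stat -c '%a' "$1"; }

# One permission digit: bits_of PATH SHIFT (3 = group, 0 = other).
bits_of() { echo $(( (0$(mode_of "$1") >> $2) & 7 )); }

# Audit the layout from the thread. Prints one line per finding and
# returns the number of findings (0 = group can reach media, crypto private).
audit_user_dev() {
    root=$1; findings=0
    # The web server is in the directory's group: it needs r-x (5) on
    # user_dev itself, or nothing beneath it is reachable.
    if [ $(( $(bits_of "$root" 3) & 5 )) -ne 5 ]; then
        echo "FAIL $root: mode $(mode_of "$root") blocks group traversal"
        findings=$((findings + 1))
    fi
    if [ "$(bits_of "$root" 0)" -ne 0 ]; then
        echo "FAIL $root: other has access"; findings=$((findings + 1))
    fi
    # crypto must stay private: no group or other bits at all.
    if [ $(( 0$(mode_of "$root/crypto") & 077 )) -ne 0 ]; then
        echo "FAIL $root/crypto: mode $(mode_of "$root/crypto") is not owner-only"
        findings=$((findings + 1))
    fi
    # Assumption: media must also be group-traversable for the web server.
    if [ $(( $(bits_of "$root/media" 3) & 5 )) -ne 5 ]; then
        echo "FAIL $root/media: group cannot list or enter"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Apply only the two modes named in the thread.
apply_thread_modes() { chmod 750 "$1" && chmod 700 "$1/crypto"; }

# Constructed demo tree reproducing the reported state (user_dev at 700).
demo=$(mktemp -d)/user_dev
mkdir -p "$demo/crypto" "$demo/media"
chmod 750 "$demo/media"; chmod 700 "$demo/crypto"; chmod 700 "$demo"
audit_user_dev "$demo" || echo "findings before: $?"
apply_thread_modes "$demo"
audit_user_dev "$demo" && echo "OK after chmod 750"
```

The audit reads mode bits only, so it gives the same answer when run as root; it does not check that the directory's group is actually the one the web server runs under.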

