Re: [GMG-Devel] Fwd: Re: Media directory permissions

[ayleph]

On Sun, May 10, 2015 at 11:06:36AM -0500, Jim Campbell wrote:
> Looks like I just sent this to ayleph, and not to the list.  Please see
> below.  Thanks,
> 
> Jim
> 
> ----- Original message -----
> From: Jim Campbell <address@hidden>
> To: ayleph <address@hidden>
> Subject: Re: [GMG-Devel] Media directory permissions
> Date: Sun, 10 May 2015 11:05:54 -0500
> 
> Hi All,
> 
> On Sat, May 9, 2015, at 10:54 PM, ayleph wrote:
> > Make sure the user which runs the webserver (www-data, http, nobody, or
> > whatever you have configured) has read access to the full path where the
> > media is stored.
> > 
> 
> As a follow-up, I sorted-out the issue with my installation. I had set
> the mediagoblin home directory to /var/lib/mediagoblin, and that's where
> the media went when it was uploaded. I needed to adjust my nginx
> configuration to point to that location.
> 
> As for the permissions issue, my approach was to create a "developer"
> group and assign both the mediagoblin user and the www-data user to that
> group, and then work through giving file read permissions and directory
> execute permissions to that group. At least that's what I think I did. I
> had to work through this several times, and even worked with ACLs, so
> I'm just trying to work out a consistent, agreed-upon way of doing this.
> 
> The Gitlab documentation [1] does a good job of taking the user/admin
> through specific steps to set the proper file and directory permissions,
> so I want to open up conversation around that so that we can have
> something like that, too.  I want to get this documented, but I'm not
> confident that my approach is one that is proper and secure. What was
> your approach to getting proper permissions on the mediagoblin code and
> your uploaded content? Is my approach a decent one and one that you'd
> recommend?

I would not recommend your approach. You've got some added complexity that 
doesn't really do anything for you. There's no need to create a separate group 
and certainly no need to use ACLs (I don't see other packages doing this kind 
of stuff either). Your mediagoblin user account should already be the owner of 
the files in your media directory, so there's no need to add it to another 
group. As for giving your webserver read access, there are a couple of simple 
ways.

1. Change the "group" ownership of your mediagoblin directory to the same group 
as your webserver and set appropriate group read/execute permissions.

2. Leave the "owner" and "group" set to your mediagoblin user account and 
group, and set the mediagoblin directory world readable (give read/execute 
permission to "other"). If you do this, you probably want to remove world read 
access to specific files/directories (mediagoblin.ini, user_dev/crypto, and 
probably your sqlite db if you have one).

-- 
ayleph