[MKDoc-dev] File permissions after installation
Bruno Postle
bruno at mkdoc.com
Thu Sep 30 16:02:20 BST 2004

Historically, MKDoc has been installed on dedicated systems with no
untrusted system accounts.

To make installation simpler, some directories are made world
writable and the database connection details are made world readable
(actually no permissions are set on the database connection file,
this could cause problems on systems with restrictive umasks)

Ideally, a post-installation script run by root would make these
files only accessible to the apache user - This script doesn't exist
yet, so I've added these instructions to the INSTALL.TXT file. Any
comments?

Resetting permissions
---------------------

Typically a web-server on a system uses a unique user account, often
this user is called 'nobody' or 'wwwuser'. This means that when
MKDoc itself needs to access files on the filesystem it is going to
be using that system account to do it.

In order to ensure that these files are usable by MKDoc, the site
installation procedure makes some directories usable by anyone on
the system - This needs to be changed if the server has other,
untrusted users.

Find out which account your web-server uses by looking at the 'User'
and 'Group' directives in the master httpd.conf file.

For example, if your 'User' is 'wwwuser' and your 'Group' is
'wwwgroup', you will need to run these commands as root to make
these directories only writable by the web-server:

    chown -R wwwuser:wwwgroup $SITE_DIR/static/files
    chown -R wwwuser:wwwgroup $SITE_DIR/static/images
    chown -R wwwuser:wwwgroup $SITE_DIR/data
    chown -R wwwuser:wwwgroup $SITE_DIR/cache
    chmod -R o-w $SITE_DIR/static/files
    chmod -R o-w $SITE_DIR/static/images
    chmod -R o-w $SITE_DIR/data
    chmod -R o-w $SITE_DIR/cache

Similarly, the database connection details need only to be readable
by the web-server:

    chown wwwuser:wwwgroup $SITE_DIR/su/driver.pl
    chmod 0440 $SITE_DIR/su/driver.pl

--
Bruno
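
An added example, not part of the original message or of MKDoc: a read-only audit of the paths named in the instructions above, useful for confirming the reset took effect. The function name `audit_mkdoc_perms` and the output labels are assumptions, and it assumes `data` and `cache` sit directly under `$SITE_DIR` as in the chown lines.

```shell
#!/bin/sh
# Added example (not MKDoc code): audit a site directory for the permission
# problems described above. Prints one line per finding and returns 0 when
# the site is clean, 1 otherwise. It changes nothing on disk.

audit_mkdoc_perms() {
    site_dir=$1
    findings=0

    # Directories the installer leaves writable for the web-server.
    for sub in static/files static/images data cache; do
        dir="$site_dir/$sub"
        if [ ! -d "$dir" ]; then
            echo "MISSING  $dir"
            findings=$((findings + 1))
            continue
        fi
        # -perm -0002 matches anything with the "other write" bit set;
        # symlinks are skipped because their own mode bits are not enforced.
        ww=$(find "$dir" ! -type l -perm -0002 -print)
        if [ -n "$ww" ]; then
            echo "$ww" | sed 's/^/WORLD-WRITABLE  /'
            findings=$((findings + 1))
        fi
    done

    # Database connection details: "other" should have no access at all.
    conf="$site_dir/su/driver.pl"
    if [ ! -f "$conf" ]; then
        echo "MISSING  $conf"
        findings=$((findings + 1))
    elif [ -n "$(find "$conf" \( -perm -0004 -o -perm -0002 -o -perm -0001 \) -print)" ]; then
        echo "OTHER-ACCESSIBLE  $conf"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Run against a site directory when one is given on the command line.
[ -z "${1:-}" ] || audit_mkdoc_perms "$1"
```

The audit only looks at the "other" permission bits; whether the owner and group match the web-server's 'User' and 'Group' still has to be checked against httpd.conf.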