Discussion:
[Manual] Dynamic content
Tanguy Ortolo
2010-03-09 10:54:49 UTC
Hello,

For permission settings, the Webapps Policy Manual draft covers the
cases of static configuration files and application-modifiable
configuration.

I suggest explicitly covering the following cases for both filesystem
paths and permissions:
* application content (e.g. application code);
* administrator provided application content (e.g. plugins or
extensions);
* user uploaded content (e.g. wiki pages);
* application configuration.

Some webapps allow online addition of plugins, which is not currently
covered.

Is there a repository I could clone/checkout to prepare a patch for the
Manual draft?

Regards,
--
Tanguy Ortolo
Tanguy Ortolo
2010-03-09 11:11:49 UTC
Post by Tanguy Ortolo
> I suggest to explicitly cover the following cases for both filesystem
> * application content (e.g. application code);
> * administrator provided application content (e.g. plugins or
> extensions);
> * user uploaded content (e.g. wiki pages);
> * application configuration.

To describe my suggestion with more details:
arch-indep app content        /usr/share/PACKAGE            0755  root:root
arch-dep app content          /usr/lib/cgi-bin/PACKAGE      0755  root:root
admin-provided app content    /var/lib/PACKAGE/[plugins]    0755  root:root
admin-uploaded app content    /var/lib/PACKAGE/[plugins]    0775  root:www-data
user-uploaded content         /var/lib/PACKAGE/[userdata]   0755  www-data:root
persistent app data           /var/lib/PACKAGE/[appdata]    0755  www-data:root
cached app data               /var/cache/PACKAGE            0755  www-data:root
configuration                 /etc/PACKAGE                  0755  root:root
web-modifiable configuration  /etc/PACKAGE                  0775  root:www-data

Permissions being adapted for files – remove the x bit – and for sensitive
data – remove rx bits from others –. For instance, a web-modifiable
password file could be 0660 root:www-data, and the data directory of a
wiki that supports access control could be 0770 www-data:root.
--
Tanguy Ortolo
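
An added example, not part of the original posts or of the Manual draft: a small audit that checks an installed tree against the table proposed above, deriving file modes with the stated "remove the x bit" rule. The function names are hypothetical, the content class of each directory is assumed to be supplied by the packager (the same path appears under two rows of the table), and the sensitive-data rule is applied literally by clearing r and x for others.

```python
import grp, os, pwd, stat

# Directory rows of the proposed table: content class -> (mode, owner, group).
POLICY = {
    "arch-indep app content":       (0o755, "root", "root"),
    "arch-dep app content":         (0o755, "root", "root"),
    "admin-provided app content":   (0o755, "root", "root"),
    "admin-uploaded app content":   (0o775, "root", "www-data"),
    "user-uploaded content":        (0o755, "www-data", "root"),
    "persistent app data":          (0o755, "www-data", "root"),
    "cached app data":              (0o755, "www-data", "root"),
    "configuration":                (0o755, "root", "root"),
    "web-modifiable configuration": (0o775, "root", "www-data"),
}

def expected_mode(cls, is_dir, sensitive=False):
    mode = POLICY[cls][0]
    if not is_dir:
        mode &= ~0o111   # files: remove the x bit
    if sensitive:
        mode &= ~0o005   # sensitive data: remove rx bits from others
    return mode

def check(cls, mode, owner, group, is_dir, sensitive=False):  # -> list of deviations
    want = expected_mode(cls, is_dir, sensitive)
    problems = []
    if mode != want:     # exact match, so setuid/setgid/sticky bits are flagged too
        problems.append(f"mode {mode:04o}, expected {want:04o}")
    if (owner, group) != POLICY[cls][1:]:
        problems.append(f"owner {owner}:{group}, expected " + ":".join(POLICY[cls][1:]))
    return problems

def _name(lookup, ident):
    try:
        return lookup(ident)[0]   # pw_name or gr_name
    except KeyError:
        return str(ident)         # id without a passwd/group entry

def audit_tree(root, cls, sensitive=False):
    """Walk root, treated as content class cls; return {path: [deviations]}."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue          # symlink modes carry no meaning
            findings[path] = check(cls, stat.S_IMODE(st.st_mode),
                                   _name(pwd.getpwuid, st.st_uid), _name(grp.getgrgid, st.st_gid),
                                   stat.S_ISDIR(st.st_mode), sensitive)
    return {p: probs for p, probs in findings.items() if probs}
```

For instance, `audit_tree("/var/lib/PACKAGE/userdata", "user-uploaded content")` reports any entry under that directory whose mode or ownership differs from the proposed row.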