While browsing around, I noticed that we may have an issue with file
ownership for Trac (but maybe wider): all files in a specific project
under /project are owned by the project initiator, with the group set
to the unix group of the same name (all project files are world
readable). This applies to all files, including the Trac database.
The problem arises when Trac (running as www-data under the http
server) wants to modify the Trac database in the project. Since the
user and group are set to values other than www-data, it can't write
to the database file.
In the specific case of Trac, this can probably be solved by running
it against a PostgreSQL backend instead of sqlite. However, possibly,
other services [provided now or in the future] may require write
access too. What's the usual way to solve this issue? Do people add
the www-data user to all project groups? That doesn't seem right from
the security perspective.
Bye,
Erik.
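The situation Erik describes is the standard Unix owner/group/other check: www-data matches neither the owner nor the group of the project files, so only the "other" bits apply, and those grant read but not write. The model below is an added example, not code from the message or from Trac; the uids, gids, paths and modes are constructed for illustration. It also covers the point that matters for sqlite specifically: the database engine writes a journal file next to the database, so the directory must be writable as well, and simply adding www-data to the project group changes nothing while the files stay at mode 644.

```python
import stat
from dataclasses import dataclass


# Sample identities and files (constructed; uids, gids and paths are not from the message).
@dataclass(frozen=True)
class User:
    name: str
    uid: int
    gids: frozenset  # primary plus supplementary groups


@dataclass(frozen=True)
class FileInfo:
    path: str
    uid: int
    gid: int
    mode: int        # permission bits only, e.g. 0o644


_BITS = {
    "r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
    "w": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
    "x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH),
}


def can_access(user: User, f: FileInfo, want: str) -> bool:
    """Unix discretionary access check for an unprivileged process.

    Exactly one permission class applies, chosen in the order owner, group,
    other; a user in the file's group never falls through to the 'other'
    bits. Root / CAP_DAC_OVERRIDE is deliberately not modelled.
    """
    owner_bit, group_bit, other_bit = _BITS[want]
    if user.uid == f.uid:
        return bool(f.mode & owner_bit)
    if f.gid in user.gids:
        return bool(f.mode & group_bit)
    return bool(f.mode & other_bit)


def sqlite_writable(user: User, db: FileInfo, db_dir: FileInfo) -> bool:
    """A writable database file is not enough for sqlite: it creates a
    rollback journal (or WAL) beside the file, so the directory must be
    searchable and writable too."""
    return (can_access(user, db, "w")
            and can_access(user, db_dir, "x")
            and can_access(user, db_dir, "w"))


def audit(user: User, files) -> dict:
    """Per-file (readable, writable) outcome for one service account."""
    return {f.path: (can_access(user, f, "r"), can_access(user, f, "w")) for f in files}


# Constructed scenario: project 'foo' initiated by erik (uid 1000, group foo = gid 2000).
ERIK = User("erik", 1000, frozenset({1000, 2000}))
WWW_DATA = User("www-data", 33, frozenset({33}))
WWW_DATA_IN_GROUP = User("www-data", 33, frozenset({33, 2000}))  # the option Erik asks about

DB_DIR = FileInfo("/project/foo/trac/db", 1000, 2000, 0o755)
DB = FileInfo("/project/foo/trac/db/trac.db", 1000, 2000, 0o644)
# Same files after chmod g+w: what group membership would actually unlock.
DB_DIR_GW = FileInfo(DB_DIR.path, 1000, 2000, 0o775)
DB_GW = FileInfo(DB.path, 1000, 2000, 0o664)

if __name__ == "__main__":
    for who in (ERIK, WWW_DATA, WWW_DATA_IN_GROUP):
        print(who.name, audit(who, [DB_DIR, DB]),
              "sqlite writable:", sqlite_writable(who, DB, DB_DIR))
    print("www-data in group, files g+w:", sqlite_writable(WWW_DATA_IN_GROUP, DB_GW, DB_DIR_GW))
```

Running it shows erik with full access, www-data with read-only access in both the plain and the group-member case, and write access only once www-data is in the group and the file and its directory carry the group-write bit; that last combination is exactly what makes the group-membership route a broad grant rather than a narrow one.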