While browsing around, I noticed that we may have an issue with file ownership for Trac (but maybe wider): all files in a specific project under /project are owned by the project initiator with the group set to the unix group by the same name (all project files are world readable). This applies to all files, including the Trac database.
The problem arises when Trac (running as www-data under the http server) wants to modify the Trac database in the project. Since the user and group are set to values other than www-data, it can't write to the database file.
In the specific case of Trac, this can probably be solved by running it against a postgresql backend instead of sqlite. However, possibly, other services [provided now or in the future] may require write access too. What's the usual way to solve this issue? Do people add the www-data user to all project groups? That doesn't seem right from the security perspective.
Bye,
Erik.
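An added example, not from this thread and not Trac's own tooling: the pattern Ray describes below (the Trac directory carrying the www-data gid) applied only to the subtrees Trac actually writes, instead of putting www-data into every project group. Assumptions: a Trac environment under /project/NAME/trac with the usual db/, log/ and attachments/ subtrees (names vary by Trac version; adjust TRAC_WRITABLE_SUBDIRS), a web-server group called www-data, and POSIX find/chmod/chgrp. Everything else in the project stays owned by the initiator and its group.

```sh
#!/bin/sh
# Hypothetical helper, not part of Trac or of the thread.
# Grant the web-server group write access to the Trac environment's
# writable subtrees only, and stop the sqlite database being world readable.
set -eu

# Subtrees the web server must write; the rest of the project is left alone.
# Assumed layout: adjust to the Trac version actually installed.
TRAC_WRITABLE_SUBDIRS="db log attachments"

# grant_webserver_write ENV GROUP
#   chgrp the writable subtrees to GROUP, set setgid on directories so files
#   Trac creates later inherit the group, give the group rw on files, and
#   remove all "other" access from db/ (the sqlite file and its -journal live
#   there; sqlite also needs write permission on that directory).
grant_webserver_write() {
    env="$1"; grp="$2"
    for sub in $TRAC_WRITABLE_SUBDIRS; do
        d="$env/$sub"
        [ -d "$d" ] || continue
        chgrp -R "$grp" "$d"
        find "$d" -type d -exec chmod u+rwx,g+rwxs,o-w {} +
        find "$d" -type f -exec chmod u+rw,g+rw,o-w {} +
    done
    if [ -d "$env/db" ]; then
        find "$env/db" -exec chmod o-rwx {} +
    fi
}

# audit_webserver_write ENV GROUP
#   Print every path that would still stop the server from writing (wrong
#   group, missing g+w, directory without setgid) and every file under db/
#   that is still world readable.  Returns 1 if anything was printed.
audit_webserver_write() {
    env="$1"; grp="$2"; bad=0
    for sub in $TRAC_WRITABLE_SUBDIRS; do
        d="$env/$sub"
        [ -d "$d" ] || continue
        out=$(find "$d" \( ! -group "$grp" \) \
                     -o \( -type d ! -perm -2070 \) \
                     -o \( -type f ! -perm -060 \))
        if [ -n "$out" ]; then printf '%s\n' "$out"; bad=1; fi
    done
    if [ -d "$env/db" ]; then
        out=$(find "$env/db" -type f -perm -004)
        if [ -n "$out" ]; then printf 'world-readable: %s\n' "$out"; bad=1; fi
    fi
    return "$bad"
}

# Usage, as root on the server (path layout assumed):
#   grant_webserver_write /project/NAME/trac www-data
#   audit_webserver_write /project/NAME/trac www-data && echo ok
```

Two caveats. Anything else running as www-data (other vhosts, CGI scripts) gets the same write access to those subtrees, which is still far narrower than membership in every project group. And switching to PostgreSQL, as suggested above, removes the need to write the database file but puts the connection string (with its password) into conf/trac.ini, which then must not be world readable either.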
On 4/17/11 3:35 PM, Erik Huelsmann wrote:
> While browsing around, I noticed that we may have an issue with file ownership for Trac (but maybe wider): all files in a specific project under /project are owned by the project initiator with the group set to the unix group by the same name (all project files are world readable). This applies to all files, including the Trac database.
FWIW, the Trac directory and subdirectories for cmucl have a gid of www-data. I don't know if I did that or if someone else did that. Same is true for the f2cl project.
Ray
Hi Erik,
Did you see the two reports of users having file permission related problems?
-Hans
On Sunday, April 17, 2011, Erik Huelsmann ehuels@gmail.com wrote:
> While browsing around, I noticed that we may have an issue with file ownership for Trac (but maybe wider): all files in a specific project under /project are owned by the project initiator with the group set to the unix group by the same name (all project files are world readable). This applies to all files, including the Trac database.
> The problem arises when Trac (running as www-data under the http server) wants to modify the Trac database in the project. Since the user and group are set to values other than www-data, it can't write to the database file.
> In the specific case of Trac, this can probably be solved by running it against a postgresql backend instead of sqlite. However, possibly, other services [provided now or in the future] may require write access too. What's the usual way to solve this issue? Do people add the www-data user to all project groups? That doesn't seem right from the security perspective.
> Bye,
> Erik.
clo-devel mailing list
clo-devel@common-lisp.net
http://common-lisp.net/cgi-bin/mailman/listinfo/clo-devel