[lug] apache vhost / php perms

Hugh Brown hugh at math.byu.edu
Thu Apr 17 05:51:30 MDT 2008


George Sexton wrote:
> 
> 
> Hugh Brown wrote:
>> George Sexton wrote:
>>> SetGID applied to a directory makes any new directories or files 
>>> created in that directory set to the group of the parent directory.
>>>
>>> I don't think it's any particular security issue since it's applied 
>>> to the directory, and the only effect is to make any files or 
>>> directories owned by the group.
>>>
>>
>> I've done something similar and found that I had to write a cron 
>> script that would fix the group permissions and make sure that group 
>> had read/execute where appropriate.
>>
>> As a test, I just did:
>>
>> mkdir foo
>> chgrp group2 foo
>> chmod g+s foo
>> cd foo
>> rsync -av remote:s* .
>>
>> ls -l at the foo level had group2 but everything below that level had 
>> group1 (which is the default group for the user).
> 
> That would be because rsync -a implies rsync -p which preserves the 
> permissions of the source.
> 
> Call rsync with the explicit options -a implies, less -p.
> 

My point was more that users are capable of creating files that won't 
always get created with the correct group membership and that a periodic 
cron job to fix it is worth running in addition to setgid.

Hugh
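
The periodic fix-up described in this message, sketched as an added example that is not part of the original thread. The function names and the directory and group arguments are hypothetical; it assumes a POSIX find, and it skips multiply-linked files so that a cron job running as root does not regroup a file hard-linked in from outside the tree.

```shell
#!/bin/sh
# Added example (not from the thread): cron-style repair of a setgid shared tree.
# Usage: script DIR GROUP   (both are supplied by the admin; names are hypothetical)

# Audit helper: print every entry whose group is not GROUP, e.g. files
# copied in with their source group preserved.
list_wrong_group() {
    find "$1" -xdev ! -group "$2" -print
}

fix_shared_tree() {
    dir=$1
    group=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }

    # 1. Regroup anything not in the shared group. -h changes a symlink
    #    itself instead of following it out of the tree; regular files with
    #    more than one hard link are left for manual review.
    find "$dir" -xdev ! -group "$group" \( -type d -o -links 1 \) \
        -exec chgrp -h "$group" {} +

    # 2. Directories: setgid (2000) so new entries inherit the group, plus
    #    group read (040) and search (010). Only touch those missing a bit.
    find "$dir" -xdev -type d ! -perm -2050 -exec chmod g+rxs {} +

    # 3. Regular files: group read; X grants group execute only where an
    #    execute bit is already set, so data files stay non-executable.
    find "$dir" -xdev -type f -links 1 -exec chmod g+rX {} +
}

# Run the repair when called with two arguments (e.g. from crontab).
if [ "$#" -eq 2 ]; then
    fix_shared_tree "$1" "$2"
fi
```

Entries still printed by list_wrong_group after a run are the multiply-linked files the repair skipped.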


