Granting File permissions via Access Control Lists


#1

OK, you might want to call me paranoid after writing this.

For files that contain database connectivity information, I’d like to set permissions to 600, read/write, for user only. If I do this, then the server can’t read the file, and I’m fine with that. What I would then like to do is grant the user dhapache the ability to read the file without changing the owner. Typically I would modify the access control list with setfacl, but DreamHost doesn’t have the ACL package installed.

Is there another way to do this?


#2

If you set your website to ‘Run PHP as CGI’, the PHP script will execute with the permissions of your own user and will be able to read the 600 file. ACL permissions will not work on our servers until we update to the next release of Debian some time later this year.

  • Dallas
  • DreamHost Head Honcho/Founder

#3

Dallas,

Thanks for getting back to me on that; I appreciate it. Yeah, I knew that running PHP as CGI would take care of it. Thanks for the update on ACL. I’m looking forward to when it’s going to be installed.


#4

It’s been a year. Any word on any planned upgrade?

More importantly, any advice on how to add dhapache to custom groups?


#5

Any idea on when the File Access Control Lists (ACL) permissions will be available?


#6

I’m a Dreamhost customer, but I was shopping for a new managed webhosting service that supports ACLs (Linux setfacl), because (a) I have used ACLs in the past, and (b) I am increasingly persuaded that what I want to do cannot be done securely using user/group/other legacy UNIX permissions.

Imagine my surprise to see this post. Dreamhost was supposed to get ACLs “later this year” in 2005?

Are we there yet?

I’d really prefer not to have to move webhosting services.


#7

By the way, here is what I want to use ACLs for:

A collection of web services like wiki servers, each running as a separate UNIX user.

Different sets of files, read/write to different subsets of users, and read-only to still different subsets.

Rather basic.

I have done similar stuff using groups. Using a distinct group per read/write group of files, and letting the files be world readable. Obviously falls a bit short, and results in a proliferation of groups. Typically overflowing the usual UNIX limit of 14 groups. Used wash and other tools to swap groups in and out. (Does DH have such tools? Haven’t checked.)

I have done similar stuff using setuid. But I really dislike setuid.

I have done similar stuff using setgid, to further restrict which programs can access the data.

I rather dislike setgid, because both setuid and setgid require me to write validation code. Which amounts to following an ACL.
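
An added example, not part of any post in this thread: a simplified Python model of the access check that acl(5) describes for Linux POSIX ACLs, applied to the 600 file with a read entry for dhapache from the first post and to the per-group read/write split from the last one. The names alice, alice_grp, wiki1, editors and readers are constructed, and the model assumes an ACL that carries a mask entry.

```python
# Simplified model of the POSIX ACL access check from acl(5).
# Every name except dhapache is constructed for illustration.
R, W = 4, 2

def acl_allows(acl, uid, gids, want):
    """Return True if a process (uid, set of gids) gets every bit in `want`."""
    # 1. The file owner is checked first and is never limited by the mask.
    if uid == acl["owner"]:
        return (acl["user_obj"] & want) == want
    # 2. A named-user entry comes next and is limited by the mask.
    if uid in acl["users"]:
        return (acl["users"][uid] & acl["mask"] & want) == want
    # 3. Owning group and named groups: any one matching entry may grant
    #    access; if some matched but none grants, access is denied without
    #    falling through to "other".
    matched = [acl["group_obj"]] if acl["group"] in gids else []
    matched += [p for g, p in acl["groups"].items() if g in gids]
    if matched:
        return any((p & acl["mask"] & want) == want for p in matched)
    # 4. Everyone else gets the "other" entry.
    return (acl["other"] & want) == want

def mode_bits(acl):
    """Mode as stat/ls reports it: with an ACL, the group bits show the mask."""
    return (acl["user_obj"] << 6) | (acl["mask"] << 3) | acl["other"]

# Constructed sample 1: a 600 file owned by alice, plus the entry that
# `setfacl -m u:dhapache:r` would add. The mask becomes r--.
DB_CONF = {
    "owner": "alice", "user_obj": R | W, "group": "alice_grp", "group_obj": 0,
    "users": {"dhapache": R}, "groups": {}, "mask": R, "other": 0,
}

# Constructed sample 2: wiki data writable by one group, read-only to another.
WIKI_PAGES = {
    "owner": "wiki1", "user_obj": R | W, "group": "wiki1", "group_obj": 0,
    "users": {}, "groups": {"editors": R | W, "readers": R},
    "mask": R | W, "other": 0,
}

if __name__ == "__main__":
    for who in ("alice", "dhapache", "mallory"):
        print(who, "read:", acl_allows(DB_CONF, who, set(), R),
              "write:", acl_allows(DB_CONF, who, set(), W))
    print("db.conf mode as ls shows it:", oct(mode_bits(DB_CONF)))
```

Once the named-user entry exists, the file no longer lists as 600: the group column shows the mask, so a plain mode check will report 640 even though the owning group still has no access.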