Mailinglist Archive: opensuse (929 mails)

< Previous Next >
[opensuse] Re: nginx uid:gid
lynn wrote:
Thanks, that sounds good. We've an app where the devs want to rw stuff
to their public_html folder. Apache writes as wwwrun:www whereas the
13.1 nginx writes as nginx:nginx: they can't edit their files any
longer.
---
I don't see a problem with the way you have it setup -- especially since
in your case, it sounds like nginx is being run *instead* of apache,
so keeping the UID/GID the same as what it was before provides
a more seamless upgrade.

I appreciate having daemons running under their own separate user id
-- and not a generic one for all, since a security problem in one daemon
gives access to all daemons files running under the same UID/GID.
Having each in it's own UID/GID allows for finer access control
as well.


Another way you might think about 'someday', is to use ACL's and
a "default acl" on the directories that can give extended access by
group or user name *OR* just use setGID on the directories and
have their group set to 'www', so all files created in them will
end up in 'www'. Would still need to make sure processes that
execute in those dirs have umasks set to something like 002.

But if what you have works, no need to change it till the next
upgrade... ;-)


(BTW -- To go through all folders and set such bits, (GID or ACLs),
one would likely use 'find' (all files & dirs owned by
'www', for example and pipe that into xargs...but you likely already
know that)).

Cheers...



--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx

< Previous Next >
Follow Ups
References