On 02/06/14 21:49, John Andersen wrote:
On 2/6/2014 12:34 PM, Ted Byers wrote:
Hi John,
On 14-02-06 03:23 PM, John Andersen wrote:
On 2/6/2014 12:01 PM, Ted Byers wrote:
After creating /srv/www/htdocs/misc, I applied 'chgrp www /srv/www/htdocs/misc' and 'chmod 755 /srv/www/htdocs/misc'. I do not know if there is a better option. But what is critical is that Apache can serve the PDF my script has created.

Is Apache running as www, or is it running as "nobody"?
In uid.conf, I see the User is set to wwwrun and the Group is www. I would assume, then, that it is running as wwwrun. Is that correct, or does that reveal my ignorance of the Linux world? ;-)

Well (off the top of my head): if user wwwrun is a member of www, then it is restricted to the group permission in that directory, which in your case is read and execute.
You need to write in that subdirectory (to create a subdirectory or a file). So it would EITHER need to OWN /srv/www/htdocs/misc, or the Group www would need write authority to that directory. (775)
Someone more accustomed to managing web servers than I could probably recommend best practices.

Hi Joachim, See below:
On 14-02-06 05:21 PM, Joachim Schrod wrote:

As usual, the answer is: It depends.

If the cache directory is only used by the CGI script, it should be owned by wwwrun. Make sure that the directory is cleaned up regularly, e.g. by a cron job.

If that directory with PDF files is used by another process, too, or if sysadmins need write access to it, then group write access is the better way to go. (Or ACLs, if one is not able to tune group ownership fine-grained enough.)

Actually, the directory in question is intended to be more than a cache. The contents are intended to be permanent, once created, and never change. And they are connected to a specific entity, and therefore a subset of the users connected to that entity (owner or selected employees), are authorized to see them after, and only after, they have been created. Only the script in question is ever to write data to that directory. And indeed, only that script creates the web page that gives users access to these files (that is, it checks to see if the file(s) exist, and if so, creates a web page that provides the URLs to get the files. And if they do not exist, and if and only if the user has authorization to create the files, it creates them and then gives the web page that provides the links to access them). If the user is not authorized to create these files, they see only an executive summary, and the button that launches this script is not put on the executive summary page, so that user has no way to even look for the files (I have created a sophisticated permissions system that dynamically carefully controls what each user is able to see and do).
Actually, best practice would be to not create such an intermediate file directory directly accessible by Apache at all, but serve the PDF file from the script. If a cache directory is necessary, it should be somewhere else, not under /srv/www/htdocs/; still owned by wwwrun. Or, for larger and more professional demands, one would use an application server that creates and delivers the PDF documents. (Our Web applications generate, format, and deliver millions of individualized documents per year on each installation; PDFs created dynamically by TeX & friends.)
Best, Joachim
This is actually a relatively simple script. I have a more demanding one involving a script that allows an authorized user to download a substantial amount of data in a CSV file. The quantity of data, though, can be such that I have to have the database write the data directly to a file which is then read by my script and served to the user. Thus, I need, somehow, to set up a directory to which MySQL (and where would I find out what user mysql runs as) can write and wwwrun can read.

BTW: I realize this is a newbie question, but all the documentation I have read for chown refers only to files. Does it work on directories also, or is there another command I need to look up?

Thanks
Ted
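
Added example, not part of the thread and not code from any of its participants: a sketch of Joachim's suggestion to keep the PDFs outside /srv/www/htdocs/ and have the script deliver them, so that authorization is checked on every download instead of depending on the link being hidden. The language (Python), the function names, the document-id format and the `may_read` callback are assumptions for illustration; the sample data is constructed.

```python
import os
import re
import tempfile

# Assumed document-id format; the thread does not say how files are named.
DOC_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")

def resolve_pdf(cache_dir, doc_id):
    """Map a document id to a file inside cache_dir, or return None."""
    if not DOC_ID.fullmatch(doc_id):
        return None                      # rejects "../", "/", empty ids
    root = os.path.realpath(cache_dir)
    path = os.path.realpath(os.path.join(root, doc_id + ".pdf"))
    # realpath follows symlinks, so a link pointing outside is refused too
    if os.path.commonpath([root, path]) != root or not os.path.isfile(path):
        return None
    return path

def serve_pdf(cache_dir, doc_id, user, may_read):
    """Return (status, headers, body) for a CGI-style response."""
    if not may_read(user, doc_id):       # authorization on every request
        return 403, {"Content-Type": "text/plain"}, b"Forbidden\n"
    path = resolve_pdf(cache_dir, doc_id)
    if path is None:
        return 404, {"Content-Type": "text/plain"}, b"Not found\n"
    with open(path, "rb") as fh:
        body = fh.read()
    headers = {
        "Content-Type": "application/pdf",
        "Content-Length": str(len(body)),
        "Content-Disposition": 'attachment; filename="%s.pdf"' % doc_id,
        "Cache-Control": "private, no-store",
    }
    return 200, headers, body

def demo():
    """Constructed sample: one PDF, one authorized user, one outsider."""
    with tempfile.TemporaryDirectory() as cache:
        os.chmod(cache, 0o700)           # only the owning account may write
        with open(os.path.join(cache, "report42.pdf"), "wb") as fh:
            fh.write(b"%PDF-1.4 constructed sample\n")
        may_read = lambda user, doc: user == "alice"  # hypothetical check
        return [serve_pdf(cache, "report42", "alice", may_read)[0],
                serve_pdf(cache, "report42", "mallory", may_read)[0],
                serve_pdf(cache, "../etc/passwd", "alice", may_read)[0],
                serve_pdf(cache, "missing", "alice", may_read)[0]]

if __name__ == "__main__":
    print(demo())
```

With this layout the web server never maps a URL directly onto the PDF directory, so a guessed or forwarded link cannot bypass the permission check.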