Using Access Control List for web-development

Who doesn’t know that situation? You’re implementing a feature (e.g.: a file upload :-P) in whatever language you like and when you test it it fails because the web server has no permissions whatsoever to write to that directory. Bummer!

There are quite a few different ways to handle that: chmod 777, chown -R webServer, run the web server as you, suEXEC… but they all bring their own bunch of problems with them (which I won’t pursue in-depth now). The imho most elegant solution are Access Control Lists. With ACLs you get everything you need and when done properly, will render permission problems a thing of the past.

The following commands do basically the same just on two different operating systems. They grant the web-server user (_www/www-data) and me (pubmem) all rights in the directory foo and it’s subdirectories and set default ACL rights that future files/directories will inherit. The last commands (ls and getfacl respectively) allow you to review the ACLs set. For further information regarding the flags RTM.😉
OS X (10.6):

chmod -R +a 'pubmem allow read,write,delete,add_file,add_subdirectory,file_inherit,directory_inherit' foo
chmod -R +a '_www allow read,write,delete,add_file,add_subdirectory,file_inherit,directory_inherit' foo
ls -led foo

Ubuntu 10.04:

setfacl -R -m u:www-data:rwx,d:u:www-data:rwx,u:pubmem:rwx,d:u:pubmem:rwx foo
getfacl foo

References

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: