
Using Access Control List for web-development

Who doesn’t know that situation? You’re implementing a feature (e.g. a file upload :-P) in whatever language you like, and when you test it, it fails because the web server has no permissions whatsoever to write to that directory. Bummer!

There are quite a few different ways to handle that: chmod 777, chown -R webServer, running the web server as you, suEXEC… but they all bring their own bunch of problems with them (which I won’t pursue in depth now). The most elegant solution, imho, is Access Control Lists. With ACLs you get everything you need, and when done properly they will render permission problems a thing of the past.

The following commands do basically the same thing on two different operating systems. They grant the web-server user (_www/www-data) and me (pubmem) all rights in the directory foo and its subdirectories, and set default ACL rights that future files/directories will inherit. The last command in each case (ls and getfacl respectively) allows you to review the ACLs set. For further information regarding the flags, RTM. 😉

OS X (10.6):

chmod -R +a 'pubmem allow read,write,delete,add_file,add_subdirectory,file_inherit,directory_inherit' foo
chmod -R +a '_www allow read,write,delete,add_file,add_subdirectory,file_inherit,directory_inherit' foo
ls -led foo

Ubuntu 10.04:

setfacl -R -m u:www-data:rwx,d:u:www-data:rwx,u:pubmem:rwx,d:u:pubmem:rwx foo
getfacl foo
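
Added example (not part of the original post): a small checker for the review step on Ubuntu. It parses getfacl output and reports when www-data or pubmem lack an access or default entry, when the mask cuts their effective rights, or when "other" has write as after chmod 777. The function names and the SAMPLE text are assumptions constructed for illustration.

```python
# Added example: audit `getfacl` output. SAMPLE is constructed (headers trimmed), not captured.
SAMPLE = """# file: foo
user::rwx
user:www-data:rwx\t#effective:r-x
user:pubmem:rwx\t#effective:r-x
group::r-x
mask::r-x
other::r-x
default:user::rwx
default:user:www-data:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
"""

def parse_getfacl(text):
    """Return {(scope, tag, qualifier): perms} for one file's getfacl output."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops headers and "#effective:" notes
        if not line:
            continue
        scope = "access"
        if line.startswith("default:"):
            scope, line = "default", line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        entries[(scope, tag, qualifier)] = perms
    return entries

def effective(perms, mask):  # named-user entries are capped by the mask entry
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))

def audit(text, users, want="rwx"):
    """List what keeps `users` from having `want`, plus any world-writable ACL."""
    acl, findings = parse_getfacl(text), []
    for scope in ("access", "default"):
        mask = acl.get((scope, "mask", ""), "rwx")
        for user in users:
            perms = acl.get((scope, "user", user))
            if perms is None:
                findings.append(f"{scope}: no entry for {user}")
            elif effective(perms, mask) != want:
                findings.append(f"{scope}: {user} gets {effective(perms, mask)} (mask {mask})")
        if "w" in acl.get((scope, "other", ""), ""):
            findings.append(f"{scope}: other has write")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, ["www-data", "pubmem"])))
```

To check a real directory, pass the text printed by getfacl foo to audit() in place of SAMPLE.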