Make sure the webserver can reach the installation directory #3096
Conversation
vmcj
force-pushed
the
fix_facls_non_standard_dir
branch
from
ab98a12 to
b7973cb
Compare
vmcj
force-pushed
the
fix_facls_non_standard_dir
branch
2 times, most recently
from
7f4fcde to
2094a5d
Compare
Makefile
Outdated
| chcon -R -t httpd_sys_rw_content_t $(CURDIR)/webapp/public/images; \ | ||
| chcon -t httpd_exec_t $(CURDIR)/lib/alert; \ | ||
| fi | ||
| while [ `pwd` != "/" ]; do \ |
There was a problem hiding this comment.
Is there a reason why we need to list contents up to the root? I'd assume only starting from the installation path should be enough. I would prefer not changing permissions on system-defined directories.
There was a problem hiding this comment.
Some programs are executed using the full absolute path. If any component of that path is not traversable (x permission) then it will fail.
But I do agree that we should be careful modifying stuff above the installation directory, so I'd say at least a warning if changing that would be in order.
There was a problem hiding this comment.
Is there a reason why we need to list contents up to the root? I'd assume only starting from the installation path should be enough. I would prefer not changing permissions on system-defined directories.
I needed it on my setup where o has no x bit set on any directory. We wouldn't touch system-defined directories.. we only add an additional ACL which allows the webserver to follow the path.
The main problem is that doing the su to the www-data to check if it has access is quite hard and might often not allowed. So we either need to make this explicit like we have here or would need to come up with a nice test which might do interactive things which is not allowed for that account.
There was a problem hiding this comment.
I'll take the setfacl out which goes out of the installation path. We can discuss it in another PR.
vmcj
force-pushed
the
fix_facls_non_standard_dir
branch
from
2094a5d to
5ef5b96
Compare
vmcj
force-pushed
the
fix_facls_non_standard_dir
branch
from
5ef5b96 to
827c453
Compare
5 participants
My current maintainer-install is on a very non standard location and didn't work. I think some of the ACLs were implied by standard FHS but it's better to make them explicit IMO.
I wonder why the
$(CURDIR)/etc/domserver-static.php"never broke as it's clearly needed but hasn't been allowed if I understand thegit logcorrectly.