From 4970bff75aafb11254bd1fe9c352d8b35a9ecfb3 Mon Sep 17 00:00:00 2001
From: Michael Vasseur <14887731+vmcj@users.noreply.github.com>
Date: Sun, 21 Sep 2025 11:54:36 +0200
Subject: [PATCH] Allow www-data to store the files from import-contest
We set the mask explicit to the most loose configuration to prevent the ACL effectively allowing less than configured.
---
 Makefile | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index ab52706a3f..d6c99df521 100644
--- a/Makefile
+++ b/Makefile
@@ -256,8 +256,17 @@ inplace-install-l:
 @echo " setfacl -R -m u:$(WEBSERVER_GROUP):rx $(CURDIR)/webapp"
 @echo " setfacl -R -m d:u:$(WEBSERVER_GROUP):rwx $(CURDIR)/webapp/var"
 @echo " setfacl -R -m u:$(WEBSERVER_GROUP):rwx $(CURDIR)/webapp/var"
- @echo " setfacl -R -m d:m::rwx $(CURDIR)/webapp/var"
- @echo " setfacl -R -m m::rwx $(CURDIR)/webapp/var"
+ @echo " setfacl -R -m d:u:$(WEBSERVER_GROUP):rwx $(CURDIR)/webapp/public/images/countries"
+ @echo " setfacl -R -m u:$(WEBSERVER_GROUP):rwx $(CURDIR)/webapp/public/images/countries"
+ @echo " setfacl -R -m d:u:$(WEBSERVER_GROUP):rwx $(CURDIR)/webapp/public/images/teams"
+ @echo " setfacl -R -m u:$(WEBSERVER_GROUP):rwx $(CURDIR)/webapp/public/images/teams"
+ @echo " setfacl -R -m d:u:$(WEBSERVER_GROUP):rwx $(CURDIR)/webapp/public/images/banners"
+ @echo " setfacl -R -m u:$(WEBSERVER_GROUP):rwx $(CURDIR)/webapp/public/images/banners"
+ @echo " setfacl -R -m d:u:$(WEBSERVER_GROUP):rwx $(CURDIR)/webapp/public/images/affiliations"
+ @echo " setfacl -R -m u:$(WEBSERVER_GROUP):rwx $(CURDIR)/webapp/public/images/affiliations"
+ @echo " setfacl -R -m d:m::rwx $(CURDIR)/webapp/var"
+ @echo " setfacl -R -m m::rwx $(CURDIR)/webapp/var"
+ @echo " setfacl -R -m mask::rwx $(CURDIR)"
 @echo " # Also make sure you keep access"
 @echo " setfacl -R -m d:u:$(DOMJUDGE_USER):rwx $(CURDIR)/webapp/var"
 @echo " setfacl -R -m u:$(DOMJUDGE_USER):rwx $(CURDIR)/webapp/var"
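Review bot: The last added line, `setfacl -R -m mask::rwx $(CURDIR)`, widens the ACL mask across the whole checkout rather than only the directories this commit opens up, and the `inplace-postinstall-permissions` hunk actually executes the same command. The mask caps every named-user, named-group and owning-group entry, so any entry under `$(CURDIR)` that a tighter mask was limiting becomes fully effective, including under `$(CURDIR)/etc`, which the other hunk's recipe labels `httpd_config_t`. Scoping the mask to the new directories keeps the fix and the least-privilege intent: `setfacl -R -m m::rwx $(addprefix $(CURDIR)/webapp/public/images/,countries teams banners affiliations)`. A one-line comment above it saying why the mask is set explicitly would preserve the reasoning that is currently only in the commit message. The body of `inplace-install-l` starts and ends outside the hunk.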
@@ -285,10 +294,19 @@ inplace-postinstall-permissions:
 setfacl -R -m u:$(WEBSERVER_GROUP):rx $(CURDIR)/webapp
 setfacl -R -m d:u:$(WEBSERVER_GROUP):rwx $(CURDIR)/webapp/var
 setfacl -R -m u:$(WEBSERVER_GROUP):rwx $(CURDIR)/webapp/var
+ setfacl -R -m d:u:$(WEBSERVER_GROUP):rwx $(CURDIR)/webapp/public/images/countries
+ setfacl -R -m u:$(WEBSERVER_GROUP):rwx $(CURDIR)/webapp/public/images/countries
+ setfacl -R -m d:u:$(WEBSERVER_GROUP):rwx $(CURDIR)/webapp/public/images/teams
+ setfacl -R -m u:$(WEBSERVER_GROUP):rwx $(CURDIR)/webapp/public/images/teams
+ setfacl -R -m d:u:$(WEBSERVER_GROUP):rwx $(CURDIR)/webapp/public/images/banners
+ setfacl -R -m u:$(WEBSERVER_GROUP):rwx $(CURDIR)/webapp/public/images/banners
+ setfacl -R -m d:u:$(WEBSERVER_GROUP):rwx $(CURDIR)/webapp/public/images/affiliations
+ setfacl -R -m u:$(WEBSERVER_GROUP):rwx $(CURDIR)/webapp/public/images/affiliations
 setfacl -R -m d:u:$(DOMJUDGE_USER):rwx $(CURDIR)/webapp/var
 setfacl -R -m u:$(DOMJUDGE_USER):rwx $(CURDIR)/webapp/var
 setfacl -R -m d:m::rwx $(CURDIR)/webapp/var
 setfacl -R -m m::rwx $(CURDIR)/webapp/var
+ setfacl -R -m mask::rwx $(CURDIR)
 if command -v sestatus >/dev/null 2>&1; then \
 chcon -R -t httpd_sys_content_t $(CURDIR)/webapp; \
 chcon -R -t httpd_config_t $(CURDIR)/etc; \
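Review bot: The added `u:$(WEBSERVER_GROUP):rwx` grants are recursive, so every existing regular file in the four image directories gains execute for the web server, not only the directories; the echoed copies in `inplace-install-l` have the same form. For the non-default entries, `rwX` sets execute only on directories and on files that already carry an execute bit, e.g. `setfacl -R -m u:$(WEBSERVER_GROUP):rwX $(CURDIR)/webapp/public/images/teams`. These paths sit under `webapp/public`, which is presumably served directly, so the web server can now write to locations it also serves. A comment above the block stating that only imported images belong there, and that the server must not run handlers on that content, would document the assumption behind the grant. The recipe's `if` block continues past the end of the hunk.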