Comments (4)
In my experience with typical Linux/OSX/Solaris systems, it should be acceptable for an unprivileged Unix user to run `chmod 1777 {DIR}` as long as they own `{DIR}`.
If that's not working, then probably something else in the build process is running as a different user. (Example: maybe someone ran `git clone` or `git checkout` as `root` when it should have run as the unprivileged user.) This type of interaction is problematic with any permission strategy (`chmod 1777` or `setfacl` or none).
I think it's better policy to avoid `sudo` if we can -- so that the user remains truly unprivileged. (AFAIK, granting permission to directly run `sudo chmod 1777` essentially lets the user own the entire system.)
Suggestions:
- Make sure that the folders are getting initialized with the intended, unprivileged user.
- Do consider `linuxAcl` or `osxAcl` if at all possible. I've never seen a world-writeable policy that actually works well.
- If you really do need to use a sudo-world-writeable policy, try `amp config:set --perm_type=custom --perm_custom_command='sudo chmod 1777 {DIR}'`
Thanks, I understand your point and must have botched something in the process.
Rather than worldWritable I am trying to implement a policy that uses the owner set to the current user and the group set to apache. This way I can remove the 'other' permissions and have something slightly more secure. Will report when completed.
Ah, nice idea. If you can get it to work, then it could be more reliable than 'worldWriteable' and more portable than `linuxAcl` or `osxAcl`. OTOH, there may be external fiddly bits (like `umask`) to deal with. For purposes of a Vagrantbox (where it uses a special filesystem and where you can edit the provisioning scripts), it could work well (even if it's just `--perm_type=custom --perm_custom_command="chgrp ... {DIR}; chown ... {DIR}"`).
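An added example, not part of the thread and not amp's own code: one way to apply the owner-plus-web-server-group policy discussed above to a single directory, with a check for the umask issue mentioned. The function names, the script name and the idea of invoking it through `--perm_custom_command` with `{DIR}` are assumptions.

```shell
#!/bin/sh
# Added example, not amp's code. Policy: owner = current user, group = web
# server group, nothing for "other". Group names used here are assumptions.

# apply_group_policy DIR GROUP
# Succeeds without sudo only if the caller owns DIR and is a member of GROUP.
apply_group_policy() {
    dir=$1
    group=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    # If git clone/checkout ran as root, this ownership check is what fails.
    [ -O "$dir" ] || { echo "$dir is not owned by $(id -un)" >&2; return 1; }
    chgrp "$group" "$dir" || return 1
    # 2770: rwx for owner and group, none for other; the setgid bit makes
    # entries created inside inherit GROUP rather than the creator's group.
    chmod 2770 "$dir"
}

# dir_mode DIR: print the octal mode including the setgid digit.
dir_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Mp%Lp' "$1"  # GNU, then BSD/macOS
}

# group_write_masked: true when the current umask removes g+w from new files
# (e.g. 022), so the web server group could read but not modify them.
group_write_masked() {
    [ $(( 0$(umask) & 020 )) -ne 0 ]
}

# Direct use: sh group-policy.sh /path/to/dir GROUP
if [ "$#" -eq 2 ]; then
    apply_group_policy "$1" "$2" || exit 1
    echo "$1 mode: $(dir_mode "$1")"
    if group_write_masked; then
        echo "warning: umask $(umask) strips group write from new files" >&2
    fi
fi
```

The setgid bit only fixes group ownership of new files; their group-write bit still depends on the umask of whichever process creates them, which is what `group_write_masked` reports.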
That's what I thought. I'll give it a try and report back - probably next week-end as I am slammed this week.
------ Original Message ------
From: "Tim Otten" [email protected]
To: "amp-cli/amp" [email protected]
Cc: "nganivet" [email protected]; "State change" [email protected]
Sent: 8/29/2016 5:45:04 PM
Subject: Re: [amp-cli/amp] permissions: worldWritable not working for unprivileged users (#44)