On Mon January 16 2012, Tim Watts wrote:
> On 16/01/12 18:53, Michael S. Zick wrote:
> > On Mon January 16 2012, Tim Watts wrote:
> 
> 
> > The easy answer:
> > Change the file permissions of the files in the (RO) branch.
> >
> 
> Hi Mike,
> 
> Ok, thanks - I guessed that would work...
> 
> I was trying to avoid giving the web server unnecessary permissions, but 
> I guess I could whack an immutable bit on the files instead.
> 

???

Say the web server was running as: www-data:www-data
Add group webdev
Add name image
chown the photos as: image:webdev
Use group 'webdev' __only__ on the images you protect.
Add username: www-data to the group webdev.

On the directories and files in the image tree, give
the group permission of 'write'.

As long as none of your users or applications are
also a member of the group: 'webdev' or happen to
have the user name 'image', it doesn't matter
where else the files appear.
Those will be controlled by the permissions given
to the 'other' field (probably r only for files, xr
for directories).

A *nix 'group' is a multi-entry item, not a single
item like a *nix 'name'.

Mike
> I assume AUFS will not "notice" the immutable bit?
> 
> 
> It is just that the webserver has *potential* access to the branches 
> under AUFS (they are NFS exported everywhere) and I'd like to protect 
> the RO branch against, say, the webserver getting hacked.
> 
> 
> Cheers :)
> 
> Tim
> 
> 
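
A check for the ownership scheme Mike describes above (group 'webdev' with write on the image tree, 'other' limited to read), added here as an example and not part of the original thread. The function name `audit_tree` and the report labels are hypothetical; the group is passed in by name or numeric ID.

```shell
#!/bin/sh
# Added example (not from the thread): audit an image tree against the
# scheme "owner image, group webdev with write, 'other' read-only".
# Usage: audit_tree DIR GROUP   (GROUP may be a name or a numeric gid)
# Prints one line per finding; returns 0 when the tree is clean, 1 otherwise.
audit_tree() {
    dir=$1
    group=$2
    findings=$(
        # Write permission for 'other' lets any account change the
        # files, so the dedicated group no longer controls access.
        find "$dir" \( -type f -o -type d \) -perm -0002 \
            -exec printf 'other-writable: %s\n' {} \;
        # The scheme relies on the group write bit for members of GROUP.
        find "$dir" \( -type f -o -type d \) ! -perm -0020 \
            -exec printf 'not-group-writable: %s\n' {} \;
        # Entries left in another group are not covered by the scheme.
        find "$dir" \( -type f -o -type d \) ! -group "$group" \
            -exec printf 'wrong-group: %s\n' {} \;
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Run directly as: sh audit.sh /path/to/images webdev
if [ $# -ge 2 ]; then
    audit_tree "$1" "$2"
fi
```
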


