It would be best practice to do this. Nate is working on packaging
(.deb) and our Anisble setup to accomplish this - getting these
permissions exactly correct I think will be a big part of that effort.

All of that said - if you were really going to pursue this but just
install and use the tool shed normally from the Galaxy webapp it seems
kind of a wasted effort. These dependencies would be installed as the
Galaxy user and run arbitrary code (from a sort of sys admin
perspective). So if I were going to go through this effort I would
probably try to setup a separate configuration and user for installing
things from the tool shed and disable the main Galaxy instance and
user from doing this. That would add considerably to this effort.

Anyway - it is a best practice so I don't mean to discourage it - but
realistically I don't think many Galaxy deployments have gone through
this effort.

-John




On Mon, Jul 20, 2015 at 1:37 PM, lejeczek <pelj...@yahoo.co.uk> wrote:
> hi everybody
>
> I'd like to ask if you think it's worthwhile is pursuing finely grained tree
> permissions? Would this improve security to leave out everything but only
> files/folders necessary for writing - to galaxy user what needs to write
> everything else root?
> Or just full perms to galaxy user on whole tree is the only way?
>
> many thanks.
>
> ___________________________________________________________
> Please keep all replies on the list by using "reply all"
> in your mail client.  To manage your subscriptions to this
> and other Galaxy lists, please use the interface at:
>  https://lists.galaxyproject.org/
>
> To search Galaxy mailing lists use the unified search at:
>  http://galaxyproject.org/search/mailinglists/
___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  https://lists.galaxyproject.org/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/

Reply via email to