The easiest way to manage this is with access control lists. They allow permissions to be set for as many users and groups as you want, not just one user and one group like the basic unix permissions.
ACLs need to be enabled on the filesystem. With ext[234] or reiserfs, you need to pass the acl mount option. Also make sure you have the ACL utilities installed (acl package on Debian or Ubuntu).
Set an ACL that allows both users to access the files, and set a matching default ACL on directories (the default ACL is inherited by files created in the directory).
setfacl -m user:www-data:rwx -m user:svnuser:rwx -R /path/to/directory/tree
setfacl -d -m user:www-data:rwx -m user:svnuser:rwx -R /path/to/directory/tree
You can set different permissions if you like. The executable bit will be ignored if the file is not made executable through the non-ACL permissions (the ones you set with chmod).
The commands given are for Linux. Many other unix variants support ACLs, but the exact set of available permissions and the utility to set them are not standardized.
You can use groups to control access if you want. Even if you do, ACLs have the advantage that you won't run into a umask issue: if you just create a group, you have to ensure that all files and directories are group-writable, which means you have to make sure any process creating a file has a umask of 002 or 007, which in turn may cause permissions elsewhere to be more liberal. So even if you create a group, ACLs are useful.
setfacl -m group:mygroup:rwx -R /path/to/directory/tree
setfacl -d -m group:mygroup:rwx -R /path/to/directory/tree
Note that I make no warranty as to the suitability of this security model to your use case. I'm just providing an implementation.
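An added example, not part of the original answer: a shell check that reads getfacl output and reports the effective rights of the www-data and svnuser entries in both the access and the default ACL. It generalizes the remark about the executable bit: a named entry is limited by the ACL mask, which is what chmod changes through the group bits. The function names and the sample getfacl output are constructed for illustration.

```shell
# Added example: effective rights of a named ACL entry are its perms ANDed
# with the mask of the same scope. Reads getfacl output on stdin and prints
# the result for ENTRY ($1) in SCOPE ($2: access|default), or "missing".
acl_effective() {
    awk -v want="$1" -v scope="$2" '
        /^#/ || /^$/ { next }
        {
            sub(/[ \t]*#.*/, "")              # strip "#effective:" note
            is_def = sub(/^default:/, "")
            if ((scope == "default") != is_def) next
            split($0, f, ":")                 # type:qualifier:perms
            if (f[1] == "mask") mask = f[3]
            if (f[1] ":" f[2] == want) perms = f[3]
        }
        END {
            if (perms == "") { print "missing"; exit }
            for (i = 1; i <= 3; i++) {
                p = substr(perms, i, 1)
                out = out ((p != "-" && p == substr(mask, i, 1)) ? p : "-")
            }
            print out
        }'
}
# Constructed sample: access mask shrunk by chmod g-w, svnuser not in default ACL.
sample_acl() {
    cat <<'EOF'
# file: path/to/directory/tree
user::rwx
user:www-data:rwx       #effective:r-x
user:svnuser:rwx        #effective:r-x
group::r-x
mask::r-x
other::---
default:user::rwx
default:user:www-data:rwx
default:group::r-x
default:mask::rwx
default:other::---
EOF
}
# List every expected entry whose effective rights are not rwx.
audit() {
    for entry in user:www-data user:svnuser; do
        for scope in access default; do
            eff=$(sample_acl | acl_effective "$entry" "$scope")
            [ "$eff" = "rwx" ] || echo "$entry ($scope): $eff"
        done
    done
}
audit
```

On a real tree, pipe the output of `getfacl /path/to/directory/tree` into `acl_effective` in place of `sample_acl`.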