0

I would like to allow a set of students to access a shared web-server. Students work in groups, and each group's home directory contains a www folder that should be accessible to the shared instance of apache2. For example, if Bob and John are part of group MyPetShop, you would have user john in the john students mypetshop groups. I do not want to grant www-data membership to students, to avoid them messing up other people's pages directly*.

And their home directy would be at /home/students/mypetshop, with /home/students/mypetshop/www being read/write for user www-data. I can achieve this either using

  • a sticky group of www-data for these folders (so that their permissions would be drwxrwsrwx john www-data). This has the problem of john using the wrong permissions for his files, so that bob or www-data cannot access them; or www-data creating files that john and bob can only touch once they fiddle around with permissions for a while.
  • standard group ownership (mypetshop), and an ACL that would allow www-data access to these folders (via setfacl -m d:g:www-data:rwx www).

Would ACLs work here as intended? Are default ACLs automatically inherited in subfolders, or is there some much easier way to set this up that I am missing?.

(*) yes, this is not fool-proof, as they could write www-data-executed phps to do that for them...

Improve this question

1 Answer 1

Reset to default
1

I have implemented the ACL version, and it works like a charm. Students cannot mess up their group permissions using standard SSH/SFTP clients (which are not ACL-aware). Definitely recommended for a shared-hosting, not-very-high-security setup.

The sequence is:

  1. Add the ACL tools setfacl and getfacl (debian/ubuntu package acl)
  2. Add the acl option to the relevant filesystem in your /etc/fstab (filesystems without this mount-option silently ignore any ACLs; this is confusing at best).
  3. Use setfacl to allow user www-data directory traversal access to all /home/stucents/*/www folders
  4. Use setfacl to allow, within each www folder, default (= sticky) read-write-execute access for members of the relevant group, and user www-data

Any file or folder created in a folder with a default ACL will inherit the ACL.

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .