Permissions and File Ownership
This page documents file and directory ownership and permissions for the TWiki installation on this server. Relevant only to those ServerPeople with SSH access.
See also: TWikiMods, TWikiFiles
Permission Modes
Files intended to be writable by TWiki generally have www-data:www-data ownership with ug=rw permissions. If the files are intended for public consumption (directly by Apache, or through a CGI script), they also have o=rX permission. Some files are not intended for public consumption (scratch files, the TWiki password database, etc.), and so have no permission granted to others (and are excluded from nominally served paths in Apache).
Files intended to be readable by TWiki and/or the public, but which do not need to be writable by TWiki, are owned by root or a TWiki admin, with group ownership of gnhlugweb, and permissions like ug=rwX,g+s,o=rX. Thus, even if the Apache and/or TWiki process/user is compromised, the attacker will not be able to tamper with these files without additional exploitation. The group write and sticky bit allow any admin in the gnhlugweb group to work on these files.
See TWikiFiles for the permissions applied to specific directories and files.
Process Ownership
The web server (Apache) runs as user www-data and group www-data. The CGI scripts that make up the entry points into TWiki are also run as this user/group.
There is a group gnhlugweb which is not used by Apache. It is, in fact, used to grant admins the permissions to modify things, without granting Apache any write permission to any of it.
There is a user and group pair gnhlugtwiki which is not currently used for anything. It was part of a failed attempt to have TWiki run as a separate user. It may be resurrected some day.
File User-Ownership
TWiki file user-ownership has the following implications:
| root | Distributed with stock TWiki, unchanged, no write by TWiki |
| admins | Modified locally, no write by TWiki |
| www-data | Created/maintained by TWiki scripts |
In the above, admins means "any local TWiki admin". Currently, that is just BenScott, but hopefully it will be more people some day.
File Group-Ownership
TWiki file group-ownership has the following implications:
| gnhlugweb | Modifiable by local admins, no write by TWiki |
| www-data | Created/maintained by TWiki scripts |
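To make the permission modes and the ownership tables above concrete, here is an added shell example; it is not from the original page or from the TWiki project. It applies the two modes described under Permission Modes (ug=rw,o=rX for TWiki-writable files, ug=rwX,g+s,o=rX for admin-maintained files) to a constructed sample tree, then audits the tree for world-writable entries and counts entries per owning user, which is the check behind the user-ownership table. The lib/ and data/ layout is an assumption, GNU coreutils (stat -c) is assumed, and the chown steps are omitted because they need root; only modes are set. The s in g+s is the set-group-ID bit, which on a directory makes new entries inherit its group.

```shell
#!/bin/sh
# Added example, not part of the original TWiki page: apply the page's two
# permission modes to a constructed sample tree and audit the result.
# Assumes GNU coreutils (stat -c). Ownership changes (chown to root/admins
# or www-data) need root and are left out; only modes are set here.

# Admin-maintained files: the gnhlugweb group may write, TWiki may not.
# g+s is the set-group-ID bit (new entries in a directory inherit its
# group); X grants search/execute only on directories or on files that
# already have execute set.
ADMIN_MODE='ug=rwX,g+s,o=rX'
# Files TWiki itself writes: owner and group read/write, others read.
TWIKI_WRITABLE_MODE='ug=rw,o=rX'

# Octal mode of a path, e.g. 2775 for a setgid rwxrwsr-x directory.
octal_mode() {
    stat -c '%a' "$1"
}

# Build a constructed sample tree under $1 (hypothetical layout) and apply
# the modes: lib/ stands for admin-owned code, data/ for TWiki topic data.
setup_sample_tree() {
    root="$1"
    # Predictable directory defaults regardless of the caller's umask.
    umask 022
    mkdir -p "$root/lib" "$root/data"
    printf 'admin-maintained code\n' > "$root/lib/TWiki.pm"
    printf 'topic text\n' > "$root/data/WebHome.txt"
    # -R is safe here because X keeps search permission on directories.
    chmod -R "$ADMIN_MODE" "$root/lib"
    # Regular files only: ug=rw would strip search permission from a
    # directory, so the data directory keeps its default mode.
    find "$root/data" -type f -exec chmod "$TWIKI_WRITABLE_MODE" {} +
}

# Count entries under $1 that others can write; the page grants others
# at most o=rX, so this should always be 0.
count_world_writable() {
    find "$1" -perm -o+w | wc -l | tr -d ' '
}

# Count entries under $1 owned by user $2. Uses stat rather than
# find -user so an unknown user name does not abort the audit.
count_owned_by_user() {
    find "$1" -exec stat -c '%U' {} + | grep -c -x "$2" || true
}

# Stand-alone demonstration: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    setup_sample_tree "$tmp"
    echo "lib:              $(octal_mode "$tmp/lib")"
    echo "lib/TWiki.pm:     $(octal_mode "$tmp/lib/TWiki.pm")"
    echo "data/WebHome.txt: $(octal_mode "$tmp/data/WebHome.txt")"
    echo "world-writable entries: $(count_world_writable "$tmp")"
    echo "entries owned by $(id -un) under lib: $(count_owned_by_user "$tmp/lib" "$(id -un)")"
    rm -rf "$tmp"
fi
```

On a real installation the same two audit functions would be pointed at the TWiki tree with www-data as the user argument: anything under the root/admin-owned paths that www-data owns, or that others can write, contradicts the tables above and is worth investigating.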