(2025-03-10, BenScott)
---+ Permissions and File Ownership

This page documents file and directory ownership and permissions for the TWiki installation on this server. Relevant only to those Org.ServerPeople with SSH access.

See also: TWikiMods, TWikiFiles

---++ Permission Modes

Files intended to be writable by TWiki generally have ownership =www-data:www-data= with =ug=rw= permissions. If the files are intended for public consumption (directly via Apache, or through a CGI script), they also have =o=rX= permission. Some TWiki files are not intended for public consumption (scratch files, TWiki password database, etc.), and so have no permission granted to others (and are excluded from paths nominally served in Apache).

Files intended to be readable by TWiki and/or the public, but which do *not* need to be *writable* by TWiki, are owned by =root= or a TWiki admin, with group ownership of =gnhlugweb=, and permissions like =ug=rwX,g+s,o=rX=. Thus, even if the Apache and/or TWiki process/user is compromised, the attacker will not be able to tamper with these files without additional exploitation. The group write permission and the setgid bit (=g+s=) allow any admin in the =gnhlugweb= group to work on these files: on directories, setgid makes newly created files inherit the =gnhlugweb= group.

See TWikiFiles for the permissions applied to specific directories and files.

---++ Process Ownership

The web server (Apache) runs as user =www-data= and group =www-data=. The CGI scripts that make up the entry points into TWiki are also run as this user/group.

There is a group =gnhlugweb= which is not used by Apache. It is, in fact, used to grant admins the permissions to modify things, without granting Apache any write permission to any of it.

There is a user and group pair =gnhlugtwiki= which is not currently used for anything. It was part of a failed attempt to have TWiki run as a separate user. It may be resurrected some day.

---++ File User-Ownership

TWiki file user-ownership has the following implications:

| =root= | Distributed with stock TWiki, unchanged, no write by TWiki |
| _admins_ | Modified locally, no write by TWiki |
| =www-data= | Created/maintained by TWiki scripts |

In the above, _admins_ means "any local TWiki admin". Currently, that is just BenScott, but hopefully it will be more people some day.

---++ File Group-Ownership

TWiki file group-ownership has the following implications:

| =gnhlugweb= | Modifiable by local admins, no write by TWiki |
| =www-data= | Created/maintained by TWiki scripts |
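
The ownership and mode rules above can be checked mechanically after an upgrade or a manual edit. The following Python script is an added example, not part of this installation or of TWiki; the helper names =check= and =audit=, and the rule that every entry must belong to one of the two groups in the tables, are assumptions made for the example.

```python
import os, stat, pwd, grp

TWIKI = "www-data"        # user and group Apache/TWiki runs as (from this page)
ADMINS = "gnhlugweb"      # admin-only group (from this page)

def check(owner, group, mode):
    """Return the policy violations for one entry (hypothetical helper)."""
    problems = []
    perms = stat.S_IMODE(mode)
    if perms & stat.S_IWOTH:
        problems.append("world-writable")
    if group == ADMINS:
        # Protected content: www-data must have no write path to it.
        if owner == TWIKI:
            problems.append("protected entry owned by www-data")
        if stat.S_ISDIR(mode) and not perms & stat.S_ISGID:
            problems.append("directory missing setgid (g+s)")
    elif group == TWIKI:
        # TWiki-maintained content is expected to be www-data:www-data.
        if owner != TWIKI:
            problems.append("group www-data but owner is not www-data")
    else:
        problems.append("unexpected group " + group)
    return problems

def _name(lookup, ident):
    """Resolve a uid/gid to a name, falling back to the number."""
    try:
        return lookup(ident)[0]
    except KeyError:
        return str(ident)

def audit(root):
    """Walk root and return {path: [violations]} for non-compliant entries."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes are not meaningful on Linux
            problems = check(_name(pwd.getpwuid, st.st_uid),
                             _name(grp.getgrgid, st.st_gid), st.st_mode)
            if problems:
                findings[path] = problems
    return findings

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, problems in sorted(audit(root).items()):
        print(path, "; ".join(problems))
```

Run it with the TWiki installation directory as the only argument; each line of output is a path followed by the rules it breaks.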
Topic revision: r4 - 2025-03-10 - BenScott