Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

ACLs though powerful add additional complexity to the system and do have some limitations discussed further below. You will notice throughout the Bonsai Framework we use ACLs only when absolutely necessary.that I tried and then pretty much gave up on using ACLs. Instead, I am looking at application based virtualization solutions to segregate control.

Limitations

umask - ACLs are only applied generally only during create. More specifically, create(), mkdir(), mknod(), mkfifo(), or open(). Other operations will be limited by what the umask of the user performing the operation such as copy or move. (I need to go into more detail here but this is very very limiting and intuitively not the behaviour most people expect.

...

The scenario is we want to provide website hosting for two different clients, The Daily Planet and LexCorp. Employees from the respective companies will kept in the system under the following groups, wgdailyplanet and wglexcorp. The web server process also plays a factor and uses the group www-data.

User NameAssigned UserGroupWeb Root DirectoryFile AccessDirectory Access
dailyplanet01Clark Kentwgdailyplanet/opt/web/php/dailyplanet.com/Read, Write and ExecuteRead, Write and Execute
lexcorp01Lex Luthorwglexcorp/opt/web/php/lexcorp.com/Read, Write and ExecuteRead, Write and Execute
 Apache Serverwww-data/opt/web/php/dailyplanet.com/
/opt/web/php/lexcorp.com/
ReadRead and Execute (required to transverse directories)
 Staff Usersstaff

/opt/web/php/dailyplanet.com/
/opt/web/php/lexcorp.com/

ReadRead and Execute (required to transverse directories)
 Other  No AccessNo Access

We do not want employees from different companies access or even have awareness of each others web directory. At the same time, the Apache Server belonging to group www-data also needs access to all the directories. We also want to grant users of the staff group read access for support purposes. Finally, we want all subsequent directories and files under the respective Web Root Directories to inherit the same permissions.

...

Tip

Notice the base Unix permissions are more open than ideal. This is due to how masking works with ACLs.

DirectoryUnix Permissions for serveradmin:staffACL and ACL DefaultNotes
./web/rwXr-X--Xn/a

Don't need ACLs here. Use Unix permissions "drwxr-x--x   3 serveradmin staff".

./web/php/rwXr-X--Xn/aDon't need ACLs here. Use Unix permissions, "drwxr-x--x 4 serveradmin staff".
./web/php/tmp/rwXr-X---www-data:rwXIn a shared environment lock down. Consider ACLs to make it easy for staff to review.
,/web/php/logs/rwXr-X---www-data:rwXIn a shared environment lock down. Consider ACLs to make it easy for staff to review.
,/web/php/dailyplanet.com/rwXrwX---www-data:rX
wgdailyplanet:rwX 
 
,/web/php/dailyplanet.com/www/rwXrwX---www-data:rX
wgdailyplanet:rwX 
 
,/web/dailyplanet.com/blog/rwXr-X---www-data:rX
wgdailyplanet:rwX 
 
,/web/dailyplanet.com/blog/wp-content/rwXr-X---www-data:rwX
wgdailyplanet:rwX 
In order to install plugins, www-data needs write access.
./web/php/lexcorp.com/rwXr-X---www-data:rX
wglexcorp:rwX 
 
,/web/lexcorp.com/www/rwXr-X---www-data:rX
wglexcorp:rwX 
 
,/web/lexcorp.com/blog/rwXr-X---www-data:rX
wglexcorp:rwX 
 
,/web/lexcorp.com/blog/wp-content/rwXr-X---www-data:rwX
wglexcorp:rwX 
 

All directories will be owned by serveradmin:staff

...