Re: bindfs for web docroot - is this sane?

To: debian-user@lists.debian.org
Subject: Re: bindfs for web docroot - is this sane?
From: Richard Hector <richard@walnut.gen.nz>
Date: Wed, 12 Oct 2022 15:55:03 +1300
Message-id: <[🔎] a5476eac-46e8-6236-4201-714a03e545be@walnut.gen.nz>
In-reply-to: <[🔎] efd474e26a7b514053417230c88a196a@der-he.de>
References: <[🔎] 67f2628c-a092-a03b-6912-77ef21dc78a9@walnut.gen.nz> <[🔎] efd474e26a7b514053417230c88a196a@der-he.de>

On 11/10/22 22:40, hede wrote:

On 11.10.2022 10:03 Richard Hector wrote:

[...]
Then for site developers (who might be contractors to my client) to be
able to update teh site, they need read/write access to the docroot,
but I don't want them all logging in using the same
account/credentials.
[...]
Does that sound like a sane plan? Are there gotchas I haven't spotted?


I think I'm not able to assess the bind-mount question, but...

Isn't that a use case for ACLs? (incl. default ACLs for the webserversuser here?)

Yes, probably. However, I looked at ACLs earlier (months ago at least),and they did my head in ...

Files will then still be owned by the user who created them. But yourdefault-user has all (predefined) rights on them.

Having them owned by the user that created them is good foraccountability, but bad for glancing at ls output to see if everythinglooks right.

I'd probably prefer that because - by instinct - I have a bad feelingregarding security if one user can slip/foist(?) a file to be "created"by some other user. But that's only a feeling without knowing all thecircumstances.

They can only have it owned by one specific user, but I acknowledgepossible issues there.

And this way it's always clear which users have access by looking at theACLs while elsewhere defined bind mount commands are (maybe) lesstransparent. And you always knows who created them, if something goeswrong, for example.

Nothing is clear to me when I look at ACLs :-) I do have the output of'last' (for a while) to see who is likely to have created them.

On the other hand, if you know of a good resource for betterunderstanding ACLs, preferably with examples that are similar to my usecase, I'd love to see it :-)

?) I'm not native English and slip or foist are maybe the wrong terms /wrongly translated. The context is that one user creates files and thesystem marks them as "created by" some other user.

Seem fine to me :-) But they're owned by the other user; I wouldn'tassume that that user created them. Especially when that user isn'tdirectly a person.


Thanks,
Richard

Reply to:

Follow-Ups:
- Re: bindfs for web docroot - is this sane?
  - From: <tomas@tuxteam.de>

References:
- bindfs for web docroot - is this sane?
  - From: Richard Hector <richard@walnut.gen.nz>
- Re: bindfs for web docroot - is this sane?
  - From: hede <debian452@der-he.de>

Prev by Date: debugging apt-get
Next by Date: Re: bindfs for web docroot - is this sane?
Previous by thread: Re: bindfs for web docroot - is this sane?
Next by thread: Re: bindfs for web docroot - is this sane?
Index(es):
- Date
- Thread