hi,

On Tue, Mar 02, 2010 at 10:54:33AM +0100, Tanguy Ortolo wrote:
> This webapp stores dynamic data – possibly private – on the file system.
> I could not find this case on the webapp draft manual (to be added?),
> but this directory is currently
>     www-data:root 0700 /var/lib/dokuwiki/data
>
> It also includes a page for plugin management, that allows to add
> components to the webapp. I think this can be considered as dynamic
> data:
>     www-data:root 0755 /var/lib/dokuwiki/plugins
>
> Finally, it also includes a web page for configuration management. This
> case is documented in the draft manual:
>     root:www-data 0664 /etc/dokuwiki/local.php

i think that all seems pretty reasonable.

> However, giving write access to the configuration, and specially to the
> plugins – that modify the application behaviour –, seems quite sensitive
> to me. In addition, the webapp is still usable and manually manageable
> without such rights. So I am thinking about using debconf to ask the
> user whether he wants to allow it. For the configuration, it results in
> a chown/chmod in the postinst. For the plugins, I think it requires a
> dpkg-statoverride. Do you know examples of such uses?

i think it's a good idea. i have some vague memory that there's another
package in the archive that does something with a script to go back and
forth between "editing" and "not editing" modes.

i also suspect you can avoid needing to use dpkg-statoverride, if you're
only talking about conffiles since their permissions are automatically
preserved across updates.

	sean
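Added example, not part of the original message or of the dokuwiki package: a sketch of the "editing" / "not editing" toggle discussed above, using plain chown/chmod for the file under /etc and dpkg-statoverride for the plugins directory. The paths and the "editing" owners and modes are the ones quoted in the thread; the "locked" values and the function names `perm_plan` and `apply_plan` are assumptions.

```shell
#!/bin/sh
# Toggle web-server write access to DokuWiki's config and plugins.
# "editing" values are quoted from the thread; "locked" values are assumed.

CONF=/etc/dokuwiki/local.php
PLUGINS=/var/lib/dokuwiki/plugins

# Print one "owner group mode path" line per managed path.
perm_plan() {
    case "$1" in
        editing)
            echo "root www-data 0664 $CONF"
            echo "www-data root 0755 $PLUGINS"
            ;;
        locked)
            # Assumption: www-data may read the config but write nothing.
            echo "root www-data 0640 $CONF"
            echo "root root 0755 $PLUGINS"
            ;;
        *)
            echo "usage: perm_plan editing|locked" >&2
            return 2
            ;;
    esac
}

# Apply the plan; must run as root (for example from postinst, after
# reading the administrator's debconf answer).
apply_plan() {
    plan=$(perm_plan "$1") || return 2
    printf '%s\n' "$plan" | while read -r owner group mode path; do
        if [ "$path" = "$CONF" ]; then
            # File under /etc: the reply suggests a plain chown/chmod is
            # enough, since conffile permissions survive updates.
            chown "$owner:$group" "$path" || exit 1
            chmod "$mode" "$path" || exit 1
        else
            # Package-shipped directory: record an override so dpkg does
            # not reset ownership on upgrade. Replace any existing entry.
            if dpkg-statoverride --list "$path" >/dev/null 2>&1; then
                dpkg-statoverride --remove "$path" || exit 1
            fi
            dpkg-statoverride --update --add \
                "$owner" "$group" "$mode" "$path" || exit 1
        fi
    done
}
```

Run `perm_plan locked` first to review what would change, then `apply_plan locked` as root.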