Le mardi 09 mars 2010, Tanguy Ortolo a écrit : > I suggest to explicitely cover the following cases for both filesystem > paths and permissions: > * application content (e.g. application code); > * administrator provided application content (e.g. plugins or > extensions); > * user uploaded content (e.g. wiki pages); > * application configuration. To describe my suggestion with more details: arch-indep app content /usr/share/PACKAGE 0755 root:root arch-dep app content /usr/lib/cgi-bin/PACKAGE 0755 root:root admin-provided app content /var/lib/PACKAGE/[plugins] 0755 root:root admin-uploaded app content /var/lib/PACKAGE/[plugins] 0775 root:www-data user-uploaded content /var/lib/PACKAGE/[userdata] 0755 www-data:root persistent app data /var/lib/PACKAGE/[appdata] 0755 www-data:root cached app data /var/cache/PACKAGE 0755 www-data:root configuration /etc/PACKAGE 0755 root:root web-modifiable configuration /etc/PACKAGE 0775 root:www-data Permissions being adapted for file – remove the x bit – and for sensitive data – remove rx bits from others –. For instance, a web-modifiable password file could be 0660 root:www-data, and the data directory of a wiki that supports access control could be 0770 www-data:root. -- Tanguy Ortolo
Attachment:
signature.asc
Description: Digital signature