BigBoy1337

Reputation: 5003

How can I change the permissions on my pyramid/python web apps directories?

Right now my web app has this file structure on my local machine

 env
    tutorial
        tutorial
            templates
                home.pt
            static
                pages
                    1.html
                    2.html
                    3.html
                     ....
            views.py
            __init__.py

The html files under the pages directory are generated by a form. I want to make this pages directory writable, so that users can add html files to it through the app, but make all other directories unwritable and only readable. I have been reading about chmod and it seems like something like

chmod a+x env/tutorial/tutorial/static/pages

would make that pages directory writable. But how can I make sure that it is only that directory is writable (all others are unwritable and read only)? Would it just be

chmod a-x env

Obviously I would execute this command first. Which directory should I be in when I execute it? And if I correctly do all this on my local machine, will I still be able to develop (add code, etc.) or should I wait until I am all finished? When I put the application on a web server will these permissions be carried over or will I have to do it again differently?

Upvotes: 1

Views: 242

Answers (2)

Sergey

Reputation: 12427

In a production environment, a web server usually runs as a non-privileged user, such as www-data or something. Such users usually have no login shell set and own no files on the filesystem, so if a flaw in your application allows an attacker to run arbitrary code on the machine they still can't modify any files.

So, in a production environment, the easiest way to ensure the web server user can not modify any files is to change the ownership of the files to some other user than your webserver's effective user. Your normal login user or root are good candidates:

chown -R bigboy:bigboy /opt/where/my/code/is

or

sudo chown -R root:root /opt/where/my/code/is

The normal umask setting will allow the web server to read the files but won't allow it to write anything. Perfect for a typical web application.

Consequently, to give the webserver write access to some directory, you can change the directory's ownership to the webserver's effective user:

sudo chown -R www-data /opt/where/my/static/directory/is

In a development environment, you usually run the pserve command as your normal login user, so it would be impractical to revoke read permission from your user, as you won't be able to edit any files. The easiest would be to add another user to the system, chown your static directory to that user, open a terminal shell as that user and run the server from there.

sudo chown -R testuser:testuser env/tutorial/tutorial/static/pages
sudo su testuser
env/bin/pserve ...

Alternatively, in a development environment, you can just continue to run everything as your normal login user because you're normally the only person who has access to the server anyway.

Upvotes: 2
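A way to see what the ownership scheme in this answer actually yields, as an added example that is not code from the answer, from Pyramid or from the question's project: it builds the question's tree in a scratch directory with the usual 755/644 checkout modes and reports which entries a given uid and group set could write, judged from `st_uid`/`st_gid`/`st_mode` the way the kernel's owner/group/other rule does (root and POSIX ACLs are deliberately out of scope). The www-data uid/gid of 33 is an assumption (Debian's value; check with `id www-data`). Because the answer's `chown -R www-data` needs root, the run uses the group route instead, assuming www-data has been added to the checkout's group with `usermod -aG`; the audit function itself reads real ownership, so it works unchanged on a tree set up with chown.

```python
import os
import shutil
import stat
import tempfile

# Assumed identity of the production web server account. www-data is uid and
# gid 33 on Debian-derived systems; check with `id www-data` on yours.
WEB_UID = 33
WEB_GID = 33


def writable_by(path, uid, gids):
    """Unix DAC rule for one entry: the owner test applies if the uid matches,
    else the group test if the gid is one of the identity's groups, else
    'other'. Ignores root (which bypasses all of this) and POSIX ACLs."""
    st = os.lstat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_tree(root, uid, gids):
    """Sorted ROOT-relative paths the identity may write. A writable
    directory is the important case: it allows creating, renaming and
    deleting entries even when every file inside is read-only."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if writable_by(full, uid, gids):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def build_sample_app(root):
    """Constructed sample tree matching the question's layout."""
    app = os.path.join(root, "env", "tutorial", "tutorial")
    os.makedirs(os.path.join(app, "templates"))
    os.makedirs(os.path.join(app, "static", "pages"))
    for rel in ("templates/home.pt", "views.py", "__init__.py",
                "static/pages/1.html"):
        open(os.path.join(app, rel), "w").close()
    for dirpath, _, filenames in os.walk(root):
        os.chmod(dirpath, 0o755)  # the usual checkout modes: dirs 755 ...
        for f in filenames:
            os.chmod(os.path.join(dirpath, f), 0o644)  # ... files 644
    return app


def demo():
    """Audit the sample tree from three viewpoints; returns the results."""
    root = tempfile.mkdtemp()
    try:
        app = build_sample_app(root)
        pages = os.path.join(app, "static", "pages")
        results = {}
        # Production as the answer describes it: everything owned by the
        # developer, served by www-data. With 755/644 the web server is
        # "other" everywhere and can write nothing.
        results["webserver_default"] = audit_tree(root, WEB_UID, {WEB_GID})
        # Giving the web server write access to pages only. The answer does
        # it with `chown -R www-data pages`, which needs root; the unprivileged
        # stand-in used here is the group route: make pages group-writable and
        # assume www-data was added to the tree's group (`usermod -aG`).
        os.chmod(pages, 0o775)
        web_groups = {WEB_GID, os.stat(pages).st_gid}
        results["webserver_pages_writable"] = audit_tree(root, WEB_UID, web_groups)
        # Development: pserve runs as your login user, who owns the checkout
        # and can therefore still edit every file.
        results["developer"] = audit_tree(root, os.geteuid(), {os.getegid()})
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for view, paths in demo().items():
        print(view, paths)
```

The audit reads mode bits rather than calling `test -w` or `os.access`, because those answer for the user running the check, not for the web server account. Ownership is not something a git checkout or a plain copy carries along, so the useful place to run this is on the server after deploying, with the real www-data uid and groups.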

Anew

Reputation: 5502

No,

chmod a+x env/tutorial/tutorial/static/pages

sets the execute bit on that directory. What you want is to set the write bit on that directory per the user (or possibly group) that rails will be running as. For the current user, do:

chmod +w env/tutorial/tutorial/static/pages

From the chmod manpage -- have a look at the symbolic mode table at the bottom (Mac OSX):

MODES
 Modes may be absolute or symbolic.  An absolute mode is an octal number constructed from the sum of one or more
 of the following values:

       4000    (the set-user-ID-on-execution bit) Executable files with this bit set will run with effective uid
               set to the uid of the file owner.  Directories with the set-user-id bit set will force all files
               and sub-directories created in them to be owned by the directory owner and not by the uid of the
               creating process, if the underlying file system supports this feature: see chmod(2) and the
               suiddir option to mount(8).
       2000    (the set-group-ID-on-execution bit) Executable files with this bit set will run with effective gid
               set to the gid of the file owner.
       1000    (the sticky bit) See chmod(2) and sticky(8).
       0400    Allow read by owner.
       0200    Allow write by owner.
       0100    For files, allow execution by owner.  For directories, allow the owner to search in the directory.
       0040    Allow read by group members.
       0020    Allow write by group members.
       0010    For files, allow execution by group members.  For directories, allow group members to search in
               the directory.
       0004    Allow read by others.
       0002    Allow write by others.
       0001    For files, allow execution by others.  For directories allow others to search in the directory.

 For example, the absolute mode that permits read, write and execute by the owner, read and execute by group members,
 read and execute by others, and no set-uid or set-gid behaviour is 755 (400+200+100+040+010+004+001).

 The symbolic mode is described by the following grammar:

       mode         ::= clause [, clause ...]
       clause       ::= [who ...] [action ...] action
       action       ::= op [perm ...]
       who          ::= a | u | g | o
       op           ::= + | - | =
       perm         ::= r | s | t | w | x | X | u | g | o

Upvotes: 1
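The grammar and bit table above can be exercised without touching a real directory. The following is an added example, not code from the answer, from chmod or from the question's project: a small interpreter for the symbolic and absolute modes quoted above. It follows the POSIX rules that a clause with no `who` leaves the bits set in the umask alone (the default of 022 is an assumption), that `X` grants execute only on directories or on files that already have some execute bit, and that `u`/`g`/`o` used as permissions copy that class's current bits. `=` clears only the rwx bits of the named classes, and the setuid/setgid/sticky bits change only when `s` or `t` is spelled out; that is a simplification of GNU chmod's exact handling of the special bits.

```python
import stat

# Where each class's rwx triad sits in the mode word, and its full mask.
CLASS_SHIFT = {"u": 6, "g": 3, "o": 0}
CLASS_MASK = {"u": stat.S_IRWXU, "g": stat.S_IRWXG, "o": stat.S_IRWXO}


def _split_clause(clause):
    """'go-w' -> ('go', [('-', 'w')]); '+rX' -> ('', [('+', 'rX')]);
    'u=rw' -> ('u', [('=', 'rw')]). Mirrors the grammar quoted above."""
    i = 0
    while i < len(clause) and clause[i] in "ugoa":
        i += 1
    who, rest = clause[:i], clause[i:]
    if not rest or rest[0] not in "+-=":
        raise ValueError("bad symbolic mode clause: %r" % clause)
    actions = []
    while rest:
        op = rest[0]
        j = 1
        while j < len(rest) and rest[j] not in "+-=":
            j += 1
        actions.append((op, rest[1:j]))
        rest = rest[j:]
    return who, actions


def _triad(perms, mode, is_dir):
    """Reduce a perm string to a 3-bit rwx pattern for one class."""
    t = 0
    for p in perms:
        if p == "r":
            t |= 4
        elif p == "w":
            t |= 2
        elif p == "x":
            t |= 1
        elif p == "X":           # execute only where it already makes sense
            if is_dir or mode & 0o111:
                t |= 1
        elif p in CLASS_SHIFT:   # u/g/o as a perm: copy that class's bits
            t |= (mode >> CLASS_SHIFT[p]) & 7
        elif p not in "st":      # s and t are handled by the caller
            raise ValueError("unknown permission %r" % p)
    return t


def apply_mode(mode, spec, is_dir=False, umask=0o022):
    """Return the mode `chmod SPEC` would leave on an entry currently at MODE."""
    if spec.isdigit():                        # absolute octal, e.g. "755"
        return int(spec, 8) & 0o7777
    for clause in spec.split(","):
        who, actions = _split_clause(clause)
        classes = who.replace("a", "ugo") if who else "ugo"
        for op, perms in actions:
            triad = _triad(perms, mode, is_dir)
            bits = 0
            for c in set(classes):
                bits |= triad << CLASS_SHIFT[c]
            if not who:
                bits &= ~umask    # no who given: the umask's bits are left alone
            special = 0
            if "s" in perms:
                if "u" in classes:
                    special |= stat.S_ISUID
                if "g" in classes:
                    special |= stat.S_ISGID
            if "t" in perms:
                special |= stat.S_ISVTX
            if op == "+":
                mode |= bits | special
            elif op == "-":
                mode &= ~(bits | special)
            else:                 # "=": replace the rwx bits of those classes
                clear = 0
                for c in set(classes):
                    clear |= CLASS_MASK[c]
                mode = (mode & ~clear) | bits | special
    return mode


def show(mode):
    """Render like ls: 'rwxr-xr-x' (type column omitted)."""
    return stat.filemode(mode)[1:]


if __name__ == "__main__":
    for start, spec in ((0o755, "a+x"), (0o755, "+w"), (0o755, "a-x")):
        print("%s %-4s -> %s" % (show(start), spec, show(apply_mode(start, spec, is_dir=True))))
```

Run against the commands in this thread it confirms the point of the answer: `a+x` on a 755 directory changes nothing, `+w` under the default umask only touches the owner's write bit (555 becomes 755, 755 stays 755), and `a-x` on a directory removes search permission for every class, so the question's `chmod a-x env` would lock the developer out of the tree as well.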
