acl sticky bit

Stuart Jansen sjansen at buscaluz.org
Wed Jan 7 12:54:34 MST 2009


On Wed, 2009-01-07 at 12:37 -0700, Kyle Waters wrote:
> I have a web application that I want to restrict access to on the 
> server.  There are a couple of devs that need to have write access and 
> we have an already established group for that.  So all the files belong 
> to that group and the sticky bit is set.  I removed all access to the 
> files by world and then set an acl to allow apache to read the file.  
> The problem is that a lot of text editors copy the old file as a backup 
> and then write out the file as new when they save.  That means I lose 
> all of my acls since the sticky bit doesn't apply.  I know I can add 
> apache to the group, but that weakens security.  Is there a better 
> solution that I'm not aware of (besides switching text editors)?

Step one: File a bug report. Every decent text editor should know how to
preserve all Unix permissions, ACLs and extended attributes (think:
SELinux).

Just to be clear, when you say sticky bit, you mean "chmod +t" right? I
don't see what preventing non-owners from deleting the file has to do
with allowing Apache access to the file.

Would either making the directory setgid (chmod g+s), or setting default
ACLs (setfacl -m d:...) on the directory meet your needs?

-- 
When you tell me I should give proprietary software a fair technical
evaluation because its features are so nice, what you are actually doing
is saying "Look at the shine on those manacles!" to someone who
remembers feeling like a slave. -- Eric S. Raymond
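
Added illustration, not part of the original message: why the backup-then-rewrite save described in the question drops per-file settings, while a directory-level setting such as the default ACL suggested above still applies to the file the editor creates. Plain mode bits stand in for the ACL here, since both are stored on the inode; the file names, the 0660 mode and the 022 umask are constructed for the demo.

```python
import os
import stat
import tempfile


def save_by_rename(path, data):
    """Backup-style save: old file becomes 'path~', a new file takes its name."""
    os.rename(path, path + "~")   # the old inode keeps its mode and ACL
    with open(path, "w") as fh:   # new inode: mode comes from the umask
        fh.write(data)


def save_in_place(path, data):
    """Rewrite the existing inode, so its mode and ACL stay attached."""
    with open(path, "r+") as fh:
        fh.truncate(0)
        fh.write(data)


def inode_and_mode(path):
    st = os.stat(path)
    return st.st_ino, stat.S_IMODE(st.st_mode)


def compare_saves():
    """Return, per strategy, whether the inode survived and the resulting mode."""
    results = {}
    old_umask = os.umask(0o022)   # constructed: a common default umask
    try:
        with tempfile.TemporaryDirectory() as workdir:
            for name, save in (("rename", save_by_rename),
                               ("in_place", save_in_place)):
                path = os.path.join(workdir, name + ".txt")  # constructed file
                with open(path, "w") as fh:
                    fh.write("v1\n")
                os.chmod(path, 0o660)          # group read/write, no world access
                ino_before, _ = inode_and_mode(path)
                save(path, "v2\n")
                ino_after, mode_after = inode_and_mode(path)
                results[name] = (ino_before == ino_after, oct(mode_after))
    finally:
        os.umask(old_umask)
    return results


if __name__ == "__main__":
    for name, (same_inode, mode) in compare_saves().items():
        print(f"{name:9} same inode: {same_inode}  mode after save: {mode}")
```

The rename-style save ends up with a new inode whose mode is set by the umask (world-readable here), while the restricted mode stays with the backup file; the in-place save keeps both the inode and its mode.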



