A Note on Setting Permissions in Fedora 20
Suppose we want to install Foswiki not underneath /var/www but under /home/wikis/my_foswiki, a location that is not traditionally meant to be accessible by the Apache web server, httpd. /home/wikis/my_foswiki must then be made accessible to httpd, or more precisely, the user apache under which httpd runs on Fedora 20 must be able to access and manipulate that filesystem tree.
How to do this:
"Discretionary access control" designates access control through the Unix permissions set on directories and files. For configuration, we are using a little script, foswiki_unix_permission_updater.pl, which includes two other scripts, adjustFilesystemV2_functions.pl and intro.pl, all attached (there are probably more compact ways to do this than using these). One simply runs it, giving the Foswiki base directory. Assuming the script resides in /usr/local/toolbox/:
/usr/local/toolbox/foswiki_unix_permission_updater.pl /home/wikis/my_foswiki
As you have to run the above as root, you may want to eyeball the script first. The legal disclaimer of the unlicense applies!
Mandatory access control
The SELinux subsystem enforces additional access control rules which do not depend on the Unix permissions and are thus not manageable in a "discretionary" manner by users. SELinux should be active (the command
selinuxenabled && echo YES || echo NO
should yield YES) to preclude processes (in particular, the httpd process) from running amok on the filesystem and issuing undesired operations, either because they are buggy or because they have been taken over maliciously.
For more on mandatory access control, see:
Again, for configuration, we are using a little script, foswiki_selinux_permission_updater.pl, which includes intro.pl, as attached. One simply runs it, giving the Foswiki base directory. Assuming the script resides in /usr/local/toolbox/:
/usr/local/toolbox/foswiki_selinux_permission_updater.pl /home/wikis/my_foswiki
As you have to run the above as root, you may want to eyeball the script first. The legal disclaimer of the unlicense applies!
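As an added example (not one of the attached updater scripts), the shell script below applies the discretionary part directly and only prints the commands for the ownership and mandatory (SELinux) part, so both halves of the procedure above can be reviewed before anything is run as root. It assumes the standard Foswiki layout (bin, lib, data, pub, working), that httpd runs as user apache, that the admin account given as second argument should own the files, and that a tree under /home needs Fedora's httpd_enable_homedirs boolean in addition to the httpd_sys_content_t / httpd_sys_rw_content_t labels.

```shell
#!/bin/sh
# Added example, not the attached updater scripts. Assumed: standard Foswiki
# layout (bin, lib, data, pub, working), httpd running as user "apache".
set -eu

# Subtrees httpd must write to; everything else stays read-only for it.
RW_DIRS="data pub working"

# Constructed sample tree, so the Unix part can be dry-run as a normal user.
make_sample_tree() {
  for d in bin lib data/Main pub/Main working/tmp; do mkdir -p "$1/$d"; done
  : > "$1/bin/view"; : > "$1/lib/LocalSite.cfg"; : > "$1/data/Main/WebHome.txt"
}

# Discretionary part: group "apache" reads the whole tree, writes only RW_DIRS,
# and may execute the CGI scripts in bin/. Setgid keeps new files in the group.
set_unix_modes() {
  base=$1
  find "$base" -type d -exec chmod 2750 {} +          # rwxr-s---
  find "$base" -type f -exec chmod 640 {} +           # rw-r-----
  for d in $RW_DIRS; do
    if [ -d "$base/$d" ]; then
      find "$base/$d" -type d -exec chmod 2770 {} +   # rwxrws---
      find "$base/$d" -type f -exec chmod 660 {} +    # rw-rw----
    fi
  done
  if [ -d "$base/bin" ]; then
    find "$base/bin" -type f -exec chmod 750 {} +     # rwxr-x---
  fi
}

# Commands that need root: ownership, then the mandatory (SELinux) labels.
# httpd_sys_content_t is readable by httpd, httpd_sys_rw_content_t writable;
# a tree under /home is assumed to also need the httpd_enable_homedirs boolean.
root_plan() {
  base=$1; owner=$2
  printf 'chown -R %s:apache %s\n' "$owner" "$base"
  printf 'setsebool -P httpd_enable_homedirs on\n'
  printf 'semanage fcontext -a -t httpd_sys_content_t "%s(/.*)?"\n' "$base"
  for d in $RW_DIRS; do
    printf 'semanage fcontext -a -t httpd_sys_rw_content_t "%s/%s(/.*)?"\n' "$base" "$d"
  done
  printf 'restorecon -Rv %s\n' "$base"
}
# Usage: sh foswiki_perms.sh /home/wikis/my_foswiki admin
if [ $# -eq 2 ]; then
  set_unix_modes "$1"
  root_plan "$1" "$2"
fi
```

After running the printed commands, ls -Z on the data directory should show httpd_sys_rw_content_t and the rest of the tree httpd_sys_content_t.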