A Note on Setting Permissions in Fedora 20

Suppose we want to install Foswiki not underneath

/var/www

but under

/home/wikis/my_foswiki

which is not traditionally meant to be accessible by the Apache Webserver, httpd.

/home/wikis/my_foswiki must then be made accessible to httpd. More precisely, the user apache, under which httpd runs on Fedora 20, must be able to access and manipulate that filesystem tree.

How to do this:

Configure "discretionary access control"

"Discretionary access control" designates access control through the Unix permissions set on directories and files.

For configuration, we are using a little script, foswiki_unix_permission_updater.pl, which includes two other scripts, adjustFilesystemV2_functions.pl and intro.pl, all attached (there are probably more compact ways to do this).

One simply runs it by giving the Foswiki base directory. Assuming the script resides in /usr/local/toolbox/:

/usr/local/toolbox/foswiki_unix_permission_updater.pl /home/wikis/my_foswiki

As you have to run the above as root, you may want to eyeball the script first. The legal disclaimer of the unlicense applies!
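
After the updater has run, the result can be checked with a read-only audit of the tree. This is an added example, not one of the attached scripts; it assumes the whole tree should be owned by one account (apache by default here) and that nothing in it should be world-writable or setuid/setgid.

```shell
#!/bin/sh
# Added example: read-only audit of a Foswiki tree after a permission update.
# Assumptions (not taken from the attached scripts): every entry should be
# owned by the web server account, and nothing should be world-writable or
# carry setuid/setgid bits.

# audit_foswiki_tree BASE OWNER
#   OWNER may be a user name or a numeric uid.
#   Prints one line per finding.
#   Returns 0 if clean, 1 if there are findings, 2 if BASE is not a directory.
audit_foswiki_tree() {
    base=$1
    owner=$2
    if [ ! -d "$base" ]; then
        echo "not a directory: $base" >&2
        return 2
    fi
    findings=$(
        # World-writable files or directories. Symlinks are skipped because
        # their mode bits are not used for access decisions.
        find "$base" ! -type l -perm -0002 -print | sed 's/^/WORLD-WRITABLE /'
        # Entries not owned by the expected account.
        find "$base" ! -user "$owner" -print | sed 's/^/WRONG-OWNER /'
        # setuid/setgid regular files have no place in a wiki tree.
        find "$base" -type f \( -perm -4000 -o -perm -2000 \) -print \
            | sed 's/^/SETID /'
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Stand-alone use: audit.sh /home/wikis/my_foswiki [owner]
if [ "$#" -ge 1 ]; then
    audit_foswiki_tree "$1" "${2:-apache}"
fi
```

The audit only reads metadata, so it can be run as an unprivileged user that is able to list the tree.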

Mandatory access control

The SELinux subsystem enforces additional access control rules which do not depend on the Unix permissions and thus are not manageable in a "discretionary manner" by users.

SELinux should be active (the command selinuxenabled && echo YES || echo NO should yield YES) to keep processes, in particular the httpd process, from running amok on the filesystem and issuing undesired operations, either because they are buggy or because they have been taken over maliciously.

For more on mandatory access control, see:

Again, for configuration, we are using a little script, foswiki_selinux_permission_updater.pl, which includes intro.pl, as attached.

One simply runs it by giving the Foswiki base directory. Assuming the script resides in /usr/local/toolbox/:

/usr/local/toolbox/foswiki_selinux_permission_updater.pl /home/wikis/my_foswiki

As you have to run the above as root, you may want to eyeball the script first. The legal disclaimer of the unlicense applies!

Attachments:

Attachment                                 Size       Date                 Who
adjustFilesystemV2_functions.pl.txt        15 K       05 Aug 2014 - 17:42  DavidTonhofer
foswiki_permission_updater.pl.txt          3 K        05 Aug 2014 - 17:49  DavidTonhofer
foswiki_selinux_permission_updater.pl.txt  956 bytes  05 Aug 2014 - 17:56  DavidTonhofer
intro.pl.txt                               1 K        05 Aug 2014 - 17:43  DavidTonhofer

Topic revision: r1 - 05 Aug 2014, DavidTonhofer