i've finally pinpointed the problem i was having on centos.
apache does this:
<Location /test>
DAV svn
SVNPath "/home/myusername/test"
</Location>
apache is part of the myusername group.
$ ls -la /home/myusername
drwxrwx--- 3 myusername myusername 4096 Nov 17 04:34 .
drwxr-xr-x 7 apache apache 4096 Nov 17 04:28 test
with these permissions, i can properly access the test repository through apache.
$ ls -la /home/myusername
drwx------ 3 myusername myusername 4096 Nov 17 04:34 .
drwxr-xr-x 7 apache apache 4096 Nov 17 04:28 test
with these permissions, i cannot properly access the test repository through apache.
why not? since when does a unix-like os inherit permissions?
nny
Matt Joyce
the directory needs execute perms to allow a traversal.
nny
Matt Joyce
Also in Ubuntu be wary of AppArmor configs when dealing with stuff like apache access rights.
ok, that makes sense. so it needs execute bits on directories all the way up to root ("/")?
nny
Matt Joyce
yep.
Chiken
Don't Let Your Walls Down
ah man, i was all excited that a question was posted that i could answer.
nny
Matt Joyce
next time I'll be sure to simply respond with "first!"
so,
to list a directory, you need x+r on that directory and x on every directory above
to write into a directory, you need x+w on that directory and x on every directory above
why? i thought unix permissions were all about non-inheritance.
in other words, killing an x bit on a directory is a quick way to make everything inside of it (and all of their children) completely inaccessible, correct?
nny
Matt Joyce
chdir() is a function.
with an x bit you can chdir() a directory path.
without you cannot.
now there are implications for this. but they exist outside of that fundamental logic. they are not beholden to it beyond the limitations of posix standards.
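The rule stated in the question above (x on every ancestor, r or w only on the final directory) and the chdir() point in the reply, as an added Python model that is not code from this thread. It resolves a path the way the kernel's DAC check does, one component at a time, and reports the first component that refuses search permission. The numeric uids/gids (1000 for myusername, 48 for apache, 1001 for openfly) and the fixture directory modes are assumptions reconstructed from the ls output and chmod commands posted in the thread; SELinux and AppArmor are not modelled.

```python
"""Model of POSIX path resolution: every ancestor directory must grant search (x)
to the caller; only the final component is checked for the operation itself."""
import os
import stat
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, Tuple


@dataclass(frozen=True)
class Inode:
    mode: int  # permission bits only (0o755 etc.), no file-type bits
    uid: int
    gid: int


# What the final component must grant, per the rule stated in the thread.
WANT = {"enter": 0o1, "list": 0o5, "write": 0o3}
BITNAMES = {4: "r", 2: "w", 1: "x"}


def _bits(have: int) -> str:
    return "".join(name for bit, name in BITNAMES.items() if have & bit) or "-"


def _prefixes(path: str) -> Iterator[str]:
    """Yield '/', '/a', '/a/b', ... for an absolute path."""
    yield "/"
    acc = ""
    for part in path.split("/"):
        if part and part != ".":
            acc += "/" + part
            yield acc


def applicable_bits(node: Inode, uid: int, groups: Iterable[int]) -> int:
    """The rwx triplet the kernel uses for this caller: owner, else group, else other."""
    if uid == node.uid:
        return (node.mode >> 6) & 0o7
    if node.gid in set(groups):
        return (node.mode >> 3) & 0o7
    return node.mode & 0o7


def can_reach(fs: Dict[str, Inode], path: str, uid: int, groups: Iterable[int],
              op: str = "enter") -> Tuple[bool, str]:
    """Resolve `path` as `uid` (member of `groups`) and report where it fails.

    uid 0 bypasses DAC on directories (CAP_DAC_OVERRIDE), which is why root in the
    thread can cd anywhere; this model ignores SELinux/AppArmor entirely.
    """
    if op not in WANT:
        raise ValueError(f"unknown op {op!r}")
    if uid == 0:
        return True, "root bypasses directory permission checks"
    comps = list(_prefixes(path))
    groups = set(groups)
    for ancestor in comps[:-1]:  # chdir()/lookup needs x on each ancestor, nothing else
        have = applicable_bits(fs[ancestor], uid, groups)
        if not have & 0o1:
            return False, f"{ancestor}: no search (x) bit for uid {uid} (has {_bits(have)})"
    final = comps[-1]
    have = applicable_bits(fs[final], uid, groups)
    need = WANT[op]
    if have & need != need:
        return False, f"{final}: {op} needs {_bits(need)}, caller has {_bits(have)}"
    return True, "ok"


def snapshot(path: str) -> Dict[str, Inode]:
    """Build the same model from the live filesystem, to run the check on a real host."""
    out = {}
    for prefix in _prefixes(path):
        st = os.stat(prefix)
        out[prefix] = Inode(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return out


# Constructed fixtures reproducing the thread; the numeric ids are assumptions.
UID_MYUSER = GID_MYUSER = 1000
UID_APACHE = GID_APACHE = 48        # conventional apache uid on RHEL/CentOS, assumed
UID_OPENFLY = GID_OPENFLY = 1001
APACHE_GROUPS = {GID_APACHE, GID_MYUSER}  # "apache is part of the myusername group"

HOME_770 = {
    "/": Inode(0o755, 0, 0),
    "/home": Inode(0o755, 0, 0),
    "/home/myusername": Inode(0o770, UID_MYUSER, GID_MYUSER),
    "/home/myusername/test": Inode(0o755, UID_APACHE, GID_APACHE),
}
HOME_700 = {**HOME_770, "/home/myusername": Inode(0o700, UID_MYUSER, GID_MYUSER)}

# The chmod experiment later in the thread: test 700, path 770, deep 777, all root-owned.
OPT_TREE = {
    "/": Inode(0o755, 0, 0),
    "/opt": Inode(0o755, 0, 0),
    "/opt/test": Inode(0o700, 0, 0),
    "/opt/test/path": Inode(0o770, 0, 0),
    "/opt/test/path/deep": Inode(0o777, 0, 0),
}

if __name__ == "__main__":
    for label, fs in (("drwxrwx---", HOME_770), ("drwx------", HOME_700)):
        print(label, can_reach(fs, "/home/myusername/test", UID_APACHE, APACHE_GROUPS, "list"))
    print("openfly cd deep:", can_reach(OPT_TREE, "/opt/test/path/deep", UID_OPENFLY, {GID_OPENFLY}))
```

With the home directory at 0770 the walk succeeds because apache's group membership supplies the x bit on /home/myusername; at 0700 the walk stops at that component before the repository directory is ever consulted, which is exactly the symptom in the question. On a real host, `snapshot("/home/myusername/test")` builds the same dictionary from os.stat so the check can be replayed for the apache uid without switching users.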
thinking about this... I now have a question. and It's one i may test.
what happens if a pthread is kicked off by root as a new user blah. what if blah has access to the cwd of that thread. BUT, in theory could never traverse to it?
That would eliminate the argument that inheritance implicitly exists. Hell... I dunno that much. Still a lot to learn in this world for me.
Not using threads, but...
root ~ $ pwd
/root
root ~ $ su andre
andre . $ pwd
.
andre . $ ls
ls: cannot open directory .: Permission denied
Interesting that the path is shown simply as "." by the shell, since it can't know where it is.
Does CentOS have SELinux?
I spent 3 hours "playing" with SELinux to get SVN to work at the fedora server at work a couple of months ago ...
nny
Matt Joyce
selinux was open sourced. it's possible it's included. check /etc/sysconfig or something
my default install of centos came with selinux. luckily, it didn't cause any pain.
nny
Matt Joyce
root@carnagetron:/opt/test/path# chmod 777 deep
root@carnagetron:/opt/test/path# chmod -R 777 deep
root@carnagetron:/opt/test/path# cd ..
root@carnagetron:/opt/test# chmod 770 path
root@carnagetron:/opt/test# cd ..
root@carnagetron:/opt# chmod 700 test
root@carnagetron:/opt# cd test/path/deep/
root@carnagetron:/opt/test/path/deep# su openfly
openfly@carnagetron:/opt/test/path/deep$ ls
openfly@carnagetron:/opt/test/path/deep$ touch hello
openfly@carnagetron:/opt/test/path/deep$ ls
hello
openfly@carnagetron:/opt/test/path/deep$ cat hello
openfly@carnagetron:/opt/test/path/deep$ cd ..
bash: cd: ..: Permission denied
openfly@carnagetron:/opt/test/path/deep$ cd /
openfly@carnagetron:/$ cd /opt/test/path/deep
bash: cd: /opt/test/path/deep: Permission denied
openfly@carnagetron:/$
Inheritance? What inheritance?
nny
Matt Joyce
VICTORY!!!!
nny
Matt Joyce
root@carnagetron:/opt/test/path/deep# su openfly
openfly@carnagetron:/opt/test/path/deep$ touch /opt/test/path/deep/test2
touch: cannot touch `/opt/test/path/deep/test2': Permission denied
Just to finish off the proof.