Last modified: 2013-07-24 19:44:20 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T51159, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 49159 - Relax suPHP's paranoia
Status: RESOLVED WONTFIX
Product: Wikimedia Labs
Classification: Unclassified
Component: tools
Version: unspecified
Hardware: All All
Importance: Normal normal
Target Milestone: ---
Assigned To: Marc A. Pelletier
Reported: 2013-06-04 22:30 UTC by Tim Landscheidt
Modified: 2013-07-24 19:44 UTC (History)

Description Tim Landscheidt 2013-06-04 22:30:30 UTC
A recurring issue for new users seems to be that they need to "take $FILE" as the tool account after uploading/editing a PHP/CGI/etc. file with their Labs account for the web access to work.

I think it would be useful to relax suPHP's paranoia a bit.  The plan would be:

- If a file is under /data/project/$TOOL/{cgi-bin,public_html}:
  - If the file's group is local-$TOOL:
    - Execute as user local-$TOOL, group local-$TOOL.

In other words, the check that the file's user is local-$TOOL would be removed.

AFAICS, suPHP doesn't allow such a configuration at the moment (you only seem to be able to force *all* files in a directory to be executed as a specified user, but then you lose the "file's group = local-$TOOL" check), so coding is probably needed.

Comment 1 Peter Bena 2013-06-05 08:46:37 UTC
yes that would be a good thing

Comment 2 Marc A. Pelletier 2013-07-24 19:44:20 UTC
That would destroy any semblance of security if the maintainers make a trivial permission error, because it would allow execution of scripts under the tool's UID that were not put in place by one of its maintainers (allowing, for instance, grabbing project credentials).

Group ownership is made automatic by the directories being SGID (otherwise files would be essentially unmanageable by the maintainers), which means that any file placed in a directory _even by someone not in the group_ will be owned by the group -- and executed as the tool.

Having to use take is a minor gotcha that is going to be well documented, and having to take an explicit step to make a script executable from the 'net is a good thing (likewise the requirement that the script be made executable).
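
The two rules discussed in this report, as an added audit sketch that is not part of the original thread or of suPHP: it walks a tool's web directory and reports files that pass the group-only rule but fail the owner-and-group rule, plus directories writable by others. The function names and the numeric `tool_uid` / `tool_gid` arguments (the IDs of local-$TOOL) are assumptions for illustration.

```python
import os
import stat

def strict_ok(st, tool_uid, tool_gid):
    """Current rule per the thread: owner AND group must be the tool account."""
    return st.st_uid == tool_uid and st.st_gid == tool_gid

def relaxed_ok(st, tool_uid, tool_gid):
    """Proposed rule from the description: only the group is checked."""
    return st.st_gid == tool_gid

def audit(root, tool_uid, tool_gid):
    """Return (path, reason) pairs for a web root such as public_html.

    tool_uid / tool_gid are the numeric IDs of local-$TOOL, supplied by
    the caller (assumed inputs, not looked up here).
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dst = os.lstat(dirpath)
        if dst.st_mode & stat.S_IWOTH:
            # The "trivial permission error": anyone may create files here.
            sgid = bool(dst.st_mode & stat.S_ISGID)
            note = ", setgid: new files inherit its group" if sgid else ""
            findings.append((dirpath, "dir writable by others" + note))
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            if relaxed_ok(st, tool_uid, tool_gid) and not strict_ok(st, tool_uid, tool_gid):
                findings.append((path, f"owner uid {st.st_uid} is not the tool; "
                                       "runs as the tool only under the group-only rule"))
    return findings

if __name__ == "__main__":
    import sys
    # Usage: audit.py <web root> <tool uid> <tool gid>
    for path, reason in audit(sys.argv[1], int(sys.argv[2]), int(sys.argv[3])):
        print(f"{path}: {reason}")
```

Files in the second category are the ones that currently need `take` before they are served.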
