default permissions on MediaWiki uploads directory

[andersk]

(Imported from ​help.mit.edu #418455.)

andersk:

Try running the following commands from Athena. This will grant system:anyuser permission to read the images directory of your wiki (and all its subdirectories).

add scripts
attach 11.306
cd /mit/11.306/web_scripts/shenzhen/images
fssar system:anyuser read

andersk:

Why doesn't our Mediawiki installer do this by default?

jbarnold:

Some users want to restrict access to some or all of their wiki content. I agree that the current situation is not ideal and that we should do something to improve it, if possible.

geofft:

It might be reasonable to use one of the application-reserved AFS bits (A-H) to indicate "serve all files in this folder raw, provided that .htaccess or something doesn't restrict permission on the file". One way to do this would be to let the sketchy AFS patch allow read on the file if both daemon.scripts has one of these bits, and if the current UID is apache's. (Can the AFS patch detect application bits in a decent manner?)

jbarnold:

Files that have been chmod-ed 777 are currently "scripts.mit.edu apache"-readable, which is similar to the behavior that you describe (except that it would be a property of the directory rather than a property of the file).

We could then have our automatic installers set that bit on all "uploads" directories. That might be a good plan -- I'll need to think about it a bit more. What do other people think of this idea?

[adehnert]

Isn't this currently solved by static-cat or something?

[andersk]

static-cat only serves files on its whitelist of extensions.