Opened 14 years ago

Last modified 10 years ago

#13 new enhancement

default permissions on MediaWiki uploads directory

Reported by: andersk
Owned by:
Priority: normal
Milestone:
Component: autoinstallers
Keywords:
Cc:

Description (last modified by andersk)

(Imported from help.mit.edu #418455.)

andersk:

Try running the following commands from Athena. This will grant system:anyuser permission to read the images directory of your wiki (and all its subdirectories).

add scripts
attach 11.306
cd /mit/11.306/web_scripts/shenzhen/images
fssar system:anyuser read

andersk:

Why doesn't our MediaWiki installer do this by default?

jbarnold:

Some users want to restrict access to some or all of their wiki content. I agree that the current situation is not ideal and that we should do something to improve it, if possible.

geofft:

It might be reasonable to use one of the application-reserved AFS bits (A-H) to indicate "serve all files in this folder raw, provided that .htaccess or something doesn't restrict permission on the file". One way to do this would be to let the sketchy AFS patch allow read on the file if both daemon.scripts has one of these bits and the current UID is apache's. (Can the AFS patch detect application bits in a decent manner?)

jbarnold:

Files that have been chmod-ed 777 are currently "scripts.mit.edu apache"-readable, which is similar to the behavior that you describe (except that it would be a property of the directory rather than a property of the file).

We could then have our automatic installers set that bit on all "uploads" directories. That might be a good plan -- I'll need to think about it a bit more. What do other people think of this idea?
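
The ACL states discussed in this ticket can be told apart from `fs listacl` output. The following is an added example, not part of the ticket or of the scripts.mit.edu code: the ACL text is constructed, the locker path and the function names are assumptions, and reading an application bit as "serve raw" is only the proposal made above.

```shell
#!/bin/sh
# Constructed `fs listacl` output for an uploads directory (hypothetical path).
# $1 = rights for daemon.scripts, $2 = rights for system:anyuser (default: l)
sample_acl() {
    cat <<EOF
Access list for /mit/example/web_scripts/wiki/images is
Normal rights:
  example rlidwka
  daemon.scripts $1
  system:anyuser ${2:-l}
EOF
}

# rights SECTION NAME: print NAME's rights string from the "Normal" or
# "Negative" section of listacl text read on stdin (empty if absent).
rights() {
    awk -v sect="$1" -v who="$2" '
        /^(Normal|Negative) rights:/ { cur = $1; next }
        cur == sect && $1 == who     { print $2; exit }
    '
}

# classify_acl: read listacl text on stdin and print one of
#   public      - system:anyuser holds r (what "fssar system:anyuser read" grants)
#   raw-flagged - daemon.scripts holds an application bit A-H; treating this
#                 as "serve raw" is the ticket's proposal, not existing behaviour
#   restricted  - neither of the above
classify_acl() {
    acl=$(cat)
    any=$(printf '%s\n' "$acl" | rights Normal system:anyuser)
    neg=$(printf '%s\n' "$acl" | rights Negative system:anyuser)
    web=$(printf '%s\n' "$acl" | rights Normal daemon.scripts)
    public=no
    case "$any" in *r*) public=yes ;; esac
    case "$neg" in *r*) public=no ;; esac   # a negative entry removes the right
    if [ "$public" = yes ]; then echo public; return; fi
    case "$web" in *[ABCDEFGH]*) echo raw-flagged; return ;; esac
    echo restricted
}

sample_acl rl  | classify_acl    # restricted
sample_acl rlA | classify_acl    # raw-flagged
```

Against a real directory, pipe `fs listacl <dir>` into `classify_acl` to see which uploads directories are already world-readable before changing an installer default.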

Change History (6)

comment:1 Changed 14 years ago by andersk

  • Description modified (diff)

comment:2 Changed 14 years ago by price

  • Priority changed from major to minor

comment:3 Changed 12 years ago by adehnert

Isn't this currently solved by static-cat or something?

comment:4 Changed 12 years ago by andersk

static-cat only serves files on its whitelist of extensions.

comment:5 Changed 10 years ago by ezyang

  • Component changed from web to autoinstallers
  • Priority changed from minor to normal

comment:6 Changed 10 years ago by ezyang

  • Type changed from defect to enhancement