
I have an Ubuntu 10.04 server running nginx, with nginx running as user nginx. I'm trying to deploy an Octopress-based site with rsync and have stumbled on what looks like a security dilemma.

Obviously, the whole /srv/www/ directory should be readable by user nginx, and a couple of upload directories should be writable by user nginx.

Octopress likes connecting to a server via ssh, which is good. Since I have a sinking feeling about giving nginx remote shell access, I created a special user (deployer) just for that purpose, who is configured to have shell access and is allowed to connect via ssh. Rsync works fine, but all the web files are copied as owned by deployer, and user nginx cannot read them.

I might add user nginx to group deployer and play with rsync's --chmod and -p options to allow nginx/php to write to upload directories, but I'm not sure it won't bite me later. Ideally I think I need a kind of rsync-then-chown&chmod, but I suspect that's a bit too much to ask.

What are the best practices? How do you go about it?

Thanks in advance.

Costique

1 Answer


This is a basic access problem. You want to have two users with limited access and you want them to share files somehow.

The "traditional" solution is to create a new group, put both users there and somehow force the files to be owned by that group. Still, you will have problems with write access if you do not set the permissions right, and with newly created files. Both are solvable (umask and setgid directories).

The better way, which should not bite you later, is to dig a little into the structure, see which directories need to be writable by whom, and modify the scenario. I.e., if you have a cache dir where the nginx user needs to write, do not synchronize it via rsync, and set up the permissions so nginx can write there.

A last resort would be a root script (probably from cron or incron) to "fix" the permissions.

Radek Hladík
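The shared-group layout and the permission-fixing script from the answer above, as an added example that is not part of the original post. It assumes nginx and deployer are both members of a hypothetical group `webdeploy`, the site lives under a placeholder path `/srv/www/example`, and only `uploads/` and `cache/` ever need writes from nginx.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed setup on the server:
#   groupadd webdeploy
#   usermod -aG webdeploy nginx
#   usermod -aG webdeploy deployer
# plus `umask 002` in deployer's login shell so files it creates are
# group-writable. Group, paths and exclusions below are placeholders.

# Make DIR group-owned by GROUP and set the setgid bit on every directory, so
# anything created later by deployer or nginx inherits the group instead of
# the creator's primary group. Directories get 2775, files 664. This is the
# "root script from cron" fix: run it as root after each deploy, or from incron
# on the document root. Unchanged files keep working with no manual chown.
fix_shared_perms() {
    dir=$1
    group=$2
    chgrp -R "$group" "$dir"
    find "$dir" -type d -exec chmod 2775 {} +
    find "$dir" -type f -exec chmod 664 {} +
}

# Push the generated site as deployer. The runtime-writable directories are
# excluded so rsync never deletes or re-modes what nginx wrote there, and
# --chmod keeps setgid on new directories and group read on new files
# regardless of the modes in the local Octopress output tree.
deploy_site() {
    src=$1    # local generated site, e.g. public/
    dest=$2   # e.g. deployer@host:/srv/www/example/
    rsync -rltp --delete \
        --exclude='uploads/' --exclude='cache/' \
        --chmod=Dg+rxs,Fg+r \
        "$src" "$dest"
}

# Octal mode of a path (GNU stat), used to verify the layout after fixing.
mode_of() {
    stat -c %a "$1"
}
```

After `fix_shared_perms /srv/www/example webdeploy`, `mode_of` should report 2775 for every directory, which is the quick check to put in the cron job's log.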