
What is the best way to give two separate users access to a file?

Red Squirrel

No Lifer
I'm migrating a lot of stuff from my old/main server into a VM and in the process trying to follow better security practices such as not having stuff just happen as root all the time.

One particular example is I have a php script that is used to edit spam filters for spamassassin. It's just a utility that makes it easier to blacklist emails, add new keyword rules etc... it then generates a .cf file that spamassassin reads. So the .cf file it generates needs to be writable by apache, but also needs to be readable by the spamassassin user. I could just chmod it 777 or w/e, but I want to do it right. How would I go about giving this kind of access? Or do I not have a choice but to chmod it in such a way that it is world writable? I can probably just make it owned by apache:apache and have it be read only for everyone else, but even that still feels dirty. If it was NTFS it would be simple, just add both users to it and be done.

It's a local server so not a huge deal, but I still prefer to know how to do things right, may as well start this fresh VM off to a good start. The old server had a lot of bad habits like all the web apps sql stuff running as root user etc.
 
Would saving the file as apache:spamassassin not work? Then all you need is 640 permissions so it's only accessible to those two groups. You may have to create a third group and make sure that both apache and spamassassin users are part of it and then use that group instead.
 
I was thinking that, seems kinda dirty though, but in this case since it's only 2 users that need access I guess it could work. Though will the apache process have access to change ownership? Since when it creates/modifies the file it will also have to do a chown on it as it will be owned by apache:apache by default.
 
Could you just add the spam assassin user to the apache group?

Or assign a different primary group to the Apache user so it creates files as apache:sharedgroup instead.
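
The shared-group approach suggested in this thread, written out as an added example (not code from any poster). It goes one step beyond the replies by using a setgid directory, so the web server never has to chown anything. The group name `sa-rules`, the path `/srv/sa-rules` and the account names `apache` and `spamassassin` are assumptions.

```shell
#!/bin/sh
# Added example: "sa-rules", the account names and /srv/sa-rules are assumed names.

# One-time setup, run as root (defined here, not called).
setup_as_root() {
    groupadd sa-rules
    usermod -aG sa-rules spamassassin   # reader joins the group; apache is the owner
    mkdir -p /srv/sa-rules
    chown apache:sa-rules /srv/sa-rules
    chmod 2750 /srv/sa-rules            # rwxr-s---: new files inherit group sa-rules
}

# What the writer (the PHP script) has to do: create the file 0640 and
# replace it atomically. No chown needed, the directory supplies the group.
write_rules() {  # usage: write_rules DIR NAME CONTENT
    (
        umask 027
        tmp="$1/.$2.tmp.$$"
        printf '%s\n' "$3" > "$tmp" && mv -f "$tmp" "$1/$2"
    )
}

perm_of()  { ls -ldn "$1" | cut -c1-10; }
group_of() { ls -ldn "$1" | awk '{print $4}'; }

# Check: file is rw-r----- and carries the directory's group.
audit_rules() {  # usage: audit_rules DIR NAME
    [ "$(perm_of "$1/$2")" = "-rw-r-----" ] &&
    [ "$(group_of "$1/$2")" = "$(group_of "$1")" ]
}

# Unprivileged demo in a scratch directory, using the caller's own group.
demo() {
    d=$(mktemp -d) || return 1
    chmod 2750 "$d"
    write_rules "$d" local_web.cf 'blacklist_from spammer@example.com'  # constructed rule
    audit_rules "$d" local_web.cf; rc=$?
    echo "$(perm_of "$d") $(perm_of "$d/local_web.cf") gid=$(group_of "$d/local_web.cf")"
    rm -rf "$d"
    return $rc
}

demo
```

A running daemon only picks up the new group membership after it is restarted.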
 