Linode Forum
Linode Community Forums
Posted: Wed Jan 19, 2011 10:56 am
Newbie

Joined: Thu Jan 13, 2011 10:59 am
Posts: 3
We have a Linux box running Ubuntu 10.04. Its primary function is a web server and it is configured with (I think) a conventional LAMP stack.

Developers have access to a common directory "dev" which contains a sub directory which serves as the web root. All developers have individual SSH access.

When developers create files in the "dev" directory tree, or pull files into "dev" from a repository we want the file permissions to be rwxrwxr-x. Instead newly created files have permissions of rw-r--r--. By modifying ACLs and setting group and user id on "dev" with sticky bits etc. I have managed to get newly created files with permissions of rw-rw-r--.

I assume the problem is down to the umask configuration which is currently set using the global value of 022 in /etc/profile. I don't want to change the umask globally or for each developer to allow more relaxed default permissions.

I can't see a way of achieving what we want with ACLs and umask unless I am missing something. Surely this is a fairly common requirement for web developers working on shared projects.

Is there a preferred or recommended approach?
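
The umask behaviour raised in this question, as an added example that is not part of the original thread: programs request 0666 for new files and 0777 for new directories, and the umask can only remove bits, so no umask produces rwxrwxr-x on a newly created file. `new_mode` and `with_umask` are names made up for this sketch; `with_umask` shows that a umask can be scoped to one command without editing /etc/profile.

```shell
#!/bin/sh
# Added example: how the process umask shapes the mode of new files.
# Function names and the scratch directory are constructed for this demo.

# Print the ls-style mode string of something freshly created under a
# given umask. The subshell keeps the umask change from leaking out.
new_mode() {   # usage: new_mode <umask> <file|dir>
    (
        scratch=$(mktemp -d) || exit 1
        chmod g-s "$scratch"            # keep setgid out of this demo
        umask "$1"
        if [ "$2" = dir ]; then
            mkdir "$scratch/new"        # mkdir requests 0777
        else
            : > "$scratch/new"          # a shell redirection requests 0666
        fi
        ls -ld "$scratch/new" | cut -c1-10
        rm -rf "$scratch"
    )
}

# Run one command under a different umask without touching the caller's
# own umask or any global profile.
with_umask() { # usage: with_umask <umask> <command> [args...]
    ( umask "$1"; shift; "$@" )
}

# Even umask 000 never yields an execute bit on a new regular file.
for u in 022 002 000; do
    printf 'umask %s  file %s  dir %s\n' \
        "$u" "$(new_mode "$u" file)" "$(new_mode "$u" dir)"
done
```
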


Posted: Wed Jan 19, 2011 11:49 am
Senior Member

Joined: Sat Aug 30, 2008 1:55 pm
Posts: 1739
Location: Rochester, New York
The Unix permissions model relies on the creator of a file being cognizant of others in their group, and setting the permissions and ownership on their files accordingly, within the group structure promulgated by the omnipresent and benevolent root and his wheel oligarchy. This, of course, is hilariously naive, almost to the point of being adorable, but we get what we get.

To effect this on newly-created files, I run a script somewhat like the following, via cron.hourly:

Code:
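#!/bin/bash
# Placeholder values: set these to your own group and site directories.
GROUPNAME="devgroup"
groupsitedirs=("site-one" "site-two")   # names under /srv/www
EXITSTATE=0

for sitedir in "${groupsitedirs[@]}"
do
    if [ -d "/srv/www/${sitedir}" ]; then
        # -prune keeps find out of bin/. Elsewhere: files -> 664, dirs -> 775,
        # wrong group -> chgrp. The "," operator (GNU find) binds looser than -o.
        find "/srv/www/${sitedir}" \
            \( -path "/srv/www/${sitedir}/bin" -prune \) -o \
            \( -type f \! -perm 664 -exec chmod 664 "{}" \; \) , \
            \( -type d \! -perm 775 -exec chmod 775 "{}" \; \) , \
            \( \! -group "$GROUPNAME" -exec chgrp "$GROUPNAME" "{}" \; \)
    else
        echo "Directory ${sitedir} doesn't exist!"
        EXITSTATE=1
    fi
done
exit "$EXITSTATE"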


Hourly seems good enough, but this could be fired more often if required. If you feel led to adjust the find conditions, be very mindful of the punctuation and order of operations. I usually break it every time I try to adjust something.

(... ok, hoopycat; put the dictionary down, stfu, and gbtw...)

_________________
Code:
/* TODO: need to add signature to posts */
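
A report-only variant of the job in the post above, added here as an example and not taken from the thread: it lists what the fix-up would change, so permission drift can be checked right after a pull instead of waiting for cron. `audit_tree`, `tree_is_clean` and the sample tree are constructed for illustration; unlike the original command, it also leaves the `bin` directory entry itself out of the checks.

```shell
#!/bin/sh
# Added example: report-only variant of the hourly fix-up job.
# audit_tree and the sample tree built in demo_tree are constructed here.

# List every path under <root> (bin/ excluded) that the fix-up job would
# change, one per line, prefixed with the reason. Nothing is modified.
audit_tree() {   # usage: audit_tree <root> <group name or gid>
    root=$1 group=$2
    {
        find "$root" -path "$root/bin" -prune -o \
            -type f ! -perm 664 -print | sed 's/^/file-mode /'
        find "$root" -path "$root/bin" -prune -o \
            -type d ! -perm 775 -print | sed 's/^/dir-mode /'
        find "$root" -path "$root/bin" -prune -o \
            ! -group "$group" -print | sed 's/^/group /'
    } | sort
}

# Exit status for use after a deploy: 0 when the tree is clean.
tree_is_clean() {
    [ -z "$(audit_tree "$1" "$2")" ]
}

# Constructed sample tree: one conforming file, one too-strict file,
# one too-strict directory, and an executable under bin/ that is skipped.
demo_tree() {
    t=$(mktemp -d) || return 1
    # Pin the group and drop setgid so the sample is predictable.
    chgrp "$(id -g)" "$t"; chmod g-s "$t"; chmod 775 "$t"
    mkdir "$t/bin" "$t/private"
    chmod 775 "$t/bin"; chmod 700 "$t/private"
    : > "$t/index.php";  chmod 664 "$t/index.php"
    : > "$t/config.php"; chmod 600 "$t/config.php"
    : > "$t/bin/python"; chmod 755 "$t/bin/python"
    echo "$t"
}

tree=$(demo_tree)
audit_tree "$tree" "$(id -g)"
rm -rf "$tree"
```
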


Posted: Wed Jan 19, 2011 12:42 pm
Newbie

Joined: Thu Jan 13, 2011 10:59 am
Posts: 3
Thank you hoopycat for your eloquent and articulate reply.

I had read elsewhere about setting up a cron job to modify file permissions but was hoping to avoid this. We will be pulling files into a live web root, so incorrect file permissions would break the site until the next time the cron job executed the script.

Having given this some more thought I'm not sure whether files actually need rwxrwxr-x permissions. It may be that rw-r--r-- are enough.

I will do some testing and report back.


Posted: Wed Jan 19, 2011 4:39 pm
Senior Member

Joined: Wed Jul 21, 2010 8:04 pm
Posts: 119
Quote:
(... ok, hoopycat; put the dictionary down, stfu, and gbtw...)


I thought it was very well written.


Posted: Wed Jan 19, 2011 9:51 pm
Senior Member

Joined: Sat Aug 30, 2008 1:55 pm
Posts: 1739
Location: Rochester, New York
dunc wrote:
Having given this some more thought I'm not sure whether files actually need rwxrwxr-x permissions. It may be that rw-r--r-- are enough.


It depends on the language, but 0644 or 0664 (-rw-r?-r--) should work fine for most files. The trick is that the actual program being executed by the system needs to be executable, but for Apache+mod_php, that's just /usr/sbin/apache2. Everything else gets read and interpreted, not "executed."

You might notice my find command prunes out a bin/ directory... I end up running a lot of Python-based apps within virtualenv containers, and each virtualenv container has its own copy of the python executable. That needs to be executable, as I found out very quickly. :-) Everything else is fine, however.

jzimmerlin: Never assign a paper to me without a firm time and word/page limit. Never. I'm a very weird student.

Posted: Thu Jan 20, 2011 12:25 pm
Senior Member

Joined: Wed Jul 21, 2010 8:04 pm
Posts: 119
Quote:
jzimmerlin: Never assign a paper to me without a firm time and word/page limit. Never. I'm a very weird student.


I rarely give out homework assignments these days, but now I will be extra careful not to when it comes to you :)


Posted: Fri Jan 21, 2011 6:32 pm
Newbie

Joined: Thu Jan 13, 2011 10:59 am
Posts: 3
Turns out permissions of 664 are adequate. Thanks for the help and advice.

