What are the best permission settings to folders and files within a Zend application with public pages and pages only accessible after login?
My guess is:
All folders including modules, controllers, models and views: 755 Everyone can read the directory, but its contents can only be changed by the user.
All files: 644 Only the owner has read and write permissions; the group and others can read only.
For a public folder that allows uploading and deleting users private files: 700,
The private file itself 600.
Is this interpretation just?
I am wondering if permissions for the backend of an application after a user is logged in should better be 750 or even 700 for folders and 640 (or 600?) for files, making them inaccessible for the rest of the world?
The web server's user is the one accessing the file system, not the end user. This is normally www-data for Linux systems running Apache. You should therefore base your permissions on that user/group.
The client however should only have read access to the root of the site, which is the /public folder. The public folder will contain the front-end images, js, css and index.php which is Zend's single point of entry.
Related
I'm a bit confused as to how setting a source works for a script inside an HTML file.
Whenever I use a script, I set the source to something along the lines of:
http://localhost:8080/module_name/module.js
However, when I go through the directory of my server, the location is actually something along the lines of:
modules/module_version2.0/module_name/module.js
How is the client accessing the source file when portions of the directory are emitted?
I think what is throwing you off is the configuration and root of the web-server/website versus the file system of the server.
The URL being read by your browser/client will lead the browser/client to the web-server located at localhost:8080 and the web-server will supply the browser/client with information from that website's root directory for any files/pages that are referenced within the html being used via the tags.
The method of configuring this direction/reference to the root or the document tree of the web-server, varies based on OS and web server setup, but is usually held in a files like httpd.conf; which is the file for Apache.
These configuration files can also have different file locations and aliases setup to create relative paths: i.e. you could have pointers for different locations within the web-server's document tree.
The path example from your server is coming from the perspective of a user account logged in to a machine using some method of exploring the systems local file structure. As such the root directory of that system is the lowest location in the file structure and therefore will show the full path of all the files and directories on that machine.
Where as the web-server/website's root directory in most likely located further away from the systems root.
Hope this helps.
I am developing a script which uses the REST API for an Oracle ZFS Storage appliance ("ZS3"). The script uses the API to make a snapshot and clone of a production environment for use as a temporary test environment. So far everything is great... except I can find no way to specify the "Share Level ACL" settings for the SMB protocol.
A manual (via web ui) clone results in a default ACL of "everyone, full access". The ACL for the original share (source for the snapshot/clone) has a specific user list with specific ACLs. I assume that this information is not in the ZFS snapshot, but maintained outside of ZFS, hence it is not present in the clone (Q: Is this correct?).
I've re-read the Oracle document "E56084.pdf" ("Oracle ZFS Storage Appliance RESTful API Guide, Release 2013.1.4.0") a few times. There are vague references to the "sharesmb" property, and nothing else related to SMB or ACLs. My script correctly sets the "sharesmb" value (used to enabling SMB sharing) to "sharesmb=SHARENAME,abe=off,dfsroot=false" in the JSON payload passed to the API for creating a file system clone. However, I see no property that I can set for the actual ACL list. For NFS, this is easy, it is the value passed in the "sharenfs" property.
The result of a "GET" of the source project and share do not contain any reference to the users listed in the "SMB Share Level ACL" as seen in the web UI.
So, how do I copy over, or explicitly set if necessary, the "SMB Share Level ACLs" on a share via the REST api?
Thanks!
The system has two different kinds of ACLs and both are stored inside your datasets:
ACLs on all files and directories (let's call them file ACLs): These are used for general Unix access and also are active when sharing the filesystem. They are stored with each file or directory (use /usr/bin/ls -V /pool/filesystem/yourFile or /usr/bin/ls -Vd /pool/filesystem/yourDir to see them).
ACLs on filesystems shared via SMB/CIFS protocol (let's call them share ACLs): These are only used when sharing the filesystem and can only be set for the whole filesystem, not individual files inside. Use /usr/bin/ls -V /pool/filesystem/.zfs/shares/yourShareName to see them.
Unfortunately I do not know how to to that over the REST API, but at least you know where your ACLs should end up.
With TYPO3 6.2, my site entirely lives in public_html/mydir, which corresponds to mydir.mydomain.com.
Now I would like to place file storages outside that subdomain / directory, say, public_html/otherdir.
So I tried setting the file storage path to absolute and /home/username/public_html/subdomaindir/public/, as such:
This would result in FAL errors in the backend, no file tree displayed anymore, and the storage going offline.
Can this be done, and if so, how?
And, extra question: If I just set a symlink with
ln -s /home/username/public_html/subdomaindir/public/ /home/username/public_html/mydir/public/
would that (also) work?
My sinatra application is contained in a gem. This means that the assets (css/js) live in the gem. This application writes on the fly generated images and serves them; currently writing into and serving from the public dir.
I prefer to not write the generated images in the gem dir but to a "cache" dir of some sorts under the web-application implementing this gem.
Gem is installed at /var/www/TE/shared/gems/ruby/1.8/gems/tubemp-0.6.0, so assets are at e.g. /var/www/TE/shared/gems/ruby/1.8/gems/tubemp-0.6.0/lib/public/css/.
Gem is deployed in a simple rack-app at /var/www/TE/current/, so I would prefer to write and serve the thumbnails from /var/www/TE/current/public.
However, the setting for a custom public-dir allows only one dir to be set:
set :public_folder, File.join(Dir.pwd, "public")
Breaks the serving of assets; Dir.pwd being the directory of the Rack app. Public is now the dir under the Rack-app, but that is not where the assets are found: they live under the "public" in the gem.
set :public_folder, File.join(gemdir, "public")
Breaks serving of the generated thumbnails.
I could rewrite the application so it serves either the assets or the thumbnails trough Sinatra, but that seems quite some overhead.
Is that the only way? Or is there a way to give Sinatra two or more public dirs to serve its static items from?
I think there's probably a few options, but here's how I got a little app to serve static files from two places, an extension and the main app's public folder:
Directory layout
root/
app.rb
public/images/foo.jpg
lib/sinatra/
gemapp.rb
gemapp/public/images/bar.jpg
The extension
# lib/sinatra/gemapp.rb
module Sinatra
module GemApp
def self.registered(app)
app.set :gem_images, File.expand_path( "gemapp/public/images", File.dirname(__FILE__))
app.get "/images/:file" do |file|
send_file File.join( settings.gem_images, file)
end
app.get "/gemapp" do
"running"
end
end
end
register GemApp
end
The main app
require 'sinatra'
require_relative "./lib/sinatra/gemapp.rb"
get "/" do
"home"
end
It served files fine for me.
I am using the Zend Framework for construction of my site, which uses the application.ini file to store database info (such as username and password). I discovered that typing /application/configs/application.ini in the web browser plainly shows all the contents of the applications.ini file.
How can I prevent this? I tried setting the chmod public access to nothing, but then the website couldn't function anymore because of access rights. Anyone familiar with this?
Your document root setting in your web server configuration should point to the subdirectory that has your index.php in it, not the top-level directory of the whole application install.
E.g., you have something like:
myapp/application/Bootstrap.php
myapp/application/configs/application.ini
myapp/application/controllers/...
myapp/application/views/...
myapp/library/...
myapp/tests/...
myapp/public/index.php
Set your document_root to myapp/public and not myapp.
I solved this problem by writing the following in the .htaccess file:
<Files application.ini>
order allow,deny
deny from all
</Files>
If you don't have access to change your document root and you are using the Apache web server, the "quick and dirty" approach might be to create a ".htaccess" file with the following contents, created in:
/application/configs
Contents:
deny from all