PyBlosxom permissions headaches: hand edit versus XML-RPC

Generally I use BloGTK via XML-RPC to post here. Sometimes I want to ssh in and hand edit files as well. Occasionally I want to hand create entries and maybe even edit via BloGTK. Either way, permissions become a pain in the ass. Apache runs as user $APACHEU and group $APACHEV (I'm using shell variables rather than revealing the actual names out of bootless paranoia). When I log in, I'm user $UCHE in group $OGBUJIS. Here is the rather brute way I solved part of the problem.

I set the SGID (setgid) bit on every directory into which I expect pyblosxom.cgi to write files:

    chmod g+s $DATADIR
    chmod g+s $DATADIR/metadata
    chmod g+s $DATADIR/comments

I made sure the group of each was $OGBUJIS, of course. So now whenever a new file is created through XML-RPC or some other plug-in, it's created with group $OGBUJIS, and I can happily ssh in to edit as $UCHE.

This doesn't solve the converse problem of using CGI to edit files I created by hand, but that is rare enough that I just log in as root and use chown to sort things out.
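Added example (not part of the original post): a small POSIX sh check that verifies the setup described above, i.e. that each data directory carries the setgid bit and is owned by the expected group, and prints the chmod/chgrp needed where it is not. DATADIR and the group name are passed as arguments; the metadata and comments subdirectory names are taken from the post.

```shell
#!/bin/sh
# check_sgid_dir DIR GROUP
# Returns 0 if DIR exists, has the setgid bit set and belongs to GROUP,
# otherwise prints what is wrong (with the fix) to stderr and returns 1.
check_sgid_dir() {
    dir=$1
    want_group=$2
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir" >&2
        return 1
    fi
    status=0
    # `test -g` is true when the setgid bit is set on the path
    if [ ! -g "$dir" ]; then
        echo "setgid bit not set on $dir (fix: chmod g+s $dir)" >&2
        status=1
    fi
    # fourth field of `ls -ld` is the group name (numeric if unknown);
    # used instead of stat(1) because its flags differ between GNU and BSD
    have_group=$(ls -ld "$dir" | awk '{print $4}')
    if [ "$have_group" != "$want_group" ]; then
        echo "group of $dir is $have_group, expected $want_group (fix: chgrp $want_group $dir)" >&2
        status=1
    fi
    return $status
}

# check_blog_dirs DATADIR GROUP
# Checks DATADIR plus the metadata and comments subdirectories that
# pyblosxom.cgi writes into; returns 0 only if all three pass.
check_blog_dirs() {
    datadir=$1
    group=$2
    rc=0
    for d in "$datadir" "$datadir/metadata" "$datadir/comments"; do
        check_sgid_dir "$d" "$group" || rc=1
    done
    return $rc
}
```

Run it as `check_blog_dirs "$DATADIR" "$OGBUJIS"` after logging in; a non-zero exit means a new file written by the CGI would not end up in the editing group.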

Does anyone else have a better way? I thought of Apache suexec, but my past experiences with it have been nightmares of impenetrable detail.

[Uche Ogbuji]

via Copia
1 response
Using ACLs will give you more granular privileges.
I'm working on getting BloGTK fine tuned. I can edit posts as well as delete. Two features I'm looking at is the ability to add new categories and a way to preserve mtime when posts are modified. If I can solve these two problems, then there isn't anything I could do locally on the server that I couldn't do from here. The RPCs should handle it all.