Tuesday, February 17, 2009

ACLs for serving websites from a ZFS filesystem (Sol)

Having your web servers backed by a zfs filesystem allows for the setting of ACL's to allow for permissions propagation. This is important especially on multi-user web hosting systems where multiple users (minimally the webmaster, the system administrator, and the web server processes) all need to be able to read and often write to web content. Sure, you could do this with simple POSIX group permissions, but often those are too limiting or lead to wider permissions than are desirable. ACLs, while adding some complexity, allow for very specific and controllable permissions to be attached to files. ZFS takes it one step further than POSIX ACLs by enabling granular control over attributes like execution vs. read; write vs. permission changes; append data vs. truncate; even permit or deny the creation of subdirectories. All of these ACL permissions can optionally be set to inherit down within the filesystem structure.

You will need to probably cover two bases: One with read/write permissions to the web server process, where the web server itself need to be able to change or add content, and one that is read only. The site webmaster and system administrator should always have read/write access to their own content. Now because we are lucky enough to know Ben Klang who is a ninja and everyone aspires to be like we get access to his .bashrc file. It has a special wrapper built in that allows use to use to prefix commands like chmod with an s like schmod to have SUN_PERSONALITY exported for you. I would show you guys how to do that but your not ninja's like Ben and he'd probably kill me and all your family members just for thinking about it. So yeah you'll just have to do it in a one liner. SUN_PERSONALITY is only required on Nexenta to invoke the Solaris-bundled versions of `chmod' and `ls'. On a "vanilla" Solaris or Solaris Express system, no such environment variable is necessary.

Read Only
Set only read permissions. This is useful for setting as the default on the entire website and then applying the below read/write permissions to only the applicable folders.

#> SUN_PERSONALITY=1 chmod A+group:www-data:read_data/execute:file_inherit/dir_inherit:allow

Read / Write
Set read/write permissions so they propagate down as well. This is useful for a toplevel writeable directory.

#> SUN_PERSONALITY=1 chmod A+group:www-data:list_directory/read_data/add_file/write_data/add_subdirectory/

#> schmod A+group:www-data:read_data/execute:file_inherit/dir_inherit:allow
#> sls

Readers who read this page, also read:

Bookmark and Share My Zimbio http://www.wikio.com