
Security and permissions

Posted: Mon Mar 06, 2017 3:23 am
by priel71
Hi Timur, would you mind letting us know a little on how you suggest implementing RULES in terms of permissions and security? I noticed that RULES creates 777 files and directories, for instance when asking it to do a walk or make thumbnails (I guess it's actually user render that creates the .rules folder).

I've been experimenting with having RULES run by http user, and then users and render groups with various permission settings. I'd like to get to a point where there is some security in various folders, for instance, the .rules folders were only removable by certain users. Once a project has been running for a while, they can hold quite vital data which would be bad to lose (comments, briefs etc).

Would be interested in hearing how you deal with this. I'm hesitant adding ACL or another more fine-grained permission layer on the file-system.

Cheers,

Peter.

Re: Security and permissions

Posted: Thu Mar 09, 2017 4:22 pm
by timurhai
Hi.

GUI (web server and browser) has security and permissions.
But if somebody has some other access to the file server (an artist with a locally mounted project), there is no security and permissions from the Rules side.
We can remove (or make configurable) the umask, so as not to create 777 files and folders.
For now we have no deal with it.
Any artist can remove the .rules folder from a shot, with all comments and so on.
So these folders are hidden and we have not had such accidents yet :)

But I understand that this can be an important issue.

You can run Apache from a user that will create an inaccessible .rules folder, for example.

Re: Security and permissions

Posted: Thu Mar 09, 2017 4:46 pm
by priel71
Haha, yes we do the same here... No accidents so far... But as a paranoid sysadmin I'm always suspecting the worst. Could you maybe let me know where the 0777 settings are for the rules folders and its contents? I'd like to take a stab at implementing a decent permission structure here with a few rules that aren't too restrictive from a user's perspective. I was thinking about running Apache under render user, and set 755 as their permissions. This way both the .rules folders and their content would be safe, as well as the renders. That way I can also run my script for source deployment via render user and I'd have stronger permissions on that material as well... It does cause some additional problems which I'm still trying to work out, but it's something I'd like to experiment with if possible.

Cheers,
Peter.

Re: Security and permissions

Posted: Thu Mar 09, 2017 5:18 pm
by timurhai

Re: Security and permissions

Posted: Fri Mar 10, 2017 2:11 am
by priel71
Thanks Timur, got it.