Security and permissions

Customize rules.
priel71
Posts: 63
Joined: Fri Jan 20, 2017 2:10 am
Location: Kuala Lumpur

Security and permissions

Post by priel71 »

Hi Timur, would you mind letting us know a little on how you suggest implementing RULES in terms of permissions and security? I noticed that RULES creates 777 files and directories, for instance when asking it to do a walk or make thumbnails (I guess it's actually user render that creates the .rules folder).

I've been experimenting with having RULES run by http user, and then users and render groups with various permission settings. I'd like to get to a point where there is some security in various folders, for instance, the .rules folders were only removable by certain users. Once a project has been running for a while, they can hold quite vital data which would be bad to lose (comments, briefs etc).

Would be interested in hearing how you deal with this. I'm hesitant about adding ACL or another more fine-grained permission layer on the file-system.

Cheers,

Peter.
timurhai
Site Admin
Posts: 911
Joined: Sun Jan 15, 2017 8:40 pm
Location: Russia, Korolev

Re: Security and permissions

Post by timurhai »

Hi.

The GUI (web server and browser) has security and permissions.
But if somebody has some other access to the file server (an artist with a locally mounted project), there is no security and permissions from the Rules side.
We can remove the umask (or make it configurable), so as not to create 777 files and folders.
For now we do not deal with it.
Any artist can remove the .rules folder from a shot, with all comments and so on.
So these folders are hidden, and we have not had such accidents yet :)

But I understand that this can be an important issue.

You can run Apache from a user that will create an inaccessible .rules folder, for example.
Timur Hairulin
CGRU 3.3.1, Ubuntu 20.04, 22.04, MS Windows 10 (clients only).

Re: Security and permissions

Post by priel71 »

Haha, yes we do the same here... No accidents so far... But as a paranoid sysadmin I'm always suspecting the worst. Could you maybe let me know where the 0777 settings are for the rules folders and its contents? I'd like to take a stab at implementing a decent permission structure here with a few rules that aren't too restrictive from a user's perspective. I was thinking about running apache under render user, and set 755 as their permissions. This way both the .rules folders and their content would be safe, as well as the renders. That way I can also run my script for source deployment via render user and I'd have stronger permissions on that material as well... It does cause some additional problems which I'm still trying to work out, but it's something I'd like to experiment with if possible.

Cheers,
Peter.
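
The umask effect and the 755 layout discussed in the posts above, as an added example that is not part of the original thread or of CGRU's code. The function names, the temporary tree and the file name `comments.json` are constructed for illustration, and `stat -c` assumes GNU or busybox `stat`:

```sh
#!/bin/sh
# Added example: shows how umask decides the mode of a new .rules folder,
# then audits and tightens existing ones. Names and paths are hypothetical.

# Octal mode of a path (GNU/busybox stat syntax, an assumption of this example).
mode_of() { stat -c '%a' "$1"; }

# mkdir asks the kernel for mode 0777; the process umask removes bits from it.
# Runs in a subshell so the caller's umask is left alone. Usage: UMASK DIR
mkdir_under_umask() (
    umask "$1"
    mkdir "$2"
    mode_of "$2"
)

# List .rules directories under ROOT that anyone can write to.
find_open_rules() {
    find "$1" -type d -name .rules -perm -0002 -print
}

# Remove group/other write from every .rules tree under ROOT
# (777 -> 755 for folders, 666 -> 644 for files). Ownership is not changed;
# run it as the account that owns the folders, e.g. the web server user.
harden_rules() {
    find "$1" -type d -name .rules -prune -exec chmod -R go-w {} +
}

# Constructed sample tree: two shots, created under different umasks.
demo() {
    root=$(mktemp -d) || return 1
    mkdir "$root/shot_a" "$root/shot_b"
    echo "umask 000 -> $(mkdir_under_umask 000 "$root/shot_a/.rules")"
    echo "umask 022 -> $(mkdir_under_umask 022 "$root/shot_b/.rules")"
    ( umask 000; echo '{}' > "$root/shot_a/.rules/comments.json" )
    echo "world-writable before: $(find_open_rules "$root")"
    harden_rules "$root"
    echo "world-writable after: [$(find_open_rules "$root")]"
    rm -rf "$root"
}
demo
```

With 755 on a `.rules` folder owned by another account, other users cannot delete its contents, but anyone with write access to the parent shot folder can still rename it unless that parent has the sticky bit set.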

Re: Security and permissions

Post by timurhai »

Timur Hairulin
CGRU 3.3.1, Ubuntu 20.04, 22.04, MS Windows 10 (clients only).

Re: Security and permissions

Post by priel71 »

Thanks Timur, got it.