From: Joe W. <jo...@gm...> - 2012-02-08 02:46:05
|
Hi Adam, In adapting my applications to the new security architecture, I wanted to report my experience and a problem I had. The immediate problem was that my .xq files, called via the browser, were not executing for guest users, even though I thought I understood your advice below and set the .xq file's permissions for world to --x. The error as reported in the browser said, "Not Allowed To Read Collection". I was a bit confused by this since the parent collection's permissions allowed reads. No other information appeared in exist.log or any other logs, so my troubleshooting led me to examine permissions on an expath repo package (demo.xar) I installed via the admin page. I saw its permissions on .xq files for world was r-x. In hindsight I realize I was reading your advice below too literally. It makes sense that to "execute" a .xq via web browser, we need to not only make it "executable" but also "readable". The new documentation at http://localhost:8080/exist/security.xml is very full, but I didn't see anything in the tables in the "Operational Permissions" section to the effect that "r-x" is required to "execute a .xq file in the browser". "Execute a .xq" probably isn't the right terminology ("view" a .xq? "call" a .xq?), but I hope it's clear. Apologies if this is covered in basic unix permissions model, and apologies for my ignorance! Cheers, Joe > 3) The 'u' update flag has been removed. Update really always meant > the same as Write anyway, so the Write flag covers all writes to > Resources now. The execute 'x' flag replaces that. Execute controls > the ability to a) Enter a Collection (just like a folder in Unix) and > b) to execute an XQuery script (just like shell scripts and bin's in > Unix). > > 4) Default permissions now follow the Unix model of 755 for > Collections i.e. rwxr-xr-x (including /db) and 644 for Resources i.e. > rw-r--r-- > There is the facility in place for a umask, I will begin to expose > that along with setUID and setGID options in the near future. > NOTE - this means that XQuery scripts are no longer executable by > default (from a security perspective, thats important!). You will need > to set the 'x' flag on your XQuery scripts appropriately, so you can > now control execution by Owner/Group/World/ACL. |