Menu
▾
▴
Re: [Exist-development] [HEADS-UP] Merge in of Security Branch
|
From: Adam R. <ad...@ex...> - 2012-02-08 14:38:00
|
Yes Joe you will need both r and x flags. r so the xquery processor can
read the file and x so that exist can execute it.
On Feb 8, 2012 2:45 AM, "Joe Wicentowski" <jo...@gm...> wrote:
> Hi Adam,
>
> In adapting my applications to the new security architecture, I wanted
> to report my experience and a problem I had.
>
> The immediate problem was that my .xq files, called via the browser,
> were not executing for guest users, even though I thought I understood
> your advice below and set the .xq file's permissions for world to --x.
> The error as reported in the browser said, "Not Allowed To Read
> Collection". I was a bit confused by this since the parent
> collection's permissions allowed reads. No other information appeared
> in exist.log or any other logs, so my troubleshooting led me to
> examine permissions on an expath repo package (demo.xar) I installed
> via the admin page. I saw its permissions on .xq files for world was
> r-x.
>
> In hindsight I realize I was reading your advice below too literally.
> It makes sense that to "execute" a .xq via web browser, we need to not
> only make it "executable" but also "readable".
>
> The new documentation at http://localhost:8080/exist/security.xml is
> very full, but I didn't see anything in the tables in the "Operational
> Permissions" section to the effect that "r-x" is required to "execute
> a .xq file in the browser". "Execute a .xq" probably isn't the right
> terminology ("view" a .xq? "call" a .xq?), but I hope it's clear.
>
> Apologies if this is covered in basic unix permissions model, and
> apologies for my ignorance!
>
> Cheers,
> Joe
>
>
> > 3) The 'u' update flag has been removed. Update really always meant
> > the same as Write anyway, so the Write flag covers all writes to
> > Resources now. The execute 'x' flag replaces that. Execute controls
> > the ability to a) Enter a Collection (just like a folder in Unix) and
> > b) to execute an XQuery script (just like shell scripts and bin's in
> > Unix).
> >
> > 4) Default permissions now follow the Unix model of 755 for
> > Collections i.e. rwxr-xr-x (including /db) and 644 for Resources i.e.
> > rw-r--r--
> > There is the facility in place for a umask, I will begin to expose
> > that along with setUID and setGID options in the near future.
> > NOTE - this means that XQuery scripts are no longer executable by
> > default (from a security perspective, thats important!). You will need
> > to set the 'x' flag on your XQuery scripts appropriately, so you can
> > now control execution by Owner/Group/World/ACL.
>
|
