setuid confusion

der.hans PLUGd at
Sat Nov 3 04:20:36 MST 2007

On 01 Nov 2007, alex at wrote:

> Here's what I've set up:
>  - /www/dev and /www/live are both working copies of the same SVN repository.
>  - /www/dev is owned by me, and a group called wwwdev.  The directory
> and all files in it are group-writeable, so anyone in the wwwdev group
> can make changes and commit them.
>  - /www/live is owned by a user wwwlive (also group wwwlive).  No one
> else is in this group, only this user.  Thus no other users can edit
> the files in this directory directly.
>  - I've written a very simple C program that runs an 'svn update'
> command for the /www/live directory.  The binary version, called
> 'live_svn_update' is owned by wwwlive, and is setuid and setgid.
> (chmod ug+s).  So, anyone can run this program to bring the /www/live
> tree up to the latest of what's in the repository (checked in from
> /www/dev), even though they can't edit anything in /www/live directly.

How about using sudo rather than a setuid program?

That also allows you to maintain a group of people who have access to do
the updates that is a subset of those who have access to the machine.

Also, since you seem to have put both in the same filesystem, have you
made sure the dev area can't run you out of space?


#  "I have seen the enemy, and it is shiny." -- Benjy Feen, 22Jun2001
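As an added example (not alex's program, which the thread does not show, and not anything from PLUG), here is what a setuid/setgid wrapper of the kind alex describes has to get right, and in comments why the sudo route suggested above is simpler. It assumes svn lives at /usr/bin/svn and uses /www/live as the HOME svn will see; the sudoers group name wwwdeploy is made up for the illustration.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/*
 * Hardened setuid/setgid wrapper that runs a fixed "svn update" as wwwlive.
 * Added example, not the program from the post. Assumed paths: svn at
 * /usr/bin/svn, wwwlive's home/config dir /www/live.
 *
 * The sudo alternative from the reply needs no setuid bit: install this (or a
 * plain script) mode 0755 owned by root and grant it with a sudoers line like
 *   %wwwdeploy ALL=(wwwlive) NOPASSWD: /usr/local/bin/live_svn_update
 * (group name hypothetical). sudo then resets the environment and drops the
 * caller's supplementary groups itself, which a non-root setuid binary cannot.
 */
#define SAFE_HOME "/www/live"                          /* assumed */
static const char *const SVN_BIN  = "/usr/bin/svn";    /* absolute: never search PATH */
static const char *const LIVE_DIR = "/www/live";

/* The only environment svn is allowed to see; the caller's is discarded
 * entirely. PATH could redirect any helper svn execs, HOME selects the
 * ~/.subversion config (which can name the ssh tunnel command for svn+ssh://
 * URLs) and SVN_SSH overrides that command directly. NULL-terminated. */
const char *const *safe_env(void)
{
    static const char *const env[] = {
        "PATH=/usr/bin:/bin",
        "HOME=" SAFE_HOME,
        NULL
    };
    return env;
}

/* Make the real ids match the effective (wwwlive) ids, so svn and anything it
 * execs cannot switch back to the caller. Returns 0 on success, -1 on error.
 * A setuid binary whose target is not root may not call setgroups(), so the
 * caller's supplementary groups stay attached; sudo (running as root) drops
 * them before switching to the target user. */
int become_target(void)
{
    gid_t g = getegid();
    uid_t u = geteuid();
    if (setregid(g, g) != 0) return -1;
    if (setreuid(u, u) != 0) return -1;
    return 0;
}

/* Post-condition check: real and effective ids agree. */
int ids_consistent(void)
{
    return getuid() == geteuid() && getgid() == getegid();
}

int main(int argc, char **argv)
{
    (void)argv;
    /* Refuse every argument: otherwise a caller could pass e.g. --config-dir
     * and point svn at a configuration of their own choosing. */
    if (argc != 1) {
        fputs("usage: live_svn_update (takes no arguments)\n", stderr);
        return 2;
    }
    if (become_target() != 0) {
        perror("setregid/setreuid");
        return 1;
    }
    if (!ids_consistent()) {
        fputs("id drop incomplete, refusing to run svn\n", stderr);
        return 1;
    }
    /* Fixed argv and fixed environment: nothing here comes from the caller. */
    const char *const av[] = { "svn", "update", "--non-interactive", LIVE_DIR, NULL };
    execve(SVN_BIN, (char *const *)av, (char *const *)safe_env());
    perror("execve");   /* only reached if svn could not be started */
    return 1;
}
```

If the setuid route is kept, the binary is installed owned by wwwlive with mode 4750 or 6750 and a group restricted to the people allowed to deploy; with sudo the same file stays a normal 0755 root-owned program and the allowed group lives in sudoers instead.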
