MapScript Filesystem Hierarchy and Permissions
Deploying a MapScript application (e.g. pMapper) with correct ownerships and permissions is not as straightforward as one might expect.
Here are some of the concerns we faced:
- MapScript needs to write temporary map images as the Apache user
- The web application (pMapper) may need to write temporary files too
- .map files can contain credentials to access PostGIS databases, so they should not be world-readable
- Webmaster should not have root privileges
Our solution requires:
- Create a mapfiles group; the Apache user and people writing .map files should belong to this group. Every .map file is readable by this group, but not world readable.
- Create a webmasters group; all the people writing web and php pages should belong to this group only.
- Files created by the Apache user are stored in the directory www-data, which is a subfolder of the DocumentRoot. Webmasters do not require write access to this directory, so it is kept outside the web application directory.
- A symbolic link is required to move the legend directory (Apache writable) outside the webmaster writable tree.
- The .map files are kept outside the DocumentRoot for increased privacy; they are not world readable.
Supposing that Apache runs as the www-data user, that our webmaster's name is Walter and that Walter should manage both web pages and map files, we execute:
  addgroup webmasters
  adduser walter webmasters
  addgroup mapfiles
  adduser walter mapfiles
  adduser www-data mapfiles
The following is the schema of the filesystem hierarchy with ownership and permissions. Where not declared, ownership and permissions are inherited from the parent folder.
  DocumentRoot
  |
  |---- pmapper/
  |     Owner: user.webmasters
  |     Directory: drwxrwsr-x (2775)
  |     File: -rw-rw-r-- (0664)
  |     |
  |     \---- images/legend -> ../../www-data/legend
  |
  \---- www-data/
        Owner: root.www-data
        Directory: drwxrwsr-x (2775)
        File: -rw-rw-r-- (0664)
        |
        |---- tmp
        |     Temporary map images created by
        |     MapScript and removed by a cronjob
        |
        \---- legend
              Temporary files from pMapper

  /var/lib/mapscript/
  Owner: root.mapfiles
  Directory: drwxrws--- (2770)
  |
  \---- www.dominio.it/
        Owner: root.mapfiles
        Directory: drwxrws--- (2770)
        Contains .map files
        |
        \---- file.map
              Owner: utente.mapfiles
              File: -rw-r----- (0640)
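As an added example (not part of the original page), the following shell script builds the hierarchy above under a scratch directory with the stated mode bits and then audits them, reporting any .map file that has become readable beyond the mapfiles group; chown is skipped because it needs root and the real groups, and the script assumes GNU stat.

```shell
#!/bin/sh
# Added example: recreate the page's layout under $1 (a scratch root standing in
# for both the DocumentRoot and /var/lib/mapscript) and check the mode bits.

mode_of() { stat -c '%a' "$1"; }   # GNU stat: octal mode including setgid bit

build_hierarchy() {
    base="$1"
    mkdir -p "$base/DocumentRoot/pmapper/images" \
             "$base/DocumentRoot/www-data/tmp" \
             "$base/DocumentRoot/www-data/legend" \
             "$base/mapscript/www.dominio.it"
    # webmaster tree and Apache-writable tree: setgid so new files keep the group
    chmod 2775 "$base/DocumentRoot/pmapper" "$base/DocumentRoot/pmapper/images" \
               "$base/DocumentRoot/www-data" "$base/DocumentRoot/www-data/tmp" \
               "$base/DocumentRoot/www-data/legend"
    # mapfiles tree: group only, no world access at all
    chmod 2770 "$base/mapscript" "$base/mapscript/www.dominio.it"
    : > "$base/mapscript/www.dominio.it/file.map"
    chmod 0640 "$base/mapscript/www.dominio.it/file.map"
    # legend lives in www-data; the link lets pMapper find it from images/
    ln -sfn ../../www-data/legend "$base/DocumentRoot/pmapper/images/legend"
}

# Returns 0 when every rule holds, 1 otherwise; prints each violation.
audit_hierarchy() {
    base="$1"; rc=0
    # .map files hold database credentials: exactly owner rw, group r, world none
    for f in "$base"/mapscript/*/*.map; do
        [ "$(mode_of "$f")" = "640" ] || { echo "bad mode on $f"; rc=1; }
    done
    for d in "$base/mapscript" "$base"/mapscript/*/; do
        [ "$(mode_of "$d")" = "2770" ] || { echo "bad mode on $d"; rc=1; }
    done
    for d in "$base/DocumentRoot/pmapper" "$base/DocumentRoot/www-data"; do
        [ "$(mode_of "$d")" = "2775" ] || { echo "bad mode on $d"; rc=1; }
    done
    # the legend link must point into the www-data tree, not the webmaster tree
    [ "$(readlink "$base/DocumentRoot/pmapper/images/legend")" = "../../www-data/legend" ] \
        || { echo "legend link missing or wrong"; rc=1; }
    return $rc
}
```

Running audit_hierarchy from cron on the real paths gives early warning when a webmaster accidentally widens a .map file.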
tecnica/gps_cartografia_gis/mapscript_hierarchy.txt · Last modified: 2009/07/24 20:48 by niccolo