I have a directory where a bunch of web developers need to work in/upload files to. All the developers need read/write to this directory, which is set up using POSIX ACLs.
When a developer creates a new file, the permissions are set to 660 (using ACL mask), and the user file is owned by the developer, group is apache, and then group ACLs for the appropriate developer groups (rw).
Unfortunately, none of the developers understand what ACLs are, but they think they're clever and start chmodding files to 440 to prevent the apache user from writing to them (since when they write to the directory they own the file), but then it locks out all the other developers from editing those files, since "chmod 440" sets the ACL mask to r--. When I provision the site, I have the permissions set correctly so they don't have to do this (the apache user won't have write permissions to those files, the devs don't have to chown them). They do an "ls -l" and see
-rw-rw----+ 1 fuckeduser apache 22348 Nov 11 20:22 myfile.php
and think they need to do something to fix it so apache can't write to the file because they don't understand how permissions work.
I've sent out emails multiple times and asked the offending developers to stop doing this directly, but that has failed.
I thought about creating a wrapper bash script for chown to stop them from using that command in the shared directory, and sticking an alias in their bashrc, since they're really not clever enough to understand bash aliases, and the ones that do, I'm not too concerned about that. This is ugly, and I'm not sure I like it, and not sure what happens if they use chown in their SFTP client, if it uses the system chown or if it will use the aliased chown, and I don't have a good way to test this, since they all use different clients.
Is there a better way to handle this, or am I on the right track?
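An added example, not part of the original post: a check that reads `getfacl -R` output and lists the named ACL entries that still grant write but are cut off by a mask without write, which is the state a "chmod 440" leaves behind. The sample dump, the path `srv/www/site`, the user `devuser` and the groups `webdevs` and `designers` are constructed for illustration.

```shell
#!/bin/sh
# Added example: find files whose ACL mask was clamped (e.g. by chmod 440).

# Reads `getfacl -R` text on stdin. Prints "<file> <entry>" for each named
# user/group entry that grants w while the file's mask has no w.
find_clamped_acls() {
  awk '
    /^# file: / { file = substr($0, 9); n = 0; next }
    /^(user|group):[^:]+:/ {
      sub(/[ \t]*#.*/, "")            # drop the "#effective:" comment
      split($0, f, ":")
      if (index(f[3], "w")) want[++n] = f[1] ":" f[2]
      next
    }
    /^mask::/ {
      # getfacl prints the mask after the named entries, so decide here
      split($0, f, ":")
      if (!index(f[3], "w"))
        for (i = 1; i <= n; i++) print file, want[i]
      n = 0
    }
  '
}

# Constructed sample: index.php is as provisioned, myfile.php was chmod 440'd.
SAMPLE_ACLS=$(cat <<'EOF'
# file: srv/www/site/index.php
# owner: devuser
# group: apache
user::rw-
group::r--
group:webdevs:rw-
group:designers:rw-
mask::rw-
other::---

# file: srv/www/site/myfile.php
# owner: devuser
# group: apache
user::r--
group::r--
group:webdevs:rw-      #effective:r--
group:designers:rw-    #effective:r--
mask::r--
other::---
EOF
)

printf '%s\n' "$SAMPLE_ACLS" | find_clamped_acls
```

On a live tree the input would come from `getfacl -R` on the shared directory, and `setfacl -m m::rw` on a reported file restores the mask.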