Hyland Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Content Store filesystem Permissions

high
Champ in-the-making
Champ in-the-making

‎11-20-2010 11:39 AM

I am concerned about the default world-readable filesytstem permissions on the contentstore.  I have searched the forums and find nothing on this issue.

I have installed Alfresco Community 3.3g.  It is my first experience with Alfresco.  I installed a few weeks ago on Redhat 5 (latest version with updates applied) x86_64 using the Alfresco Wiki (instructions for Centos) as a guide.  Alfresco is running fine.

My concern is that the contentstore has filesystem permissions set to 755 (directories) and 644 (files).

Since tomcat is the owner, and tomcat is what accesses the files, why are the permissions so open (world readable)?  This means that if anyone can get a local shell of any non-priveleged user, they can read (copy) the entire collection of documents from the contentstore.  Are they set like this so that  some other component can access the contentstore when running as a different user?

While I am impressed with Alfresco thus far, this permissions issue may be the deal-killer for me, as I am responsible for keeping the files secure and world-readable permissions on important documents are not acceptable.  This goes against all of my experience as an administrator.  So, I assume I must have missed a step or done something wrong.

When I try to fix permissions with something like:

cd /var/lib/alfresco/alf_data/
chmod -R go-rwx

That breaks Alfresco (datastore integrity checks fail).

How should I tighten the permissions on the datastore without breaking Alfresco?  Was there something I should have done when installing to prevent this problem?

Thanks!

–Brian
Labels:
0 Kudos
3 REPLIES 3

mrogers
Star Contributor
Star Contributor

‎11-20-2010 12:07 PM

You should be able to set the permissions such that only the account that runs alfresco and your backup software has access to the content store.

However make sure you don't touch the lucene indexes while Alfresco is running.
0 Kudos

high
Champ in-the-making
Champ in-the-making

‎11-20-2010 12:31 PM

mrogers,

Thank you for the prompt reply.

I tried as you suggested and, indeed, by stopping tomcat before changing the permissions, then restarting tomcat, I was able to get alfreso to run properly after resetting permissions with:

cd /var/lib/alfresco/alf_data/contentstore
chmod -R go-rwx *

Howewer, when I uploaded a file through alfresco so that the file would make its way into the contentstore, I checked permissions again and that new file had the same open permissions as before:

cd /var/lib/alfresco/alf_data/contentstore
find . -type f -not -perm u=rw,g=,o= -exec ls -ld "{}" \;
-rw-r–r– 1 tomcat tomcat 1150 Nov 20 09:21 ./contentstore/2010/11/20/9/21/199dbb03-bda8-40d7-87a3-e148c5f1bde4.bin

So, I suppose the only way to address this going forward is with a cron job (shutdown tomcat, reset permissions, startup tomcat)  or is there a more elegant alfresco way to do it, say with a (tomcat or lucene?) configuration parameter?

–Brian
0 Kudos

high
Champ in-the-making
Champ in-the-making

‎11-20-2010 12:51 PM

I found that I must set the umask for tomcat in it's startup script:

I put this:  umask 066

near the top of :  /usr/sbin/tomcat6

And restarted tomcat.  This fixed the problem.  I will have to remember to do this with each upgrade of tomcat.  I do not see any configuration parameter in tomcat's configuration file for this.

References:
http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg120526.html
http://serverfault.com/questions/152936/how-to-set-default-umask-for-tomcat-webdav-servlet
0 Kudos
Getting started

Tags

Find what you came for

We want to make your experience in Hyland Connect as valuable as possible, so we put together some helpful links.

Copyright © 2024 Khoros, LLC