We have a CMS application that adds files into folders. we would require write rights on that folder for the purpose, but, want to avoid giving 777 rights as the site that the application is content managing is a public site.

Could somebody plz help soon.

Regards,
Suruchi

u could add the users into a group & give write permission for that group.

But still we need more info.

write permission for whom??
for every one??
for just user & group??

u can do any combination of users,group & others

ok got ur mail. I will post here as info for others too.

u want the application to be able to write? U can use the setuid fuction to set the user id of the program or application to match that of the owner of the file.

u can use to check wat is its syntax.

OR

u can set the permission recursively of your folder as such
I m setting the following permissions
user: all permissions
group:read-write permissions(somegroup)
others:read

if the application's gid is set to group "somegroup".then it can write & modify files in "myfoder" & all subfolders.
u can set the group id with setgid function. this is more easier to do than setuid.
or u can set the group for the application like this

hope this helped

will this work if i access the application from a browser. wouldn't the user then become 'nobody' as is the case generally?

may be I m not sure about that but in that case u 'have' to use setuid or setgid function in the application.

that will set the user id & group id to the value u specify,even if the application is running as a nobody

i checked... it doesn't allow the application to setuid or chmod unless 'nobody' is made the owner... which of course we can't do... any other way out... ??

What kind of CMS do you use?
Does it indeed run as the "nobody" user (via the browser)?
What web server are you running? Apache? Tomcat? Combination of both? And under which user are they running/accessing files on your system? Nobody?

Typically, Apache/Tomcat need to be started as root, to allocate port 80 (a privileged port) to listen to HTTP requests. After that, they should switch to a non-privileged user. This can be nobody, but doesn't have to be.
My Tomcat is for instance running under a dedicated user ie user "tomcat" or something like that.
This user can then be added to a group, let's say "www_users".
Furthermore, in this group, you can add one or more users that will "manage" the website.

The folders that the CMS must be able to change as well as any other folders that your web server needs to change (ie folders with logfiles), must be given permission 2770. Other folders are given 2750 or even 2700.
(note the "2" in front for setGID - which is a nice way to force the group ownership of newly created files).
All folders must have one of the management users as owner, not the dedicated webserver user (ie the "tomcat" user). This makes sure that, if anyone abused the site to create some bulshit files on the system, you can always delete them via the management user's account.
Any files created by the webserver user (ie the tomcat user) can have standard file ownership. No setUID tricks needed. Just make sure that the files are group writable (umask 007 or something like that).

Thanks... i tested that and it does help... but now i have another issue... would this work if i host the Site on a different web server and the CMS on a different one. would one web server user be recognized as an authenticated user of another web server? i suppose not...
plz let me know...

User authentication is always based on some kind of database that holds the username-password combinations.
Typical examples are:
-/etc/passwd & shadow files
-MySql databases
-your own made database file, together with some PAM authentication rules
-LDAP or NIS for central user management accross multiple systems.

The only thing you need to make sure is that both web servers use the same user authentication database.

But my first question is, why would you need to run 2 webservers?
And the second one: what kinds of authentication methods are already used on the 2 machines?
And finally, what level of security (ie encryption, certification, etc) do you want for your websites?

i do not have all the specifications of the web server as they belong to our client...

the web servers need to be seperate 'coz they do not want to host multiple sites on one server in fear of a fault that might stop functioning of all sites. so... the sites would be hosted on different machines...

Well, then you'll need to choose a system that doesn't provide such a "single point of failure" behaviour, ie that won't bring down your sites if the system breaks. If I were you, I would try to use LDAP or a central MySql database for authentication, but that's just my opinion. There are many possibilities.
It depends also on how your CMS is going to work, what authentication methods it supports, and alike.
But I have read that PAM modules allow for very flexible user authentication methods, in many ways.
I'm however no expert in these matters.