Apps have code that is deployed in a directory on the filesystem. An app-specific supplemental group is used to protect access to this directory: only the account that owns the files and users who carry that group can read and run the code, and nobody else on the shared filesystem can.

For example, with the FanSim, we use the supplemental group `atsfan`. If the app deployment directory is `fansim`, these are the commands to protect the app. Run them as the account that owns the files, from the parent directory of `fansim` (that account must itself be a member of `atsfan`, otherwise `chown` refuses to hand the files to that group):

```
# owner stays the deploying account, group becomes atsfan
# ("owner:group"; the old "owner.group" spelling is deprecated)
chown -R "$USER:atsfan" fansim/

# setgid on the directories only, so files created later inherit the
# atsfan group; the bit is never wanted on files
find fansim/ -type d -exec chmod g+s {} +

# owner rwx, group r-x (X: execute only on directories and on files that
# are already executable), others nothing; d:o:--- is a default ACL so
# that files created later in these directories are closed to others too
setfacl -R -m u::rwX,g::rX,o::---,d:o:--- fansim/

# for any Perl scripts anywhere under fansim/, make sure the s bit is off
find fansim/ -type f -name '*.pl' -exec chmod g-s {} +
```

This ensures that the files underneath `fansim` are readable and executable only by the owning account and by users who are in the `atsfan` group: the `o::---` entry and the matching default ACL close them to everyone else, and the setgid bit on the directories makes files added later inherit the `atsfan` group. Check the result with `getfacl -R fansim/`, or with `find fansim/ -perm /o=rwx`, which should print nothing; a user can confirm group membership with `id -nG`. A script to run these commands is here: `/nfs/04/ndem0009/bin/protectapp`
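The same procedure as a reusable script with a check that confirms the result afterwards. This is an added example, not the `protectapp` script the page points to; it assumes GNU coreutils and findutils and, for the default ACL only, the `acl` package (`setfacl`). It uses `chgrp` and `chmod` for the base bits instead of the page's `chown`/`setfacl` entries, and the function names `protect_app` and `check_protected` are made up for the example:

```shell
#!/bin/sh
# protect_app DIR GROUP     - lock an app deployment directory down to its
#                             owner and one supplemental group
# check_protected DIR GROUP - return 0 only if DIR is fully locked down
# Added example; function names are invented, not the page's protectapp script.
# Assumes GNU coreutils/findutils; setfacl (acl package) only for the default ACL.

protect_app() {
    dir=$1
    group=$2
    [ -d "$dir" ] || { echo "protect_app: $dir is not a directory" >&2; return 1; }

    # Every file and directory is group-owned by the app group (a non-root
    # caller must be a member of it, or this step fails).
    chgrp -R "$group" "$dir"

    # Base bits: owner rwx, group r-x, others nothing. Capital X grants execute
    # only on directories and on files that are already executable, so data
    # files end up 640 and scripts/binaries 750.
    chmod -R u=rwX,g=rX,o= "$dir"

    # setgid on directories only, so files created later inherit the group.
    # The bit is never wanted on files: strip setuid/setgid from all of them.
    find "$dir" -type d -exec chmod g+s {} +
    find "$dir" -type f -exec chmod u-s,g-s {} +

    # Default ACL so that files created later are closed to others as well;
    # plain chmod cannot express this, so it needs setfacl and ACL support.
    if command -v setfacl >/dev/null 2>&1; then
        setfacl -R -m d:o:--- "$dir" 2>/dev/null ||
            echo "protect_app: default ACL not set on $dir (no ACL support?)" >&2
    else
        echo "protect_app: setfacl not installed, default ACL not set" >&2
    fi
}

check_protected() {
    dir=$1
    group=$2
    # Count entries that violate the policy: wrong group, any 'other' bit,
    # a directory without setgid plus group r-x, a file with a set-id bit,
    # or a file the group cannot read.
    violations=$(find "$dir" \
        \( ! -group "$group" \) -o \
        \( -perm /007 \) -o \
        \( -type d ! -perm -2050 \) -o \
        \( -type f -perm /6000 \) -o \
        \( -type f ! -perm -040 \) | wc -l | tr -d ' ')
    [ "$violations" -eq 0 ]
}

# Stand-alone use: sh protectapp.sh fansim atsfan
if [ $# -eq 2 ]; then
    protect_app "$1" "$2" && check_protected "$1" "$2"
fi
```

`check_protected` is also the thing to run after every redeploy: a file copied in with `cp -p` from somewhere else keeps its old group and mode, and this catches it before anyone outside the group does.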