It would be best practice to do this. Nate is working on packaging (.deb) and our Anisble setup to accomplish this - getting these permissions exactly correct I think will be a big part of that effort. All of that said - if you were really going to pursue this but just install and use the tool shed normally from the Galaxy webapp it seems kind of a wasted effort. These dependencies would be installed as the Galaxy user and run arbitrary code (from a sort of sys admin perspective). So if I were going to go through this effort I would probably try to setup a separate configuration and user for installing things from the tool shed and disable the main Galaxy instance and user from doing this. That would add considerably to this effort. Anyway - it is a best practice so I don't mean to discourage it - but realistically I don't think many Galaxy deployments have gone through this effort. -John On Mon, Jul 20, 2015 at 1:37 PM, lejeczek <peljasz@yahoo.co.uk> wrote:
hi everybody
I'd like to ask if you think it's worthwhile is pursuing finely grained tree permissions? Would this improve security to leave out everything but only files/folders necessary for writing - to galaxy user what needs to write everything else root? Or just full perms to galaxy user on whole tree is the only way?
many thanks.
___________________________________________________________ Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at: https://lists.galaxyproject.org/
To search Galaxy mailing lists use the unified search at: http://galaxyproject.org/search/mailinglists/