Linux: 'transferring'/mirroring read-only permissions for symlinks (for webserver)

Please let me explain what I mean by the question:

This is the context: I'm a user on a webserver, where I have phpicalendar installed; then, I choose a directory, say /webroot/mylogin/phpicalendar/mycals to host my .ics calendar text files.

EDIT: Previously, instead of '/webroot', I had used '/root' - but I really didn't mean the Linux '/root' directory - I just wanted to use it as a stand-in for the real location on the webserver (so it serves just as a common point of reference). Otherwise, what I mean by common point of reference, is simply /webroot = /media/some/path ..

Then, I can enter this directory in the phpicalendar's config.inc.php:

$configs = array(
 'calendar_path'        => '/webroot/mylogin/phpicalendar/mycals',
 ...

Then, phpicalendar will run through this directory, grab the .ics files there (say, mycal.ics and mycal2.ics) and render them - so far, so good.

The thing is, I would now like to add a second calendar directory, located at the same webserver, but where I have read-only permissions, say /webroot/protected/cals. I know that I have read permissions, because I can do in the shell, say

$ less /webroot/protected/cals/maincal.ics

and I can read the contents fine.. So now:

  • If I enter /webroot/protected/cals as a 'calendar_path', phpicalendar can read and render the files there (say, 'maincal.ics', 'maincal2.ics') without a problem
  • However, phpicalendar can have only one 'calendar_path', so I can either use the protected calendars, or my customized calendars - but not both
  • So, I thought, I could symlink the protected calendars in my customized directory - and get the best of both worlds :)

So, here is a shell snippet of what I would do

$ cd /webroot/mylogin/phpicalendar/mycals
$ ls -la 
drwxrwxrwx  2 myself myself 4096 2011-03-03 12:50 .
-rw-r--r--  1 myself myself 1234 2011-01-20 07:32 mycal.ics
-rw-r--r--  1 myself myself 1234 2011-01-20 07:32 mycal2.ics
...

$ ln /webroot/protected/cals/maincal.ics .    # try a hard link first
ln: creating hard link `./maincal.ics' => `/webroot/protected/cals/maincal.ics': Invalid cross-device link'

$ ln -s /webroot/protected/cals/maincal.ics .                  # symlink - works
$ ln -s ../../../protected/cals/maincal.ics relmaincal.ics  # symlink via relative
$ ln -s mycal.ics testcal.ics                               # try a symlink to a local file

$ ls -la                                                    # check contents of dir now
drwxrwxrwx  2 myself myself 4096  .
-rw-r--r--  1 myself myself 1234  mycal.ics
-rw-r--r--  1 myself myself 1234  mycal2.ics
lrwxrwxrwx  1 myself myself   21  testcal.ics -> mycal.ics
lrwxrwxrwx  1 myself myself   56  maincal.ics -> /webroot/protected/cals/maincal.ics
lrwxrwxrwx  1 myself myself   66  relmaincal.ics -> ../../../protected/cals/maincal.ics

Ok, so here's what happens:

  • less maincal.ics works on shell
  • less relmaincal.ics fails with 'relmaincal.ics: No such file or directory' (even if shell autocompletion for the relative path did work during the execution of the symlink command!)
  • When you open phpicalendar now, it will render mycal.ics, mycal2.ics and testcal.ics (and they will work)
    • however, maincal.ics and relmaincal.ics will not be parsed or displayed

Now - this could be that PHP cannot resolve symlinks; however I speculate that the situation is this:

  • When I do less maincal.ics - it is myself who is user, who has read permission for /webroot/protected/cals
  • phpicalendar (so Apache webserver user) can otherwise also access /webroot/protected/cals as read-only, when given 'hardcoded' path
  • phpicalendar is also capable of reading local symlinks fine

Thus, I suspect, that the problem is: when trying to read the symlinks to protected cals, the user that is visible to the shell during that operation is Apache web user, which then doesn't get permissions to access a symlink to the protected/cals location!

The thing now is - I can easily copy the .ics files locally; however they are being changed by someone else, which is why I'd have preferred a symlink.

And my question is: can I do some sort of trickery, so that when phpicalendar/Apache tries to access a symlink to protected/cals, it 'thinks' that it is a local file - and otherwise, the contents of the protected/cals file are being 'piped' back to phpicalendar/Apache?? I guess I'm thinking something in terms of:

$ mkfifo mypipe
$ ln -s mypipe testpipe.ics
$ cat ./testpipe.ics                                 # in one terminal
$ cat /webroot/protected/cals/maincal.ics > mypipe      # in other terminal

... which would otherwise (I think) handle the permissions problem - except that, I don't want to cat manually; that would be something that would have to be done in the background, each time an application requests to read testpipe.ics:)

Well, thanks in advance for any comments on this - looking forward to hearing some,

Cheers!


Umm, I really doubt that the account the web server runs under can read anything under /root. That directory is usually mode 0700, user root, group root, or something very similar to that - meaning no non-root access is allowed. If you're running the web server as root, file read permissions are the least of your problems...

Your best bet then would be to place the read-only calendar files somewhere publicly available, and symlink to that location from wherever under /root you want to be able to access them.


Start by checking whether the Apache user can view your calendars:

you@host $ sudo -u <apache-user> /bin/bash
apache@host $ less /root/protected/cals/maincal.ics
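
The check suggested above, carried further as an added example (not part of the original answer): a POSIX shell script that, run as the web server account, classifies each calendar path and names the first path component that is missing or lacks search permission. The function names link_status and explain_path are hypothetical. Relative link targets are resolved against the link's physical directory, as the kernel does, which is one condition under which a relative link like relmaincal.ics dangles even though the shell's logical path completes.

```shell
#!/bin/sh
# Added example. Usage (as the web server user):
#   sh checklinks.sh /webroot/mylogin/phpicalendar/mycals/*.ics

# Walk an absolute path one component at a time and report the first
# component that is missing or sits in a directory we cannot search.
explain_path() {
    prev=/ cur=
    old_ifs=$IFS; IFS=/; set -f
    set -- $1                      # split the path on "/"
    set +f; IFS=$old_ifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        # Traversing a directory needs execute (search) permission on it.
        [ ! -d "$prev" ] || [ -x "$prev" ] ||
            { echo "denied: no search (x) permission on $prev"; return; }
        cur=$cur/$comp
        [ -e "$cur" ] || { echo "missing: $cur"; return; }
        prev=$cur
    done
    echo "resolves: $cur"
}

# Classify one path as the *current* user sees it.
# Prints: ok | unreadable | missing: <path> | denied: <reason>
link_status() {
    p=$1
    [ -f "$p" ] && [ -r "$p" ] && { echo ok; return; }
    [ -e "$p" ] && { echo unreadable; return; }
    # The path does not resolve. Relative symlink targets are interpreted
    # from the physical directory holding the link, so resolve that first.
    base=$(cd -P -- "$(dirname -- "$p")" 2>/dev/null && pwd -P) ||
        { echo "denied: cannot enter $(dirname -- "$p")"; return; }
    if [ -L "$p" ]; then t=$(readlink -- "$p"); else t=$(basename -- "$p"); fi
    case $t in
        /*) ;;                     # absolute target: use as-is
        *)  t=$base/$t ;;          # relative target: anchor at physical dir
    esac
    explain_path "$t"
}

# Report every path given on the command line.
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(link_status "$f")"
done
```

Running it once as yourself and once as the web server user shows whether a link fails for both accounts (a dangling target) or only for the server (a permission on some directory along the target path).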