at our company we're using Docker and most of the developers used Ubuntu. I now switched to Fedora and set everything up except for the access rights through ACL.
In Ubuntu we did a simple setfacl -R -m g:www-data:rwX -m u:$USER:rwX {folderList}, however in Fedora26 the group www-data does not exist.
Welp, I could simply create the group but this doesn't fix the problem I guess, because it somehow still needs to be "connected" to docker, right?
The problem I'm having is, that the Symfony application can't write into the cache folders because It doesn't have rights. This is what we use setfacl for, but I have no idea how to fix this in Fedora.
I solved this by connecting into my docker machine, making an cat /etc/passwd | grep www-data and saw, that the id of this user/group is 33 (the same, the php-fpm child process pools are created) and then simply used
setfacl -R -m g:www-data:rwX -m u:$USER:rwX {folderList}
Related
I have this deployments architecture that deploy scalable WordPress using Amazon ECS containers. These are based from official WordPress image; The containers also mount an Amazon EFS file system on /var/www/html/wp-content mainly to host plugins and themes. The reason is because some plugins write files inside the wp-content directories, and I'd like the containers to have access to that files.
There is also bastion EC2 instance host so that I can access the EFS directory to make modifications and sync to locally.
The problem is I couldn't write the EFS directory without sudo-ing as www-data.
$ssh -i private_key.pem ubuntu#$BASTION_HOST
$touch /var/www/html/wp-content/test.txt
touch: cannot touch '/var/www/html/wp-content/test.txt': Permission denied
$sudo -u www-data bash # Access bash as www-data user
$touch /var/www/html/wp-content/test.txt
$ls -al /var/www/html/wp-content/test.txt
-rw-rw-r-- 1 www-data www-data 0 Aug 12 01:08 /var/www/html/wp-content/test.txt
What I want to achieve is that I want to do rsync the plugin in my local development both to and from the wp-content directory.
I tried the command below
rsync -av -e "ssh -i private_key.pem" content/plugins ubuntu#$BASTION_HOST/var/www/html/wp-content
but it failed.
I also tried as www-data, just for sure.
rsync -av -e "ssh -i private_key.pem" content/plugins www-data#$BASTION_HOST:/var/www/html/wp-content
I tried rsync to other directory, though, and it works.
rsync -av -e "ssh -i private_key.pem" content/plugins www-data#$BASTION_HOST:/home/ubuntu/sync
I wanted to change the permission of the /var/www/html/wp-content in the bastion to ubuntu, but the last time I did it, the WordPress containers couldn't write to the NFS directory; so the safest way is to keep the permission intact.
What did I miss?
Update 1
I tried adding ubuntu user into www-data in the bastion server.
$ sudo usermod -aG www-data ubuntu
$ cat /etc/group | grep www-data
www-data:x:33:ubuntu
$ touch /var/www/html/wp-content/test.txt
touch: cannot touch '/var/www/html/wp-content/test.txt': Permission denied
Still doesn't work.
Great problem description.
Clearly there's a permissions issue, so I'll suggest the first thing to look at and assume you don't already have that covered.
Is the default ubuntu user a member of the www-data group?
Being a member of that group could give the required privilege levels.
To add the ubuntu user to the www-data group, allowing it/you to write to the mounted web directories while ssh'ed into the Bastion server:
sudo usermod -aG www-data ubuntu
To remove a user from a group:
sudo gpasswd -d ${USER} www-data
You'll have to test whether the ssh server on the bastion host will allow you to, say rsync files into the mounted web directories from your local development host. That might be a configuration issue in the bastions /etc/ssh/sshd_config file.. not sure, haven't tried, but one to look at next if necessary. Good luck.
I tried to dir.create on a path that I need sudo access to create directories. But I can't seem to do it from Rstudio server instance of Rstudio that I access from the browser, even though I started the Rstudio server using sudo rstudio-server start.
Is there a way to give my Rstudio instance sudo powers?
When you use the RStudio Server web client, it executes local scripts as the "rstudio-server" user on your Linux machine (run cut -d: -f1 /etc/passwd to list local users and it will appear there). You need to ensure that the rstudio-server user and the user you log onto the client with has rwx permissions across the directories you want to make changes in from RStudio.
sudo setfacl -m u:rstudio-server:rwx /path/
sudo setfacl -m u:localuser:rwx /path/
I am setting up a new server and installed Ubuntu 18.04 in combination with Apache2. My project is stored in /var/www/project. In apache2.conf I added
<Directory /var/www/project/>
AllowOverride All
Order Allow,Deny
Allow from All
</Directory>
In my virtualhosts file I point to /var/www/project/public
When I go to the Ip address of my server I see my project and everything works, except one thing:
whenever I clear the cache with php bin/console cache:clear the permissions of my directory var are messed up which results in errors in the production environment.
I can fix this with:
chmod -R 777 var/
But the problem returns wheneven I clear the cache again. I tried with different users including root, but always the same problem. I do not understand what is causing this. In the documentation on file permissions it says:
In Symfony 3.x, you needed to do some extra work to make sure that your cache directory was writable. But that is no longer true! In Symfony 4, everything works automatically
Well not for me, but what could cause the problem?
The problem
The cache directory is owned by the user executing the cache:clear command.
Lets say your project files are owned by www-data.
Clearing the cache with root user
Cache is owned by root
www-data can't write in cache directory
Solution
execute cache:clear using the user owning the files.
Login as www-data: su www-data -s /bin/bash
clear the cache ./bin/console cache:clear
Depending on your settings, your www-data user may be different
The solution that worked for me (using Symfony 3.x and Ubuntu 18.04) is the one explained in the official site, here:
https://symfony.com/doc/3.4/setup/file_permissions.html#using-acl-on-a-system-that-supports-setfacl-linux-bsd
Maybe that solution work also with Symfony 4?
Extract:
3. Using ACL on a System that Supports setfacl (Linux/BSD)
Most Linux and BSD distributions don't support chmod +a, but do
support another utility called setfacl. You may need to install
setfacl and enable ACL support on your disk partition before using it.
Then, use the following script to determine your web server user and
grant the needed permissions:
HTTPDUSER=$(ps axo user,comm | grep -E
'[a]pache|[h]ttpd|[_]www|[w]ww-data|[n]ginx' | grep -v root | head -1
| cut -d\ -f1)
sudo setfacl -dR -m u:"$HTTPDUSER":rwX -m u:$(whoami):rwX var
sudo setfacl -R -m u:"$HTTPDUSER":rwX -m u:$(whoami):rwX var
Note:
The first setfacl command sets permissions for future files and
folders, while the second one sets permissions on the existing files
and folders. Both of these commands assign permissions for the system
user and the Apache user.
setfacl isn't available on NFS mount points. However, storing cache
and logs over NFS is strongly discouraged for performance reasons.
Personal hint:
sudo apt-get install setfacl may says "unable to find setfacl".
If so:
check if setfacl is present: setfacl -h
setfacl is part of the acl package, so install acl if missed
It took me quite a while to solve the problem in Symfony 4.4 that only was present in PROD but not in DEV. I still don't know what difference between PROD and DEV caused it, however. At least it's working now.
If ACL is present, the first solution in https://symfony.com/doc/4.4/setup/file_permissions.html#permissions-required-by-symfony-applications should work. I just manually set the HTTPDUSER since the given code returned the wrong one. Else, setting the permissions after every single cache:clear should do the job, too:
sudo chown -R "$local_user":"$webserver_group" "$app_dir/var/"
sudo chmod -R 0777 "$app_dir/var/"
Maybe you have to manually delete old files in var/ bevore first by rm -rf var/*
I'm trying to run CakePHP 2 app inside of a container. I have everything setup and PHP works properly but have one problem: /var/www/app/tmp has incorrect write permissions. This directory is loaded from volume
Did you already take a look at the CakePHP2.0 docs? Maybe this is usefull:
One common issue is that the app/tmp directories and subdirectories must be writable both by the web server and the command line user. On a UNIX system, if your web server user is different from your command line user, you can run the following commands just once in your project to ensure that permissions will be setup properly:
HTTPDUSER=`ps aux | grep -E '[a]pache|[h]ttpd|[_]www|[w]ww-data|[n]ginx' | grep -v root | head -1 | cut -d\ -f1`
setfacl -R -m u:${HTTPDUSER}:rwx app/tmp
setfacl -R -d -m u:${HTTPDUSER}:rwx app/tmp
Source: https://book.cakephp.org/2.0/en/installation.html#permissions
This happens a lot if you're running PHP via a container passthrough. In this scenario, you are passing a directory through to the application with pre-defined permissions. What you'll need to do is periodically make sure permissions are being updated to the webserver from the container. Let's say your container is called web
docker exec web chown -R www-data /var/www/html
(/var/www/html being replaced with wherever your code resides)
For Example. This will make it work perfectly fine in the container, but may actually cause issues accessing the data from the host OS if you're using Linux. I had this issue several times with Laravel and PHP using a volume passthrough from the host, since the volume's files themselves are updated to a userID the host OS doesn't have.
I am using Symfony 2.0.12 in a Mac Os X Lion (10.7.4).
For some reason, every time I clear cache (php app/console cache:clear), the permissions of cache/* folder are lost.
The result is that I try to enter my application and it start to give me a bounch of errors like "unable to write in app/cache/dev/XXX folder".
So there starts a "fight" against the machine. No sooner I give permissions for that folder, quickly I get an error message for the next YYY folder. And that happens during about 8 or 9 folders until it's me the winner and everything apparently starts to works normally again.
Did anyone pass through this? How can I manage to conserve the permissions when clearing the cache?
in the documentation there are some alternative commands on how to set up the permissions. but i dunno if they work for mac. Check the Setting up Permissions box.
http://symfony.com/doc/current/book/installation.html
on my ubuntu system the following commands made the permissions permanent
sudo setfacl -R -m u:www-data:rwx -m u:`whoami`:rwx app/cache app/logs
sudo setfacl -dR -m u:www-data:rwx -m u:`whoami`:rwx app/cache app/logs
making the webserver run as your user is not a good idea in my opinion because the webserver should not have access to your personal files and so on...
If you're running the commands as a different user than the php process that create the cache files then this will happen. You'll either have to run the commands as the web server user, make the web server run as your user, or chown/chmod the app/cache app/logs directories after you run commands.