Permissions check for all backdropcms.org properties.

[jenlampton]

It is theoretically possible that a file could be created within home/repo/config/live-active that has the owner and group of the shell user, making the file no longer web-writable, which can cause failures on the production site. However, this should never happen, as all config files should either be created by install or update actions (by the web server) or be added first into home/repo/config/staging and then a config-sync will write them to home/repo/config/live-active (also done by the web server). If w do ever encounter this problem, we should investigate how it happened and see if we can prevent that :)

Shell user information:

• Each site has its own shell user.
• The web server operates as www-data.
• The shell user should be a member of the www-data group.

Our permissions should be set up as follows:

The parent directories should not be web writable, so both owner and group should be only the shell user. Within those directories, we have three locations that need to be writable by the web server, so these need to have the group www-data instead of the shell user. (Owner should still be the shell user.)

• The public files directory. (inside web root)
• The civicrm files directory (usually inside files directory)
• The private files directory. (outside web root)
• The config directory. (outside web root)

Notes:

• If a site has the project browser installed (none of ours do) then the modules, themes, and layouts directories would also need to be web-writable (this does not apply to backdropcms.org properties - noting here for public reference).
• If a site has the self-update feature enabled (none of ours do) then the core directory would also need to be web-writable (this does not apply to backdropcms.org properties - noting here for public reference).
• if the git repository directory is not owned by the shell user, we will have problems using Git.

Review all sites to confirm they are set up properly:

• [x] Review backdropcms.org file permissions
• [x] Review docs.backdropcms.org file permissions
• [x] Review forum.backdropcms.org file permissions
• [x] Review events.backdropcms.org file permissions
• [x] Review localize.backdropcms.org file permissions

[larsdesigns]

Would this be the correct documentation for configuring the permissions? https://docs.backdropcms.org/documentation/file-permissions-and-ownership

[larsdesigns]

@jenlampton, Perhaps we should update the documentation at https://docs.backdropcms.org/documentation/file-permissions-and-ownership to include information for the config and private files directory?

[jenlampton]

@larsdesigns there is nothing in those docs about config. So, they are incomplete.

edit; Jynx!

[jenlampton]

The events site was fine, but all the others needed a little adjusting.

[bugfolder]

I'm reopening this because the file permissions on b.org are not correct in their present state. In particular, there are subdirectories of www/files/civicrm/templates_c/... that are not writeable by the www-data user, and that is causing CiviCRM to tantrum (as of 2023-04-25).

One can see examples (at least right now) by running this on the server:

ls -la ~/repo/www/files/civicrm/templates_c/en_US

[jenlampton]

I've updated the permissions on the whole civicrm directory to be writable by the www-data user. Is there a way to test the civi tantrum to see if this change resolves those issues?

[bugfolder]

Yes, hang on...

[bugfolder]

I've been DMing with @cellear, who uncovered the tantrum. He reports it working now!

[cellear]

Looks like it worked:

[jenlampton]

Phew!