dergachev / vagrant_drupal

Deploy a local Drupal development stack with Vagrant.

Fix drupal permissions #5

Open dergachev opened 11 years ago

dergachev commented 11 years ago

@pixelite tried using this cookbook after creating a "suzanne" user, and then "drush dl webform" fails complaining about file permissions in sites/all; and then "drush en -y webform" also complains about permissions in sites/default.

At the moment I have attributes APACHE_USER and APACHE_GROUP (defaulting to www-data:www-data) that, with the default 640-ish ownership, cause problems.

Resources: http://drupal.org/node/244924

dergachev commented 11 years ago

According to http://drupal.org/node/244924, the secure strategy is to have the following ownership:

chown -R vagrant:www-data .
find . -type d -exec chmod u=rwx,g=rx,o= '{}' \;
find . -type f -exec chmod u=rw,g=r,o= '{}' \;
find sites/default/files -type d -exec chmod ug=rwx,o= '{}' \;
find sites/default/files -type f -exec chmod ug=rw,o= '{}' \;
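The scheme above as a runnable script, added here as an example (it is not part of the vagrant_drupal cookbook). It assumes the drupal.org model where the developer account owns the tree and the web server runs as the group (vagrant:www-data in this thread); the function names, the optional OWNER:GROUP argument and the audit step that lists anything group- or world-writable outside sites/default/files are this example's own additions:

```sh
#!/bin/sh
# Added example, not cookbook code: apply the drupal.org/node/244924 scheme
# to a Drupal root, then audit the result. Assumes developer = owner and
# web server = group; function names and the OWNER:GROUP argument are ours.

# Apply the scheme. $1 = Drupal root, $2 = optional owner:group for chown
# (chown needs root, so it only runs when the caller asks for it).
drupal_fix_perms() {
  root="$1"
  files_dir="$root/sites/default/files"
  [ -d "$files_dir" ] || { echo "missing $files_dir" >&2; return 1; }
  [ -n "$2" ] && chown -R "$2" "$root"
  # code: owner rwx/rw, group (web server) rx/r, others nothing
  find "$root" -type d -exec chmod u=rwx,g=rx,o= '{}' \;
  find "$root" -type f -exec chmod u=rw,g=r,o= '{}' \;
  # upload area: the web server must be able to write here, nobody else
  find "$files_dir" -type d -exec chmod ug=rwx,o= '{}' \;
  find "$files_dir" -type f -exec chmod ug=rw,o= '{}' \;
}

# Audit: print every path outside the upload area that the group (web
# server) or the world can write. Returns 0 when the tree is clean.
drupal_audit_perms() {
  root="$1"
  files_dir="$root/sites/default/files"
  bad=$(find "$root" -path "$files_dir" -prune -o \
          \( -perm -020 -o -perm -002 \) -print)
  [ -z "$bad" ] && return 0
  printf 'web-writable outside upload area:\n%s\n' "$bad" >&2
  return 1
}

# Usage: sh fix-perms.sh /path/to/drupal [owner:group]
if [ -n "$1" ]; then
  drupal_fix_perms "$1" "$2" && drupal_audit_perms "$1"
fi
```

Running the audit after every `drush dl` is the quick way to notice when a module download has recreated world- or group-writable code paths; it deliberately stays silent about sites/default/files, where group write is the intended state.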
dergachev commented 11 years ago

Rewriting the above to make it more obvious:

chown -R vagrant:www-data .
chmod -R 640 .
chmod -R 660 sites/default/files
find . -type d -exec chmod ug+x '{}' \;

I also would recommend letting other users also browse directories:

find . -type d -exec chmod o+rx '{}' \;
dergachev commented 11 years ago

On reflection, there are 3 problems with this approach:

The first requires having a "fix-perms.sh" script that the developer can run all the time.

Perhaps this can be avoided if the user is part of www-data.

The second is really a problem, but perhaps not in the vagrant use case. But would be for chef in general.

The third is not a big deal.

dergachev commented 11 years ago

For now, going with the approach above, and living with the problems.

pixelite commented 11 years ago

For my future notes, to add the suzanne user to the vagrant group, run this:

usermod -a -G vagrant suzanne

Here's what I did to make it work for me:

cd /var/shared/sites/mysite
sudo chown -R www-data:vagrant .
sudo chmod -R 660 .
# ensure directories are executable, for 'cd' to work
sudo find . -type d -exec chmod ug+x '{}' \;
# optionally, allow other users to read/exec directories too
sudo find . -type d -exec chmod o+rx '{}' \;

What this does is ensure that www-data owns all the files and vagrant is the group. Having added suzanne to the group vagrant, I then set permissions to allow both the owner and the group to read/write everything. Then I make sure all directories are executable and readable by everyone.

This has the security flaw that www-data can write to outside sites/default/files, but it works for now.