Open dergachev opened 11 years ago
According to http://drupal.org/node/244924, the secure strategy is to have the following ownership:
chown -R vagrant:www-data .
# code tree: directories 750, files 640 (the web server group can read, not write)
find . -type d -exec chmod u=rwx,g=rx,o= '{}' \;
find . -type f -exec chmod u=rw,g=r,o= '{}' \;
# upload directory only: 770/660 so the web server group can write there
find sites/default/files -type d -exec chmod ug=rwx,o= '{}' \;
find sites/default/files -type f -exec chmod ug=rw,o= '{}' \;
Rewriting the above to make it more obvious:
chown -R vagrant:www-data .
chmod -R 640 .
chmod -R 660 sites/default/files
# the blanket 640/660 strips x from directories; this restores it (run the whole
# sequence as root: chown -R needs it, and root can still traverse x-less directories)
find . -type d -exec chmod ug+x '{}' \;
I would also recommend letting other users browse directories:
find . -type d -exec chmod o+rx '{}' \;
On reflection, there are 3 problems with this approach:
The first requires having a "fix-perms.sh" script that the developer can run all the time.
Perhaps this can be avoided if the user is part of www-data.
The second is really a problem, but perhaps not in the vagrant use case. It would be for chef in general.
The third is not a big deal.
For now, going with the approach above, and living with the problems.
For my future notes, to add the suzanne user to the vagrant group, run this:
usermod -a -G vagrant suzanne
Here's what I did to make it work for me:
cd /var/shared/sites/mysite
sudo chown -R www-data:vagrant .
sudo chmod -R 660 .
# ensure directories are executable, for 'cd' to work
sudo find . -type d -exec chmod ug+x '{}' \;
# optionally, allow other users to read/exec directories too
sudo find . -type d -exec chmod o+rx '{}' \;
What this does is ensure www-data owns all the files, and vagrant is the group.
Having added suzanne to the group vagrant, I then set permissions to allow both the owner and the group read/write everything. Then I make sure all directories are executable and readable by everyone.
This has the security flaw that www-data can write to outside sites/default/files, but it works for now.
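As an added check (not code from this issue or the cookbook), the POSIX shell audit below verifies a docroot against the drupal.org model quoted at the top of the issue and flags exactly the drift described in the previous paragraph: anything group- or world-writable outside sites/default/files. It does not check ownership, so it runs as any user; the demo docroot it builds is constructed for illustration.

```shell
#!/bin/sh
# Added audit script (not from this issue or the cookbook). Checks a Drupal
# docroot against the drupal.org/node/244924 model quoted above and lists:
#   1. anything group- or world-writable outside sites/default/files
#      (the flaw a blanket 660 leaves open),
#   2. anything world-writable inside sites/default/files,
#   3. directories the owner or group cannot traverse (missing x).
# Ownership (vagrant:www-data) is deliberately not checked, so it runs as
# any user. Paths are printed relative to the docroot.

audit_perms() {
    (
        cd "$1" || exit 2
        find . -path ./sites/default/files -prune -o \
            \( -perm -g+w -o -perm -o+w \) -print
        if [ -d sites/default/files ]; then
            find ./sites/default/files -perm -o+w -print
        fi
        find . -type d \( ! -perm -u+x -o ! -perm -g+x \) -print
    ) | sort -u
}

# Number of findings; 0 means the tree matches the model.
audit_count() {
    audit_perms "$1" | awk 'END { print NR }'
}

# Constructed demo docroot with the model applied using the same find/chmod
# lines as the drupal.org recipe (chown omitted, so no special users are
# needed) plus the o+rx on directories recommended above.
make_demo_tree() {
    mkdir -p "$1/sites/all/modules/webform" "$1/sites/default/files/css"
    : > "$1/index.php"
    : > "$1/sites/default/settings.php"
    : > "$1/sites/all/modules/webform/webform.info"
    : > "$1/sites/default/files/css/style.css"
    (
        cd "$1" || exit 2
        find . -type d -exec chmod u=rwx,g=rx,o= '{}' \;
        find . -type f -exec chmod u=rw,g=r,o= '{}' \;
        find sites/default/files -type d -exec chmod ug=rwx,o= '{}' \;
        find sites/default/files -type f -exec chmod ug=rw,o= '{}' \;
        find . -type d -exec chmod o+rx '{}' \;
    )
}
```

Run `audit_perms /var/shared/sites/mysite` after a fix-perms pass; an empty result means the tree matches the model, and each printed path is one place the web server group (or everyone) could write where it should not.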
@pixelite tried using this cookbook after creating a "suzanne" user, and then "drush dl webform" fails complaining about file permissions in sites/all; and then "drush en -y webform" also complains about permissions in sites/default.
At the moment I have an attribute APACHE_USER and APACHE_GROUP (defaults to www-data:www-data) that, with default ownership (640-ish), causes problems.
Resources: http://drupal.org/node/244924