Topic: Permissions

I have set $go_debug = 1 and I have many file permission errors.

I have read the wiki about some folders that require 777 permissions like company, modules, etc...
Then the rest is the classic web server permissions, which is files 644 and folders 755.

However, I see that for the js files the owner:group must be set to nobody:nobody.
Is this right? It also seems that the file with the inc extension needs to belong to a certain group?

Re: Permissions

Making all folders 755 and all files 644 would be okay if the owner:group is set to webserver (apache) user and group.
This way no 777 would be needed for any file or folder. The config.php (during install), installed_extensions.php (in webroot and in company/#/), lang/installed_languages.inc, cache/tmp files will generally get updated from time to time according to settings changed from the Web GUI.

Re: Permissions

Tx, I did the following, but when I try to remove an extension (for example: report generator), I get the following error: Cannot open the extension setup file '../installed_extensions.php' for writing.
Yet the permissions on that file are as follows:
# ls -la
-rwxr--r--  1 ApacheUser ApacheUser  7294 Aug 14 22:38 installed_extensions.php*

Is this correct?
Tx

4 (edited by apmuthu 09/13/2013 08:15:46 pm)

Re: Permissions

Please check that there are 2 files called installed_extensions.php - one in the webroot and another in the company/#/ folder.

Also check who the apache user is and what apache group it belongs to.

What Server OS are you using and is it virtualised and if so what host is it on and is it on a shared kernel (OpenVZ, etc)?

Re: Permissions

Hi apmuthu,
Yes, installed_extensions.php is present in the webroot as well as in each company folder.
After tests and trials, I managed to delete some modules with the following permissions:
Web root installed_extensions.php / permissions : 777 / User: Apache User / Group : Apache User
Company folder installed_extensions.php / permissions : 666 / User: Apache User / Group : Apache User

Is this correct practice?

Tx

Re: Permissions

644 is sufficient for both if the user:group is webserver user (Apache).
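
A read-only audit of the scheme discussed in this thread, as an added example that is not part of any post or of the project's own code: it flags world-writable entries (777, 666), regular files carrying an execute bit, and the GUI-written files named earlier in the thread when they are not owned by, or not writable for, the given account. The function names, the OWNER argument and the output labels are assumptions; GNU find and stat are required.

```shell
#!/bin/sh
# Added example: audit a tree against the 755 (dirs) / 644 (files) scheme.
# Usage: audit_perms ROOT OWNER    (requires GNU find and stat)
# ROOT and OWNER are assumptions supplied by the caller.

# Files the thread says the Web GUI rewrites, relative to ROOT.
gui_written_files() {
    root=$1
    for f in "$root/config.php" "$root/installed_extensions.php" \
             "$root"/company/*/installed_extensions.php \
             "$root/lang/installed_languages.inc"; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

audit_perms() {
    root=$1; owner=$2

    # 1. Anything writable by "other" (777, 666, ...).
    find "$root" ! -type l -perm -0002 -exec stat -c 'WORLD-WRITABLE %a %n' {} +

    # 2. Regular files carrying an execute bit (e.g. 744 instead of 644).
    find "$root" -type f -perm /0111 -exec stat -c 'EXEC-BIT %a %n' {} +

    # 3. GUI-written files must belong to OWNER and be owner-writable.
    gui_written_files "$root" | while IFS= read -r f; do
        actual=$(stat -c %U "$f")
        [ "$actual" = "$owner" ] || echo "WRONG-OWNER $actual $f"
        [ -n "$(find "$f" -perm -0200)" ] || echo "OWNER-CANNOT-WRITE $(stat -c %a "$f") $f"
    done
}

# Run directly:  sh audit_perms.sh /path/to/webroot apache-user
if [ "$#" -ge 2 ]; then
    audit_perms "$1" "$2"
fi
```

No output means the tree matches the scheme; each finding line starts with its label, followed by the mode or owner and the path.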

Re: Permissions

I'm trying to reconcile the advice I see on here with what I see recommended on this site:
https://serverfault.com/questions/345833/what-are-perfect-unix-permissions-for-usual-web-project-directories

The advice at the link above states that "the user is the linux system user that the process runs under. The code of your website is run as only one user - it may be the user of your webserver (which isn't really a good thing), or it may be a user specific to your site (which is much better)."

It goes on to say, "A good setup will have your server run as one user (let's call this user 'webserver') and your dynamic scripting language run (e.g. via FastCGI) as its own user (one user per site - let's call our first user 'site1')."

'site1' would be the name for the first site established with corresponding names for each successive site (site2, site3,...).

This is recommended to properly control access, with the webserver (e.g. Apache2 as 'www-data') grouped with site1 to provide the necessary access. This logic makes sense to me but appears to be in conflict with your recommendations. Is there a straightforward reason why the webserver should be made owner instead?