
Originally asked on Drupal Stack Exchange but opening up since it may be a general Linux/Apache issue.

Need the internet to confirm my sanity. On a Drupal 7 site it's saying "The directory sites/default/files is not writable." So I checked every permission but I don't see the issue. Since this isn't a public server, I temporarily turned off SELinux. LAMP stack, CentOS 7.6, Apache 2.4.38 from @CodeIT, PHP 7.2.16. User 'apache' is in the groups 'apache web'. What am I missing?

getenforce output:

Permissive

ps aux | grep httpd output:

root     29064  0.0  0.1 262224  6492 ?        Ss   18:26   0:00 /usr/sbin/httpd -DFOREGROUND
apache   29065  0.0  0.0 261884  3672 ?        S    18:26   0:00 /usr/sbin/httpd -DFOREGROUND
apache   29066  0.0  0.2 1188648 10040 ?       Sl   18:26   0:00 /usr/sbin/httpd -DFOREGROUND
apache   29067  0.0  0.2 1778408 8000 ?        Sl   18:26   0:00 /usr/sbin/httpd -DFOREGROUND

/sites/default/files is a symlink and the permission should be ignored

lrwxrwxrwx 1 root   root    31 Mar 18 18:14 files -> /mnt/efs/website/publicfiles/

So let's go down the tree

drwxr-xr-x 12 root root 6144 Feb 17 23:27 efs
drwxr-xr-x 4 root root 6144 Feb 17 23:28 website
drwxrwxr-x 110 apache web 141312 Mar 18 18:16 publicfiles

FollowSymLinks also appears to be turned on in several places. /etc/httpd/conf/httpd.conf:

<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>

<VirtualHost *:80>
... server info ...
<Directory "/var/www/html/website/public_html">
AllowOverride All
Require all granted
Options -Indexes +FollowSymLinks
</Directory>
</VirtualHost>

.htaccess:

# Follow symbolic links in this directory.
Options +FollowSymLinks

UPDATE 03-19-19: This still isn't solved and is driving me crazy. As specified above the /mnt/efs/website/publicfiles dir was 775 owned by apache:web, where apache is a member of the group web. That wasn't working. Setting publicfiles to 777 of course works, so it isn't an SELinux issue.

If ps aux is telling me the user apache is running my server, how does it not have access to its own group?

Aaron Chamberlain
  • `The directory sites/default/files is not writable.` -> Which groups is your apache user in? If `publicfiles` is 775, with owners `root:web`, be sure that your apache user is in the web group. `sudo usermod -aG web apache` – Matt Clark Mar 18 '19 at 21:50
  • @MattClark Wouldn't user 'apache' which is running httpd already have access to the folder since it's the owner? User 'apache' is only in the apache group. We assign web as group so that non-privileged scripts can pull using git, etc. – Aaron Chamberlain Mar 18 '19 at 22:05
  • @MattClark Actually user 'apache' is in the 'web' group on another server so I gave it a try but no go either. Add 'apache' to 'web', restarted httpd and it didn't take effect, rebooted the server and no effect. – Aaron Chamberlain Mar 18 '19 at 22:55
  • How are you running PHP? – Michael Hampton Mar 19 '19 at 16:56
  • @MichaelHampton Thanks for the question. Your question probably would have led to the solution had I not thought of it myself just moments before. The purpose of the cloned VM/Server was to test php-fpm, so it was the php-fpm user that didn't have permissions to the folder. – Aaron Chamberlain Mar 19 '19 at 17:16

1 Answer


Finally managed to solve this. The entire purpose of this cloned server was to test out speed improvements from PHP-FPM. Since PHP evaluation is essentially offloaded to PHP-FPM, it doesn't matter whether httpd has permissions; it matters whether the php-fpm process has permissions.

ps aux | grep php-fpm output:

root      5744  0.0  0.3 462268 14988 ?        Ss   16:45   0:00 php-fpm: master process (/etc/php-fpm.conf)
php-fpm   5745  0.0  0.9 467332 35196 ?        S    16:45   0:00 php-fpm: pool www
php-fpm   5746  0.0  0.4 466656 16528 ?        S    16:45   0:00 php-fpm: pool www
php-fpm   5747  0.0  0.3 466656 14032 ?        S    16:45   0:00 php-fpm: pool www
php-fpm   5748  0.0  0.3 466656 14028 ?        S    16:45   0:00 php-fpm: pool www

groups php-fpm:

php-fpm : php-fpm

So the ownership of my folder as apache:web is what doesn't fit. I just added the user php-fpm to the group web and changed things back to 775.

sudo usermod -aG web php-fpm

I would love comments on pros and cons of what I see as other possible solutions, especially from a security perspective:

1) Add php-fpm to the 'web' group.

2) Make php-fpm the owner, and httpd as member of web so it can still serve the files later.

Aaron Chamberlain
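The answer's point is that the kernel's permission check is evaluated against the credentials of the process that actually performs the write, which under PHP-FPM is the pool worker, not the httpd worker. The following Python script is an added example, not code from the original post, from Drupal or from PHP-FPM: it models the Unix owner/group/other rule and runs it against data constructed inline from what the thread shows (the `ls -l` lines for the symlink target, `ps` style output for httpd and php-fpm, and the group membership). It then replays the three remedies the thread mentions (chmod 777, adding php-fpm to the web group, and re-owning the directory to php-fpm:web) to show why each one does or does not make the directory writable for the php-fpm account. The `ps -o user=,comm=` layout and the group tables are assumptions for the model; nothing touches a real filesystem or account database.

```python
import re
from collections import namedtuple

# ---- Constructed inputs, taken from what the question and answer show ----

# `ls -ld` style lines for every component under the symlink target
LS_LINES = [
    "drwxr-xr-x  12 root   root     6144 Feb 17 23:27 /mnt/efs",
    "drwxr-xr-x   4 root   root     6144 Feb 17 23:28 /mnt/efs/website",
    "drwxrwxr-x 110 apache web    141312 Mar 18 18:16 /mnt/efs/website/publicfiles",
]

# `ps -o user=,comm=` style output (constructed): the account each worker runs as
PS_OUTPUT = """\
root     httpd
apache   httpd
apache   httpd
root     php-fpm
php-fpm  php-fpm
php-fpm  php-fpm
"""

# Primary group of each account, and `getent group` style supplementary members
PRIMARY_GROUP = {"root": "root", "apache": "apache", "php-fpm": "php-fpm"}
SUPPLEMENTARY = {"apache": set(), "web": {"apache"}, "php-fpm": set()}

Entry = namedtuple("Entry", "mode owner group path")
LS_RE = re.compile(
    r"^([dl-][rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\w+\s+\d+\s+[\d:]+\s+(.+)$")


def parse_ls(line):
    """One `ls -l` line -> Entry(mode, owner, group, path)."""
    m = LS_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable ls line: " + line)
    return Entry(*m.groups())


def groups_of(user, primary=PRIMARY_GROUP, supplementary=SUPPLEMENTARY):
    """Every gid the kernel puts in the process credentials for `user`."""
    return {primary[user]} | {g for g, m in supplementary.items() if user in m}


def has_perm(entry, user, user_groups, perm):
    """Classic DAC rule: owner bits if the uid matches, else group bits if ANY
    gid matches, else 'other' bits. Exactly one class is consulted, which is
    why 777 works for everyone while 775 works only for owner and group."""
    if user == "root":              # CAP_DAC_OVERRIDE bypasses these checks
        return True
    if user == entry.owner:
        bits = entry.mode[1:4]
    elif entry.group in user_groups:
        bits = entry.mode[4:7]
    else:
        bits = entry.mode[7:10]
    # s/t: execute bit set alongside setuid/setgid/sticky; S/T: execute bit clear
    bits = bits.replace("s", "x").replace("t", "x").replace("S", "-").replace("T", "-")
    return perm in bits


def dir_writable(entries, user, primary=PRIMARY_GROUP, supplementary=SUPPLEMENTARY):
    """Can `user` create files in the last entry? Needs search (x) on every
    ancestor directory and write+search (wx) on the target directory itself."""
    ug = groups_of(user, primary, supplementary)
    if not all(has_perm(e, user, ug, "x") for e in entries[:-1]):
        return False
    return all(has_perm(entries[-1], user, ug, p) for p in "wx")


def worker_users(ps_output, comm):
    """Non-root accounts that `comm` worker processes run as."""
    rows = (line.split() for line in ps_output.splitlines() if line.strip())
    return {user for user, name in rows if name == comm and user != "root"}


def diagnose(entries, ps_output=PS_OUTPUT, primary=PRIMARY_GROUP, supplementary=SUPPLEMENTARY):
    """For each daemon: is the files dir writable by the account it runs as?
    Under PHP-FPM the php-fpm row is the one Drupal's writability check sees."""
    return {(comm, user): dir_writable(entries, user, primary, supplementary)
            for comm in ("httpd", "php-fpm")
            for user in sorted(worker_users(ps_output, comm))}


def add_to_group(supplementary, user, group):
    """Model of `usermod -aG <group> <user>` (the answer's option 1)."""
    new = {g: set(m) for g, m in supplementary.items()}
    new.setdefault(group, set()).add(user)
    return new


def retarget(entries, **changes):
    """Model of chmod/chown on the target dir (777, or the answer's option 2)."""
    return entries[:-1] + [entries[-1]._replace(**changes)]


TREE = [parse_ls(line) for line in LS_LINES]

if __name__ == "__main__":
    print("as found: ", diagnose(TREE))
    print("chmod 777:", diagnose(retarget(TREE, mode="drwxrwxrwx")))
    print("option 1: ", diagnose(TREE, supplementary=add_to_group(SUPPLEMENTARY, "php-fpm", "web")))
    print("option 2: ", diagnose(retarget(TREE, owner="php-fpm", group="web")))
```

On a real host the equivalents of the constructed inputs are `ps -o user=,comm= -C php-fpm`, `id php-fpm`, the `user =` / `group =` lines of the pool configuration (on CentOS usually /etc/php-fpm.d/www.conf), and a direct probe such as `sudo -u php-fpm test -w /mnt/efs/website/publicfiles`. On the least-privilege question the poster raises: the static files only have to be written by the PHP process; httpd merely has to read and traverse them, so whichever of the two options is chosen, a 775 directory with the httpd account reaching it through `r-x` (other or group) is narrower than 777, and the group route is the one to pick if the git-pulling scripts in the web group also need write access.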