How to correctly configure ownerships / rights for a Symfony2 website on Debian

Question

I want to manage a Claroline website, (based on Symfony 2). So for my site mysymfony.com installed for user "theclient"

1 - 0 I added theclient to the www-data group : adduser theclient www-data

1 – 1 - modified /etc/hosts :

127.0.0.1   mysymfony.com

1 – 2 -created vhost /etc/apache2/sites-available/mysymfony.com :

<VirtualHost *:80> 
        ServerName mysymfony.com 
        DocumentRoot /var/www/mysymfony.com 
        <Directory /var/www/mysymfony.com/> 
                Options -Indexes 
                AllowOverride all 
                Order allow,deny 
                allow from all 
        </Directory> 
        ErrorLog ${APACHE_LOG_DIR}/error.log 
</VirtualHost>

1 – 3 - Actived : a2ensite mysymfony.com

1 – 4 - Reload server : service apache2 reload

1 – 5 - link to var/www :

ln -s /home/theclient/www/mysymfony.com/ /var/www/mysymfony.com

Then as root I :

1 – 6 - change ownership : chown -hR theclient:www-data /home/theclient/www/mysymfony.com

1 – 7 - change rights : chmod -R 755 /home/theclient/www/mysymfony.com and for the directories and files that can be written into :

chmod 775 app/cache/ app/logs/ app/config/ files/ templates/ vendor/ web/
chmod -R 775 app/cache/ app/logs/ vendor/ web/ 
chmod 775 composer.json composer.lock app/config/bundles.ini app/config/parameters.yml app/config/platform_options.yml

With this configuration i can correctly install the website (with the webinstaller or console based).

If i install a plugin as root, the plugin directory, its content, all Symfony config files et cache files are root:root => I need to redo a : chown -hR theclient:www-data /home/theclient/www/mysymfony.com Uploaded files belong to www-data:www-data (which is expected, but is not practical with scripts from user theclient. Same "problem" of files/directory ownership happen when flushing the cache (as root)

So it's not a bug, but if i want to be able to manage daily this site (develop/try/install plugins, flushing cache, upgrade ...)

So my question is could you provide a "precise" way of setting this kind of website (rights/ownership, management...) ?

Should "chown" and "chmod" be used there other than for the initial setting ? Thank you

score 1 · Answer 1 · answered Jan 28 '15 at 15:23

1

There are 4 precise ways to solve this problem outlined in official documentation: http://symfony.com/doc/current/book/installation.html#running-the-symfony-application Just scroll down to "Setting up Permissions" :)

answered Jan 28 '15 at 15:23

Mantas

4,259
2
27
32

Thanks for the link but, this is only for app/logs app/cache. What about when installing a plugin (cf above) : i got root:roo for the vendor plugin set. And more generally, what should be a general setting (or workflow of setting) for this kind of website (ie with dynamic generated content and console management) – Overdose Jan 28 '15 at 16:55

score 0 · Answer 2 · answered Jan 28 '15 at 17:27

0

You answered your own question:

If i install a plugin as root, the plugin directory, its content, all Symfony config files et cache files are root:root

DO NOT RUN composer or symfony scripts as root! Why would you? Run it as the client user.

If you have sudo you can open a shell as "theclient" with:

sudo -s -u theclient

answered Jan 28 '15 at 17:27

Frieder

1,208
16
25

I'm not sure what that implies. (Should i set special visudo lines for theclient). In any case, if, as theclient, i do : `composer update` in my symfony dir, after adding a line in the composer json, the installing is ok until symfony tries to clear the cache and then throws an error because some cache directories/files are generated by www-data:www-data (which is expected) and not (thecleint:www-data), although i added theclient to www-data group. So in this other error case would sudo help me ? In that particular case,i can only flush the cache as root (or www-data maybe) and do a shown... – Overdose Jan 30 '15 at 10:03
Ok, I see your problem now. It is your webserver setup. You do not run symfony as theclient (if you use it with the webserver php and not php-cli) but you run it as the user www-data. I assume you use apache and mod_php? This is general a bad idea. There are two solutions: – Frieder Jan 30 '15 at 12:24
I added a new answer because comment was too long and I can edit it 5min after first save. – Frieder Jan 30 '15 at 12:32

score 0 · Answer 3 · answered Jan 30 '15 at 12:31

Ok, I see your problem now. It is your webserver setup.

You do not run symfony as theclient (if you use it with the webserver php and not php-cli) but you run it as the user www-data. I assume you use apache and mod_php? This is general a bad idea. There are two solutions:

Keep your current setup, but then you have to run php-cli (composer and symfony commands) as www-data and a lot of files will be owned by www-data:www-data, but that is no problem, since your client is in the www-data group and can read and write those files. But this is not a good practice (you have to rely on openbase_dir or your client can read all your www-data files).
Change your webstack to use apache + mod_proxy_fcgi + php-fpm then you can run php as the correct user and all your problems (and many more of mod_php) are gone. There are good tutorials how to install php-fpm: https://wiki.apache.org/httpd/PHP-FPM

Thank you. Indeed, i use apache and mod_php. I will look into your solution apache+mod_proxy_fcgi+php-fpm. i never knew mod_php would be a "bad" idea, in my case, for ownership reasons. — Overdose, Jan 30 '15 at 14:20

How to correctly configure ownerships / rights for a Symfony2 website on Debian

3 Answers3