I'm trying to figure out how I would go about setting permissions (and ownership) that will just stick for a directory and its recursive contents, when creating new files or folders.
I'm using the XAMPP bundle under Ubuntu, which provides me with Apache (among other services).
By default Apache using XAMPP is configured to run under user daemon and group daemon.
I use the setgid bit to propagate the daemon group to newly created files and directories.
I also use ACL because when a component gets installed the owner is daemon and the group is daemon. So I also give myself ($THEUSER) permission via setfacl (as I would like to be able to edit files and create new files and directories).
But when the Joomla component gets installed by means of uploading a ZIP-file the user $THEUSER only gets read and execute permissions.
When I do a getfacl /opt/lampp/htdocs/joomla/administrator/components/com_mycomp I get this before installing the com_mycomp component and after running the script:
# file: opt/lampp/htdocs/joomla/components/com_mycomp/
# owner: theuser
# group: daemon
# flags: -s-
user::rwx
user:theuser:rwx
group::r-x
group:daemon:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:theuser:rwx
default:group::r-x
default:group:daemon:r-x
default:mask::rwx
default:other::r-x
Also, ls -ld for that directory then gives:
drwxrwsr-x+ 8 theuser daemon 4096 okt 19 10:02 /opt/lampp/htdocs/joomla/administrator/components/com_mycomp/
Then after installing (if it is already installed then deinstall first) the component, getfacl gives:
# file: opt/lampp/htdocs/joomla/components/com_mycomp/
# owner: daemon
# group: daemon
# flags: -s-
user::rwx
user:theuser:rwx #effective:r-x
group::r-x
group:daemon:r-x
mask::r-x
other::r-x
default:user::rwx
default:user:theuser:rwx
default:group::r-x
default:group:daemon:r-x
default:mask::rwx
default:other::r-x
Permissions shown by ls -ld remain the same (which is okay).
For anyone wondering about the group permissions being displayed wrong by ls: this is because the rw part of the rws part refers to the mask displayed by getfacl instead of the real permissions (another question answered that).
Note that the effective permissions for user theuser are r-x, and write has been taken away. How do I fix that? Do I need to change some setting inside Joomla? Or can it be solved using something outside of Joomla itself?
I'm using the script below to set initial permissions. Executing it as follows as user theuser:
sudo securepermissions.sh /opt/lampp/htdocs/joomla
This is the script:
#!/bin/bash
if [ ! -d "$1" ]; then
    echo -e "Error: folder doesn't exist or no folder given.\n"
    exit 1
fi
# XAMPP uses the 'daemon' group for Apache.
WWWGROUP="daemon"
# Script should be executed using 'sudo'.
THEUSER="$SUDO_USER"
# The Joomla-directory to set permissions for.
JOOMLADIR="$1"
# NON-ACL steps first.
# User needs to be able to read/write everything.
chown -R "$THEUSER:$WWWGROUP" "$JOOMLADIR"
# 2755 for directories; 0644 for files.
find "$JOOMLADIR" \( -type d -exec chmod 2755 {} + \) -o \( -type f -exec chmod 0644 {} + \)
# ACL-steps second.
# First remove existing ACL entries.
# And set ACL-permissions recursively for directories who should not be writable by web-server.
setfacl -bk "$JOOMLADIR" \
    -Rm m::rwx,d:m::rwx,u:$THEUSER:rwX,g:$WWWGROUP:rX,d:u:$THEUSER:rwX,d:g:$WWWGROUP:rX "$JOOMLADIR"
# Set ACL-permissions recursively for folders which should be writable by web-server:
setfacl -Rm g:$WWWGROUP:rwX "$JOOMLADIR/administrator/components"
setfacl -Rm g:$WWWGROUP:rwX "$JOOMLADIR/administrator/language"
setfacl -Rm g:$WWWGROUP:rwX "$JOOMLADIR/administrator/manifests"
setfacl -Rm g:$WWWGROUP:rwX "$JOOMLADIR/administrator/modules"
setfacl -Rm g:$WWWGROUP:rwX "$JOOMLADIR/administrator/templates"
setfacl -Rm g:$WWWGROUP:rwX "$JOOMLADIR/components"
setfacl -Rm g:$WWWGROUP:rwX "$JOOMLADIR/images"
setfacl -Rm g:$WWWGROUP:rwX "$JOOMLADIR/language"
setfacl -Rm g:$WWWGROUP:rwX "$JOOMLADIR/libraries"
setfacl -Rm g:$WWWGROUP:rwX "$JOOMLADIR/media"
setfacl -Rm g:$WWWGROUP:rwX "$JOOMLADIR/modules"
setfacl -Rm g:$WWWGROUP:rwX "$JOOMLADIR/plugins"
setfacl -Rm g:$WWWGROUP:rwX "$JOOMLADIR/templates"
setfacl -Rm g:$WWWGROUP:rwX "$JOOMLADIR/cache"
setfacl -Rm g:$WWWGROUP:rwX "$JOOMLADIR/administrator/cache"
setfacl -Rm g:$WWWGROUP:rwX "$JOOMLADIR/administrator/logs"
setfacl -Rm g:$WWWGROUP:rwX "$JOOMLADIR/tmp"
# Extra restrictive permissions for configuration.php:
setfacl -m g:$WWWGROUP:r,o:0000 "$JOOMLADIR/configuration.php"
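
The "#effective:r-x" annotation in the second getfacl listing follows from the POSIX ACL rule that named-user, owning-group and named-group entries are ANDed with the mask entry. As an added example (not part of the original post), the script below computes effective permissions from getfacl text and lists the entries the mask cuts down; the function names effective_perms and masked_entries are hypothetical, and the sample input is the post's second listing with the "# file:" and "# flags:" lines trimmed.

```shell
#!/bin/bash
# Added example: compute effective ACL permissions from getfacl text.
# Sample input: the "after install" listing quoted in the post (header trimmed).
ACL_AFTER='# owner: daemon
# group: daemon
user::rwx
user:theuser:rwx
group::r-x
group:daemon:r-x
mask::r-x
other::r-x
default:user::rwx
default:user:theuser:rwx
default:group::r-x
default:group:daemon:r-x
default:mask::rwx
default:other::r-x'

# Print "<entry> <granted> <effective>" for every access entry the mask
# applies to (named users, owning group, named groups). user:: and other::
# are never masked; default: entries only seed newly created children.
effective_perms() {
  awk -F: '
    /^#/ || /^default:/ || NF < 3 { next }
    { sub(/[ \t]*#.*/, "", $3) }   # drop a trailing "#effective:" annotation
    $1 == "mask" { mask = $3; next }
    ($1 == "user" && $2 != "") || $1 == "group" { tag[++n] = $1 ":" $2; perm[n] = $3 }
    END {
      for (i = 1; i <= n; i++) {
        eff = ""
        for (c = 1; c <= 3; c++) {
          p = substr(perm[i], c, 1); m = substr(mask, c, 1)
          # a bit survives only if granted and (no mask entry or mask allows it)
          eff = eff ((p != "-" && (mask == "" || m != "-")) ? p : "-")
        }
        print tag[i], perm[i], eff
      }
    }'
}

# List only the entries whose granted bits are reduced by the mask.
masked_entries() { effective_perms | awk '$2 != $3 { print $1 }'; }

printf '%s\n' "$ACL_AFTER" | effective_perms
```

On a file or directory that carries an ACL, chmod rewrites the mask entry from the group bits it is given, while the default:mask entry is left alone; that matches the listing, where mask is r-x but default:mask is still rwx.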