Symfony2 cache recreation - write permission fail - linux

Here is the problem.
The cache is stored in the app/cache folder. I'm currently working under the dev environment and my cache is stored in the app/cache/dev folder. The problem appears when I use the Symfony console command for cache clearing:
php app/console cache:clear
When I try to load my project at localhost/symfony/dev_app.php, I receive an error:
RuntimeException: Failed to write cache file
I've installed the setfacl extension, because Debian does not support chmod a+, and here is what I've done:
First, I checked which user is used when HTTP requests are performed:
ps aux | grep http
ahmed 7219 0.0 0.0 7552 884 pts/0 S+ 19:51 0:00 grep http
Then I cleared app/cache folder by performing
rm -rf app/cache/*
Next step was:
setfacl -R -m d:u:ahmed:rwx,ahmed:rwx app/cache
As I understand, this command sets default permissions for user ahmed on the app/cache folder and its current and new subfolders and files.
In my console I work under ahmed user.
After all these steps I loaded localhost/symfony/dev_app.php and the cache was created. Then
php app/console cache:clear
And once again localhost/symfony/dev_app.php to create a new cache. But I still receive this error:
RuntimeException: Failed to write cache file "/var/www/local/symfony/app/cache/dev/classes.php".
So what am I doing wrong?
Here is the listing of getfacl for app/cache/dev
ahmed@ahmed:/var/www/local/symfony$ getfacl app/cache/dev
# file: app/cache/dev
# owner: root
# group: ahmed
# flags: -s-
user::rwx
user:ahmed:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:ahmed:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

The web server group (probably www-data) needs to be able to write to the cache and so does your user. Your user (ahmed) should be a member of the www-data group (note that you will have to re-login for group membership to take effect). Setting the setgid bit (+s) on app/cache and app/logs will ensure that files and directories your user creates within those will maintain group ownership by www-data. Uncomment the umask(0002) line within app_dev.php so that files created by www-data will maintain group ownership, make sure YOUR user has a umask of 0002 (type umask at prompt to see, or umask 0002 to set, and google for help on setting this at login) and ensure that your permissions look something like:
drwxrwsr-x 13 user www-data 4096 2013-05-10 11:05 dev
When your user ahmed creates files/directories within the directory owned by ahmed.www-data with +s, you should find that they are also owned by ahmed.www-data.
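A check for the layout this answer describes (setgid directories, group write everywhere, nothing world-writable, a umask that keeps group write), as an added example that is not part of the original answer. The function name audit_shared_dir and its finding labels are made up for this illustration.

```shell
#!/bin/sh
# audit_shared_dir DIR
# Prints one finding per line for anything that breaks the shared-group
# layout and returns 0 when the tree is clean, 1 otherwise.
audit_shared_dir() {
    dir=$1
    findings=$(
        # Directories without setgid: files created there keep the creator's
        # primary group instead of inheriting the directory's group.
        find "$dir" -type d ! -perm -2000 -exec printf 'no-setgid %s\n' {} \;
        # Entries the group cannot write: the other account cannot replace them.
        find "$dir" ! -type l ! -perm -0020 -exec printf 'no-group-write %s\n' {} \;
        # World-writable entries: what a 777 shortcut leaves behind.
        find "$dir" ! -type l -perm -0002 -exec printf 'world-writable %s\n' {} \;
        # A umask whose group digit masks write (022, 027, ...) yields 0644 files.
        case $(umask) in
            (*[0145]?) ;;
            (*) printf 'umask %s\n' "$(umask)" ;;
        esac
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
}

# Usage: sh audit.sh app/cache   (runs only when a path is given)
if [ -n "${1:-}" ]; then audit_shared_dir "$1"; fi
```

Run it once as your own user and once as the web server user, since the umask finding depends on the account that creates the files.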

Related

ownership of file is changing automatically

How can I prevent changing the ownership of a file?
I have a file with permission as follows:
-rw-r-----. 1 netcool ncoadmin 1689 May 8 14:54 NCI_Constellation.proj
As part of RPM package installation, I am running a script which is supposed to write data into NCI_Constellation.proj file. Whereas the permission of the file is getting changed as follows during package installation and the writing to the file is not happening.
-rw-r-----. 1 root root 1689 May 8 14:54 NCI_Constellation.proj
Is there a way to not change the ownership of NCI_Constellation.proj file and keep it as it is as follows so that I will be able to write data to the file?
-rw-r-----. 1 netcool ncoadmin 1689 May 8 14:54 NCI_Constellation.proj
Please help.
The question is: what package does that file belong to and with what permissions?
rpm -qf /path/to/NCI_Constellation.proj
will give you the package owning this file (let's say NCI.rpm). Then
rpm -qlv NCI.rpm | grep NCI_Constellation.proj
will give you the owners and rights of this file as packaged by NCI.rpm. If you are the one packaging NCI.rpm, you should put something like this in your %files section:
%files
%attr(640,netcool,ncoadmin) /path/to/NCI_Constellation.proj
By the way, make sure that you really can write to the file with those permissions; test that first... Who is running the script to change this file? As which user? Then run it yourself manually as that user to make sure these file permissions will suffice.
You have two options, in my opinion.
First: add netcool to the root group by doing this:
$ sudo usermod -a -G root netcool
With this command your user is able to change and modify the file even after the permissions changed.
Second: make the netcool user a second root user by changing the /etc/passwd file.
For this, open the file with any file editor you want, then change the UID and GID to 0. After doing this, if you run $ grep netcool /etc/passwd you should see:
netcool:x:0:0: {the rest may change for anybody}.
We can prevent the changing of group of file by using setgid bit on directory. So if you add user netcool to ncoadmin and give write permission to ncoadmin then you can edit the file. Here is how you can set the SetGid bit on directory.
chmod g+s your_directory_containing_file(NCI_Constellation.proj)
Bit more about the setgid on directory:
setgid can be used on directories to make sure that all files inside the directory are owned
by the group owner of the directory. The setgid bit is displayed at the same location as the x
permission for group owner. The setgid bit is represented by an s (meaning x is also there)
or a S (when there is no x for the group owner). As this example shows, even though root
does not belong to the group proj55, the files created by root in /project55 will belong to
proj55 since the setgid is set.
root@RHELv4u4:~# groupadd proj55
root@RHELv4u4:~# chown root:proj55 /project55/
root@RHELv4u4:~# chmod 2775 /project55/
root@RHELv4u4:~# touch /project55/fromroot.txt
root@RHELv4u4:~# ls -ld /project55/
drwxrwsr-x 2 root proj55 4096 Feb 7 17:45 /project55/
root@RHELv4u4:~# ls -l /project55/
total 4
-rw-r--r-- 1 root proj55 0 Feb 7 17:45 fromroot.txt

Linux Set User and Group Ownership for Future Files and Folders

I was changing user and group ownership using the following command:
sudo chown -R apache:www /var/www
However, I noticed that whenever I added a new file or folder to that directory, the owner would be my current username instead of the intended user, apache. How can I modify the above command so that all future folders and files will be owned by apache:www? Or do I need to use an extra command?
You can use ACLs to do this. For example:
$ ls -ld /var/www
drwxr-xr-x 2 apache www 4096 Aug 7 13:53 /var/www
$ sudo setfacl -dRm u:apache:rwX,g:www:rwX /var/www
$ ls -ld /var/www
drwxr-xr-x+ 2 apache www 4096 Aug 7 13:53 /var/www
$ getfacl /var/www
# file: var/www
# owner: apache
# group: www
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:apache:rwx
default:group::r-x
default:group:www:rwx
default:mask::rwx
default:other::r-x
When new files are created there, they will still be owned by your user, but there will also be an ACL set on them granting privileges to the apache user:
$ touch donkey
$ ls -l donkey
-rw-rw-r--+ 1 gene gene 0 Aug 7 13:57 donkey
$ getfacl donkey
# file: donkey
# owner: gene
# group: gene
user::rw-
user:apache:rwx #effective:rw-
group::rwx #effective:rw-
group:www:rwx #effective:rw-
mask::rw-
other::r--
An overview of the command:
setfacl -dRm u:apache:rwX,g:www:rwX /var/www
The -d flag specifies that the operations apply to the Default ACL.
The -R flag sets operations to apply recursively.
The -m flag indicates it will be a modification operation.
Then after that it's pretty straightforward:
u:USERNAME:permissions
g:GROUPNAME:permissions
These entries must be separated by a comma.
The X permission (note: it's uppercase) means it will only be applied to directories and not files.
You can achieve that on the group level by using the SETGID (SET Group ID) flag of chmod:
chmod g+s <directory>
From the docs:
On most systems, if a directory’s set-group-ID bit is set, newly created subfiles inherit the same group as the directory, and newly created subdirectories inherit the set-group-ID bit of the parent directory.
Once you set that, newly created files and directories inside <directory> will be set to <group>. e.g.
chmod g+s /srv/www
will cause newly created files and directories inside /srv/www to have the group www.
You can verify that by executing ls -al which will show s for the group "execute" permission on the directory. e.g.
drwxr-sr-x. 5 apache www 4096 Mar 13 20:32 www
      ^
      SETGID
My guess is you need to change user before executing the command - a script something like this:
$ whoami
user1
$ su - apache
Password:
$ whoami
apache
[add file]
$ exit

How can I make apache read&write to a user's directory without setting a 777 permision

I set up a virtual host for the Apache server on Linux and set the document root to /home/someuser/www.
Now the permission of /home/someuser/www is the default; the problem is that Apache cannot write to /home/someuser/www.
Is there a way to make sure Apache has the ability to read and write to /home/someuser/www? I do not want to set www/ to 777.
At the moment, there is a folder named cache/ in www/. When Apache generates cache files in the cache/ folder, I want to use my user to make changes to www/cache/*.
Thanks.
Add the www-data to your user group. As root, replace <groupname> by the user group name:
usermod -a -G <groupname> www-data
Allow the group to read/write in the folder and setgid:
chmod -R g+rws /home/someuser/www

Linux: share permissions between users for SVN folders

On an Ubuntu machine I've set up an SVN repository, served with Apache.
All the SVN repository folders and subfolders (located under /var/svn/repos/) belong to the www-data user and group:
drwxr-xr-x 7 www-data www-data 4096 gen 21 10:38 software_repository
www-data is the Apache user.
Next I've a cron job that makes a nightly svnadmin dump of the repository, using my home user, let's say john_doe (joining the www-data group too). svnadmin dump command (and more...) are contained in a sh file called by the crond.
During cron job or launching it manually using user john_doe I get:
svnadmin: E160052: Revprop caching for '/var/svn/repos/sw/software_repository/db' disabled because SHM infrastructure for revprop caching failed to initialize.
svnadmin: E000013: Can't open file '/var/svn/repos/sw/software_repository/db/rev-prop-atomics.mutex': Permission denied
Because of Permission denied error, I've run the same sh script prepending sudo command, and everything works fine.
So, we have 2 possibilities:
Understand where the SVN error comes from.
Change permissions in a correct way for the john_doe user, used by cron.
For point #1 I've done some Google searches but I've found nothing...
For point #2, I think the correct way is not to set all permissions (recursively) of the group www-data on all SVN folders and subfolders. What could be done is to share permissions on SVN folders between the www-data user and john_doe. Or give the www-data group the same permissions (recursively) as the www-data user. Or something else, but for both solutions I have no idea of the correct command or configuration setting.
Solved running command:
chmod -R g=u software_repository
This fix is for solution 2. By the way, I have no clue where the SVN errors come from...

Linux, Why can't I write even though I have group permissions?

I want to create a file in a directory owned by the staff group which I am a member of. Why can I not do this?
bmccann@bmccann-htpc:~$ ls -l /usr/local/lib/R/
total 4
drwxrwsr-x 2 root staff 4096 2010-07-31 16:21 site-library
bmccann@bmccann-htpc:~$ id -nG bmccann
bmccann adm dialout cdrom plugdev staff lpadmin admin sambashare
bmccann@bmccann-htpc:~$ touch /usr/local/lib/R/site-library/tmp
touch: cannot touch `/usr/local/lib/R/site-library/tmp': Permission denied
Did you logout and log back in after making the group changes? See:
Super User answer involving touch permissions failure
I had the same issue, check if the folder has any more ACL rules or not!
If you can see + (plus sign) when you list folder, that means it has special access rules. For example:
[user_in_apache_group@web02 html]$ ls -l
total 16
drwxrwxr-x 16 apache apache 4096 Sep 4 13:46 ilias
drwxrwxr-x+ 15 apache apache 4096 Sep 4 13:46 ilias5
View the permission:
[user_in_apache_group@web02 html]$ getfacl ilias5
# file: ilias5
# owner: apache
# group: apache
user::rwx
user:user_in_apache_group:r-x
group::rwx
mask::rwx
other::r-x
So that means my user (user_in_apache_group) has no write permission for that folder.
The solution is what @techtonik said, add write permission for user:
[user_in_apache_group@web02 html]$ sudo setfacl -m u:user_in_apache_group:rwx ./ilias5
Check permission again:
[user_in_apache_group@web02 html]$ getfacl ilias5
...
user:user_in_apache_group:rwx
...
Hope it helps. ;)
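The listing in this answer shows why group membership alone did not help: a named user entry is consulted before any group entry. The following added example (not part of the original answer) reads getfacl output and reports which entry decides a request, following the check order documented in acl(5); the names acl_decide and sample_acl are made up for this illustration.

```shell
#!/bin/sh
# acl_decide USER "GROUP ..." PERM   (getfacl output on stdin; PERM is r, w or x)
# Prints "allow ENTRY" or "deny ENTRY", naming the access ACL entry that decided,
# and returns 0 for allow, 1 for deny. Default ACL entries are ignored.
acl_decide() {
    awk -v user="$1" -v groups="$2" -v want="$3" '
    function has(perms) { return index(perms, want) > 0 }
    function verdict(ok, entry) { print (ok ? "allow " : "deny ") entry; exit (ok ? 0 : 1) }
    BEGIN { n = split(groups, g, " "); for (i = 1; i <= n; i++) member[g[i]] = 1 }
    /^# owner: / { owner = $3; next }
    /^# group: / { ogroup = $3; next }
    /^#/ || /^default:/ || /^[ \t]*$/ { next }
    {
        sub(/[ \t]*#.*$/, "")                    # drop "#effective:..." notes
        split($0, f, ":")                        # tag:qualifier:perms
        if (f[1] == "mask") mask = f[3]
        else if (f[1] == "other") other = f[3]
        else if (f[2] == "") obj[f[1]] = f[3]    # user:: and group::
        else named[f[1] ":" f[2]] = f[3]         # user:NAME and group:NAME
    }
    END {
        if (mask == "") mask = "rwx"             # no mask entry: nothing masked
        if (user == owner) verdict(has(obj["user"]), "user::" obj["user"])
        k = "user:" user                         # a named user entry beats groups
        if (k in named) verdict(has(named[k]) && has(mask), k ":" named[k])
        # Group class: one matching entry granting PERM (after the mask) is
        # enough; if entries match but none grants it, other:: is never tried.
        if (ogroup in member) {
            hit = "group::" obj["group"]
            if (has(obj["group"]) && has(mask)) verdict(1, hit)
        }
        for (k in named) if (k ~ /^group:/ && (substr(k, 7) in member)) {
            hit = k ":" named[k]
            if (has(named[k]) && has(mask)) verdict(1, hit)
        }
        if (hit != "") verdict(0, hit)
        verdict(has(other), "other::" other)
    }'
}

# The ilias5 entries from the answer above, embedded so the block runs offline.
sample_acl() {
    printf '%s\n' '# owner: apache' '# group: apache' 'user::rwx' \
        'user:user_in_apache_group:r-x' 'group::rwx' 'mask::rwx' 'other::r-x'
}
sample_acl | acl_decide user_in_apache_group "apache" w || true
```

On a live system, pipe real output in instead: `getfacl DIR | acl_decide "$USER" "$(id -nG)" w`.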
Why can't Linux user edit files in group he is a part of?
I am using Ubuntu 12.04 and had the same problem where a user cannot write to a file to which he is allowed group access. For example:
whoami # I am user el
el
touch /foobar/test_file # make a new file
sudo chown root:www-data /foobar/test_file # User=root group=www-data
sudo chmod 474 /foobar/test_file # owner and others get only read,
# group gets rwx
sudo groupadd www-data # create group called www-data
groups # take a look at the groups and see
www-data # www-data exists.
groups el # see that el is part of www-data
el : www-data
Restart the terminal now to ensure the users
and groups have taken effect. Log in as el.
vi /foobar/test_file # try to edit the file.
Produces the Warning:
Warning: W10: Warning: Changing a readonly file"
What? I've done everything right why doesn't it work?
Answer:
Do a full reboot of the computer. Stopping the terminal isn't enough to fix these problems.
I think what happens is apache2 also uses the www-data group, so the task was somehow preventing the users and groups from being enforced correctly. Not only do you have to logout, but you have to stop and restart any services that use your group. If a reboot doesn't get it, you've got bigger problems.
Use Linux ACLs (access control lists); they are a more fine-grained version of the permission system:
setfacl -R -m 'group:staff:rwx' -m 'd:group:staff:rwx' /usr/local/lib/R/
This sets both active rights for directory and default rights for anything created within.
This fails to work without relogin if you've just added yourself to the staff group, but you may set the permission only for yourself for the current session.
I had an issue where a user could not access the /foo/bar/baz directory even when he had permissions, because he did not have access to the bar directory.
Maybe your hard disk is full. Use this command to check out the "/dev/..." rows.
df -h
Check if your parent directory has permission before you add content to that file:
sudo chmod -R 777 /yourDir/file.log
