
file and directory permission for developers


Francesco Ronzon

Tuesday 04 May 2010 6:05:51 am

Hi,

I'm the System Administrator of some servers (linux/debian) with several EZ installations.

Our developers need to work on a couple of EZ installations already in production, but, as suggested by the EZ documentation, most of the EZ directories and files are owned by the apache user and its group (www-data), so they cannot have permission to do it.

The question is: which EZ directories really need to be readable/writable/executable by www-data?

I'm sure we are not the only ones to face this issue, so I thank you in advance if you can suggest some links to previous answers (yes, I've tried the search function in this forum, but did not get anything).

/francesco

Christian Rößler

Tuesday 04 May 2010 7:20:18 am

Hi,

The most minimal solution is to give www-data write permissions (recursive) to the var directory of eZPublish. In there are stored the cache files, uploaded media resources (PDFs, images) and other stuff I can't remember right now.

A plus would be to give www-data write access to the settings/siteaccess/* and settings/override directories when users would like to edit eZPublish ini-configurations via the admin-interface. I've never enabled/done that, so cannot totally ensure if above directories are sufficient.

Another thing you might consider is to give www-data permissions to design/* and/or extension/XXXX/design/xxxx/override/... folders if your developers tend to use the ezpublish frontend-functionality to create template-overrides. I've never done this so I cannot ensure if those folders are the corresponding ones.

I've set up the files to be group writeable for www-data:
chmod g+w xxx and chgrp www-data xxx, so your developers are still the owners and www-data is able to write too - mostly ;-)

cheers,
chris

--
edit: added recursive statement and explanation of var directory

Hannover, Germany
eZ-Certified http://auth.ez.no/certification/verify/395613

Francesco Ronzon

Wednesday 05 May 2010 11:03:33 am

Thanks Chris for the answer.

The problem is that there are more than one developer on each installation, and I don't want them to share the same account, so they normally own a file/dir, and give full permission to the 'users' group so others can work on it, too.

Then, as you said, you are not sure about your advice but I cannot make any mistakes (since all installations are in production already)...

So, does anybody have an answer?

(to be honest it seems a bit weird, to me, it's just us facing this issue: sure there should be some documentation already published, isn't it?)

ciao,

Francesco

Bertrand Dunogier

Wednesday 05 May 2010 11:46:21 am

I can't think of any major lack in Christian's list. The first one (var) is mandatory. Settings and design depend on whether you use the extensions & design features from the GUI.

Bertrand Dunogier
eZ Systems Engineering, Lyon
http://twitter.com/bdunogier
http://gplus.to/BertrandDunogier

Gaetano Giunta

Thursday 06 May 2010 1:07:18 am

@francesco "more than one developer on each installation" - I think you'd be better off using an SCM tool where you can control complete change history on every file, rather than try to segregate developers using file permissions - at least as far as the dev and integration servers are concerned.

If you are talking about a prod server, giving each dev/admin an account, and making them all members of the same group is ok.

I confirm the list that Christian gave:

- by default only var/ needs to be writable

- var/autoload needs to be writable by apache if you want to be able to activate/deactivate extensions via the admin gui

- settings/override, settings/siteaccess and extension/xxx/settings need to be writable by apache if you want to be able to edit settings via the admin gui

- design/ and extension/xxx/design need to be writable by apache if you want to be able to edit templates via gui

some more advice:

- you do not need to have stuff in var world-readable, if www-data is the group to which both the devs and apache belong. You can look for the file permissions used by ezp when creating things in config.php (EZP_INI_FILE_PERMISSION), file.ini and image.ini

- if you run your cronjobs by processes other than apache, take care that if they crash they might leave lock files in the var/siteaccess/cache/ezmutex that later cannot be removed by apache. You can set up a cronjob to fix this

- setting up a cronjob that periodically checks for file perms is also a good idea if you fear your devs will create problems when uploading stuff with bad privileges

Principal Consultant International Business
Member of the Community Project Board
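
The periodic permission check suggested in the reply above, as a shell function. This is an added example, not code from the thread or from eZ Publish; it assumes Apache reaches the files through its group (www-data) while developers own them, and the function name, output labels and install path are made up for illustration.

```shell
#!/bin/sh
# Added example: audit an eZ Publish tree against the permission layout
# described in this thread. Assumption: Apache reaches the files through its
# group (www-data), and developers own them, as in Christian's setup.
#
# usage: audit_ezp_perms ROOT WEBGROUP [WRITABLE_DIR ...]
#   WRITABLE_DIR is relative to ROOT; defaults to "var", the only directory
#   that must be writable by default. Prints one finding per line.
audit_ezp_perms() {
    root=$1; webgroup=$2; shift 2
    [ $# -gt 0 ] || set -- var
    (
        cd "$root" || exit 2

        # 1. Nothing in the tree should be world-writable.
        find . ! -type l -perm -0002 -print |
            sed 's|^\./||; s|^|WORLD-WRITABLE |'

        # 2. The web group may write only below the allowed directories.
        find . ! -type l -group "$webgroup" -perm -0020 -print |
        while IFS= read -r p; do
            p=${p#./}; ok=no
            for a in "$@"; do
                case "$p" in "$a"|"$a"/*) ok=yes ;; esac
            done
            [ "$ok" = yes ] || printf 'WEB-WRITABLE %s\n' "$p"
        done

        # 3. Inside the allowed directories, everything must be writable by
        #    the web group (catches files left behind by cron jobs or uploads
        #    done under another account).
        for a in "$@"; do
            [ -e "$a" ] || continue
            find "$a" ! -type l \( ! -group "$webgroup" -o ! -perm -0020 \) -print |
                sed 's|^|NOT-WEB-WRITABLE |'
        done
    )
}

# Run from cron with arguments, e.g. (hypothetical install path):
#   sh audit_ezp_perms.sh /var/www/ezpublish www-data var settings/override
if [ $# -ge 2 ]; then
    audit_ezp_perms "$@"
fi
```

An empty output means the tree matches the layout; pass settings/override, settings/siteaccess or design as extra arguments only if the admin GUI features that need them are in use.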
