Aegir Permissions Best practices

ldweeks's picture

Fair warning: I'm a relative noob when it comes to server admin.

I have a server running Ubuntu 9.04 and aegir. In order to do work on the server, I have to log in with my own username and password over SSH, switch to the aegir user (who cannot log in to the server), and then do what I need to. I'm working on a module right now, and it's very annoying to go through that entire rigamarole in order to do my work. I also have a guy working on a theme, and I had to change the theme owner to something other than aegir in order for him to be able to SFTP in and do his work.

What are the best practices (heck, I'd be happy with "less annoying practices") in terms of giving myself (and perhaps others) read/write access to files on the server?

Thanks!

Comments

mig5's picture

Quick answer: the best way at the moment, is to add the relevant user(s) to the 'aegir' group.

Then make sure that the files and dirs are owned by aegir:aegir (where required) and that the group can write to the files (i.e. chmod 2774 or something).

Obviously some directories' groups are www-data for uploading files, such as the files/ dir itself in a site.

But yes if the theme in question is writable by the aegir group, and the guy is a member of the aegir group, then he should be able to modify those files as needed over SFTP.

After you add him to the group he will need to log out and log back in if he isn't already logged out at the time.

good luck!

Slow answer: Linux ACLs

malclocke's picture

Ok, first off apologies ldweeks but this conversation may go a bit beyond 'relative noob' level, but I'm glad it's come up because it's been playing on my mind for a while.

I use Linux ACLs to achieve this. This allows you to apply extra permissions to files and directories above the standard user:group:other permission sets. So, for example, I set the following permissions up in addition to those that are set by aegir.

  • By default, nothing is readable by 'other'. This stops users on the system browsing into the directory trees of other users sites.
  • The user who 'owns' the site can write to everything.
  • The aegir group can write to everything.
  • The 'drupaladmin' group can write to everything. This group contains staff at our company.
  • The www-data group can read everything, and write to the files/ directory.

The file system that contains your Drupal sites needs to be mounted with ACLs enabled, and you'll also want to 'aptitude install acl' to get the getfacl and setfacl commands. Usage of those is probably too involved for this thread; their man pages will explain.

I actually think this is something that Aegir will need to address at some point, and support for ACLs would be a good option. By provisioning a site for someone, you are going to have to give them access to the filesystem to install modules, and are therefore probably going to want more granular permissions than what is currently available. At present, the only way to do so is to change the ownership of the site files in a way that will break Aegir's migration, backup, clone, etc. commands, or just give the user carte blanche to every Aegir site on the server.

Of course, a savvy user could install a Drupal module to allow the web server to browse other users' files (unless using ITK or similar ... is anyone doing so in production?), but that's a whole 'nother story ...

Malc
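
A way to check a site tree against the advice in the two answers above (mig5's shared group and setgid mode, malclocke's rule that 'other' gets nothing), added here as an example and not code from any poster or from Aegir. The function name and its output labels are made up for this example; it only reads permissions and changes nothing.

```shell
#!/bin/sh
# Added example (not from the thread): audit a site tree against the
# permission advice above. GROUP would be "aegir" on the poster's server.
# Prints one "finding path" line per problem; prints nothing for a clean tree.
audit_site_perms() {
    dir=$1
    group=$2

    # mig5: everything belongs to the shared group ...
    find "$dir" ! -type l ! -group "$group" \
        -exec printf 'wrong-group %s\n' {} \;

    # ... and that group can write to it (mode bit 020).
    find "$dir" ! -type l ! -perm -020 \
        -exec printf 'not-group-writable %s\n' {} \;

    # The leading 2 in "chmod 2774" is setgid. On a directory it makes new
    # files inherit the directory's group rather than the creator's own.
    find "$dir" -type d ! -perm -2000 \
        -exec printf 'dir-missing-setgid %s\n' {} \;

    # malclocke: nothing is accessible to 'other' (bits 004, 002, 001).
    # These bits are also the 'other' entry when ACLs are in use.
    find "$dir" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) \
        -exec printf 'other-can-access %s\n' {} \;
}

# Run as: sh audit.sh /path/to/site aegir   (script name is hypothetical)
if [ "$#" -eq 2 ]; then
    audit_site_perms "$1" "$2"
fi
```

A site's files/ directory, whose group is www-data as mig5 notes, will be reported as wrong-group when audited against aegir; audit it separately with that group name.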

attiks's picture

FYI: for more info on ACL see http://www.vanemery.com/Linux/ACL/linux-acl.html, it helped me

mig5's picture

Nice response Malc. We did have an itk extension written for Aegir in much earlier days but it was pulled out due to scope difficulties during an earlier release cycle. I imagine something similar will be reintroduced at a later date but it is probably outside the scope of the 6.x-0.4 stable release.

Dane Powell's picture

Thanks Malc for the informative post. You seem to imply that you're not happy with that setup- that there are incompatibilities with Aegir- could you please explain why that is/what those are? I would like to use Aegir to manage a number of client sites; obviously one client shouldn't be able to access another's files, while they should have total control over their own files (to add custom modules and themes). Such a configuration seems completely impossible with basic Unix permissions.

Another hurdle I'm trying to figure out is how to maintain the various Drupal platforms (core installations) while keeping all of the individual site files in users' home directories. (this makes backing up way easier- all of each user's files are in one place!) I'm thinking this could be done by symlinking each site in the Aegir platform to the actual site directory in /home/user/drupal/example.com, but I imagine Aegir won't be very happy about this... any brief thoughts on how to solve this? (sorry for the small hijack!)

malclocke's picture

Dane,

The problem is really with PHP / Apache, not Aegir specifically. I'd say the problem is widespread for shared PHP hosting, and probably most Aegir installations would be susceptible to something like the following:

  • User writes a module that finds all settings.php files on the server
  • Module makes a MySQL dump of each database on the system using the settings
  • Module also has a file browser component that allows the module uploader to browse all files on the system. Most web files will need to be readable by the web server user, so would be available

I've actually seen Joomla modules in the wild like this, but never seen a Drupal one. I suspect they exist though.

The solution is to run each virtualhost as a different user, but there really isn't any nice way to do this that I'm aware of. As mig5 pointed out, mpm-itk has been tried but kind of dropped, and as far as I can see it is not actively maintained any more. One thing I have read about it (but haven't had the chance to confirm) is that each Apache process has a lifetime of one request. If this is true it's basically a non starter from my point of view.

Probably the most commonly used method is using FastCGI and Suexec. This seems to have a few limitations but basically works and seems to be the most commonly deployed mechanism by people running shared hosting. I have had this running in test environments, but have never tried it with Drupal.

If anyone has any better solutions I'd be keen to hear.

I've kind of stopped using Aegir now, because I need lots of different users to be able to upload files, modules, etc, and despite my best efforts the permissions usually get stuffed enough for Aegir to not be able to run upgrades, do backups, etc. In the end it just became easier to manage it manually.

I actually use something similar to your proposed setup of site dirs in the user directories symlinked from the core installs. I use Puppet to manage the rollout of Apache configuration over multiple web servers, and a few convenience scripts for setting up / checking out scm, managing modules, etc. I suspect you may be able to configure Aegir to do this, but I'm not sure how much work this would be and what sort of overhead you would incur reapplying to each Aegir upgrade. Going against the grain like this in Drupal usually ranges from painful to agonising in my limited experience ;) That said, Aegir is one of the better pieces of code in the Drupal world so it may not be so bad.

SELinux & LinuxACL

MacRonin's picture

First, I have no hands-on experience with SELinux, but was wondering if anyone has given any thought as to how well SELinux would fit with AEgir's security plans. And how it compares with the mentioned ACL as far as ease of use and implementation.

http://selinuxproject.org/page/Main_Page
http://en.wikipedia.org/wiki/Security-Enhanced_Linux

Cross-platform?

temujin9's picture

Unless you are planning to exclude (or code separate systems for) WAMP and MAMP, perhaps ACL or SEL should be done as an optional add-on. I've already heard complaints about the default permissions being a problem in deploying Aegir on MAMP.

newly created sites

jezjez's picture

Hello,

How do you set permission bits/ACLs on newly created sites? Is there any way to override default permissions? E.g. set an ACL for drushrc.php, which is readable only by the aegir user. Are there any reasons why the permissions are so strict?
