Hello all, I would like to solve or to know if it is possible to solve a permission related problem.

I run my webserver with the following configuration:

  • primary group: www-data
  • supplementary group: www-contents

The user who manages the drupal installation is named
"drupal" and has the following groups:

  • primary group: drupal
  • supplementary group: www-contents.

Once installed the drupal directory tree is owned by the
group www-contents. In this way

  • the user drupal can read and modify its contents;
  • the webserver can read its contents and if correctly
    set can modify it.

Now comes my problem.

Drupal needs to write the files under sites/default/files. I've
given to this folder the following permissions:

    drwxrws--- drupal  www-contents  web/sites/default/files

The folder is owned by the group www-contents and has the
setgid bit. The intention is that all the stuff created under
it would receive the group www-contents. But this is not
what happens. Drupal plays some unexpected stuff with the
files it creates. Some files/folders are created here but Drupal
changes the permission bits, other files/folders are created
in other places (upload_tmp_dir in php.ini) and moved here. For
some files/folders Drupal takes into account the settings

    $settings['file_chmod_directory']
    $settings['file_chmod_file']

in settings.php, but not for others (especially those under
sites/default/files/php).

Now I will mention below what I was able to do and what I
was not able to do... and I would ask for some suggestions.

  • I was able to make the following:

    <folder> sites/default/files/css
    <folder> sites/default/files/js
    <folder> sites/default/files/2023-02
    <folder> sites/default/files/media-icons

    receive the group www-contents and the setgid bit.

    This was solved by setting both 'chmod' settings in settings.php
    and upload_tmp_dir in php.ini. The folder configured in upload_tmp_dir
    has the setgid.
     

  • But I was not able to set the permissions for

    files/php, files/php/twig/*, files/styles

    Drupal creates these folders under sites/default/files
    and then removes the setgid bit. It doesn't play the same
    game with these folders as with those under sites/default/files/css (above)
    for example.

What options do I have to configure Drupal to assign the
permissions I want to all the files under web/sites/default/files?
Am I going in the correct direction, or would a better choice be
to have the user drupal belong to the group www-data, and give
up the group www-contents?

I also want to mention that there are a lot of folders under
php/twig that have the following permissions:

    [drwxrwxrwx www-data www-contents        4096]  php
      [drwxrwxrwx www-data www-data       12288]  twig
        [drwxrwxrwx www-data www-data        4096]  63fce3ca92908_block.html.twig_oYLmjQ3eogxXz0i1BDiNQsQ1R
These permissions allow anybody to write stuff into these
folders!

Cristian
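
A read-only audit for the three conditions described in the post above (world-writable entries, directories that lost the setgid bit, entries outside the expected group), as an added example that is not part of the original post or of Drupal. The function name `audit_files_tree` and the label strings are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): read-only audit of a Drupal
# files tree. Nothing is modified; each finding is printed as "LABEL path".
# The labels and the function name are made up for this example.

audit_files_tree() {
    root=$1     # e.g. web/sites/default/files
    group=$2    # group every entry should carry, e.g. www-contents

    findings=$(
        # Files and directories writable by "other" (o+w), as in drwxrwxrwx.
        find "$root" \( -type d -o -type f \) -perm -0002 \
            -exec printf 'WORLD-WRITABLE %s\n' {} +

        # Directories without setgid: entries created inside them get the
        # creating process's primary group, not the directory's group.
        find "$root" -type d ! -perm -2000 \
            -exec printf 'NO-SETGID %s\n' {} +

        # Entries whose group is not the expected one.
        find "$root" ! -group "$group" \
            -exec printf 'WRONG-GROUP %s\n' {} +
    )

    # Exit status 0 means a clean tree, 1 means at least one finding,
    # so the function can gate a cron job or a deployment check.
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run as: sh audit.sh web/sites/default/files www-contents
if [ "$#" -eq 2 ]; then
    audit_files_tree "$1" "$2"
fi
```

Running it after a cache rebuild shows which directories were re-created without the setgid bit or with the web server's primary group.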
 

Comments

timjohnson2584

Great information, very comprehensive and easy to understand.