Lack of setgid on 'templates_c' results in sub-directories not having the correct permissions:

drwxrwx--x 4 aegir aegir 4096 mai 9 08:22 %%6B

but such directories must be aegir.www-data.

This was caused by 45a13e95180beb9c7d03fcbcfbca95725bc2af7e. 'fix-permissions' does not setgid on the directory.

So when a CiviCRM 'job' (cron) generates template files, it might create files with the wrong permissions, which can then not be accessed by the webserver, resulting in partial/empty pages in CiviCRM.

Comments

bgm created an issue.

bgm’s picture

bgm CreditAttribution: bgm at Coop SymbioTIC commented

Coop SymbioTIC workaround: override the fixpermission shell script:

https://github.com/coopsymbiotic/coopsymbiotic-ansible/blob/bc270250ecdf...

and https://github.com/coopsymbiotic/coopsymbiotic-ansible/commit/493afcecd0...

This will be difficult to hook/override cleanly in aegir-core without decoupling?

doka’s picture

doka CreditAttribution: doka commented

Confirmed the permission error, and the #2 patch works as workaround.

ShaneOnABike’s picture

ShaneOnABike CreditAttribution: ShaneOnABike commented

This worked although for some reason the user group had been changed to aegir:www-data, which I had to revert back in order for it to properly work. Although I would have thought setting the guid would have done that?

Perhaps the solution would be for us to create a new fix permissions script specifically for hosting civicrm so that it could repair everything after the other script has launched??

bgm’s picture

bgm CreditAttribution: bgm at Coop SymbioTIC commented

I feel that this should be in Aegir core. It's a form of coupling, but there is already plenty of civicrm-specific support in Aegir core. Doing it separately (with a new script) feels a bit overkill because we would need to re-implement everything (install, sudo rules, script..).