Best way to ensure the contents of a directory are always owned by Apache

We have a couple of Apache VirtualHosts on a CentOS 7 server, and the PHP sometimes requires the ability to create/edit/delete files and/or folders, so it's important that the permissions always be apache.apache recursively.

The deployments are done via Jenkins, as the Jenkins user, and I know I can just add a simple shell execution to chown -R apache.apache /var/www/website, and I will, but if someone other than myself does a manual deployment, or anything that would change the permissions, such as creating a new file or folder, then it could potentially cause some issues.

I thought about just making a cron job to chown the entire directory every so often, but there are going to be 4 different VHosts, and possibly a large number of files for each, so doing that frequently isn't optimal; then again, not doing it frequently means there could be issues between when the perms were changed and when the cron job runs.

So does anyone know of a good way to make sure the owner is always set (recursively) for a specific directory, regardless of what user does what?

I first thought of sticky bits, but that would only work for the permissions, not ownership.

I then thought about using something like entr, which I found via a simple Google search. It's not available in any repo I could find, so you have to install it manually, but it basically fires off commands you specify when it sees any changes in folders/files, so something like

ls -d /var/www/foo.company.com | entr sh -c 'chown -R apache.apache /var/www/foo.company.com && echo "Chowned at $(date)" >> /var/log/entr.log'

would suffice... But I'm sure there's a solution that doesn't require manually installing this binary on the servers (I try to manage the packages via yum as much as possible)

Any help would be appreciated!

Thank you

Update

Zoredache mentioned that I should just add the apache user to the group of the other user that requires write permissions (which is jenkins, since that's how I'm doing deployments), then set the group ID (setgid) bit (chmod 2775).

I like this approach, but now I'm running into an issue.

Here are the console commands/output related to the permissions:

[root@svr www]# chown -R apache.apache www.company.com
[root@svr www]# chmod -R 2775 www.company.com
[root@svr www]# getfacl www.company.com/
# file: www.company.com/
# owner: apache
# group: apache
# flags: -s-
user::rwx
group::rwx
other::r-x
[root@svr www]# ls -l
total 0
drwxrwsr-x. 2 apache apache  6 Apr 29 09:47 www.company.com

So it looks OK, right? However, when I try a deployment, I get a permissions issue... but if I change the directory back to 0775, it works. Why won't it work when I set the setgid bit?

Justin

Posted 2016-04-29T16:56:26.117

Reputation: 153

Why does apache need ownership? Just put apache in a group that will have write access to the required directory, and set the group ID bit on the directories (not the sticky bit). So 2775 for the directory apache needs write access to. – Zoredache – 2016-04-29T17:29:09.653

That may help, but is there a way to permanently chmod g+rwx? I use Jenkins for deployments, and I have Jenkins in the apache group (and vice versa), and I'll chown -R apache.apache /var/www && chmod -R 775 /var/www, so since the jenkins user is in the apache group, it can rwx, but right when the deployment starts, for some reason, the write access for the group drops... can't figure out why. So if there's a way to give write access to the group in a way that it can't be undone (unless by root), that would work – Justin – 2016-04-29T20:53:10.570

If all the directories are 2775, and the umask of all the people/processes writing to the directory is 0002, then every file will be owned by the group, and group writeable. – Zoredache – 2016-04-29T21:00:54.653
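The setgid-directory behaviour Zoredache describes in the comments, as an added example that is not part of the original thread: the script below builds a small tree with mode 2775, creates a subdirectory and two files under different umasks, and shows which properties the setgid bit actually fixes (group ownership) and which it does not (the group-write bit, which still comes from the creating process's umask). It also includes a small audit that lists every path that has drifted out of line, and a fix routine that puts a tree back into the 2775/group-writable state. The group used for the demonstration is whatever secondary group the current user happens to have (or a fixed GID when run as root), so the `site`, `releases` and `deploy-*.txt` names, and the choice of group, are assumptions for the example, not anything from the original server.

```shell
#!/bin/sh
# Added example (not from the original post). Demonstrates setgid group
# inheritance versus umask, then audits and repairs a deployment tree.
set -eu

# Pick a group to demonstrate inheritance with. A secondary group of the
# current user makes the effect visible (new files get the directory's group
# instead of the creator's primary group); fall back to GID 1 as root, or to
# the primary group otherwise. Assumption for the example only.
pick_group() {
    primary=$(id -g)
    secondary=$(id -G | tr ' ' '\n' | grep -vx "$primary" | head -n 1)
    if [ -n "$secondary" ]; then
        echo "$secondary"
    elif [ "$(id -u)" = 0 ]; then
        echo 1
    else
        echo "$primary"
    fi
}

# Numeric GID of a path, using only POSIX ls (-n prints numeric owner/group).
gid_of() { ls -ldn "$1" | awk '{print $4}'; }

# Ten-character mode string such as drwxrwsr-x; substr() drops the trailing
# "." or "+" that SELinux contexts or ACLs add on some systems.
mode_of() { ls -ld "$1" | awk '{print substr($1, 1, 10)}'; }

# Create $1 as a 2775 directory owned by group $2, then populate it the way a
# deployment would: one subdirectory and two files written under different
# umasks. 022 is the usual daemon default (e.g. a Jenkins agent), 002 is what
# the comments recommend.
setup_site() {
    mkdir -p "$1"
    chgrp "$2" "$1"
    chmod 2775 "$1"                                   # rwxrwsr-x, 's' = setgid
    (umask 002; mkdir "$1/releases")                  # inherits group AND setgid
    (umask 022; : > "$1/deploy-022.txt")              # inherits group, mode 644
    (umask 002; : > "$1/deploy-002.txt")              # inherits group, mode 664
}

# Print every path under $1 that violates the intended state: wrong group,
# directory without setgid, or regular file not writable by the group.
audit_tree() {
    find "$1" ! -group "$2"
    find "$1" -type d ! -perm -2000
    find "$1" -type f ! -perm -020
}

# Put a tree back into the intended state. Directories get 2775 so future
# children inherit the group; files only gain g+rw, leaving execute bits alone.
fix_tree() {
    chgrp -R "$2" "$1"
    find "$1" -type d -exec chmod 2775 {} +
    find "$1" -type f -exec chmod g+rw {} +
}

# Walk through the whole demonstration and print what was observed.
demo() {
    base=$(mktemp -d)
    grp=$(pick_group)
    setup_site "$base/site" "$grp"
    for p in releases deploy-022.txt deploy-002.txt; do
        printf '%-16s group=%-6s mode=%s\n' "$p" \
            "$(gid_of "$base/site/$p")" "$(mode_of "$base/site/$p")"
    done
    echo "drifted before fix:"; audit_tree "$base/site" "$grp"
    fix_tree "$base/site" "$grp"
    echo "drifted after fix: $(audit_tree "$base/site" "$grp" | wc -l | tr -d ' ')"
    rm -rf "$base"
}

[ "${1:-}" = "--demo" ] && demo
```

Run it as `sh setgid-demo.sh --demo`. The output shows the point the comments are making: every new entry carries the directory's group, and new subdirectories carry the setgid bit as well, but `deploy-022.txt` still ends up `-rw-r--r--` because the bit that lets the group write is decided by the creating process's umask, not by the parent directory. That is also the shape of the symptom Justin reports: a deploy step whose process runs with umask 022, or a copy tool that preserves source modes (`rsync -a` and `tar -p` both do), will drop group write on whatever it touches even though the directory is 2775. The audit is cheap enough to run from cron far more often than a recursive chown, since it only reports and `fix_tree` only rewrites what the audit finds. Two small notes: GNU chown accepts `apache.apache`, but `apache:apache` is the documented separator and the one worth using in scripts; and if the umask of the deploying process cannot be controlled, a default ACL on the directories (`setfacl -d -m g:apache:rwx`) grants the group write access on new files independently of umask, which is the behaviour the `getfacl` output in the question would then show.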

No answers