Reset File Permissions In Domain Group

MageStack provides extremely consistent file permissions across all services (SSH/FTP/Web) when used correctly. However, misuse or abuse of the root user, or permissions that have been set incorrectly by hand, can lead to both security and stability problems.

A script to reset permissions can be found in,

/microcloud/scripts_ro/domain-group_permfix.sh

There are a number of options that can be supplied to reset permissions,

domain-group_permfix.sh Usage:

domain-group_permfix.sh [domain-group] [domain]

  domain-group   Domain group (eg. example)
  domain         Domain name (eg. example.com)

Basic permissions

The script will set basic permissions by default, which should be sufficient for most users. This allows full read/write access for the www-data user in both the web and acc environment.

It is an effective means to reset permissions quickly without any ill effects. Whilst it is less complex than advanced permissions, it is also less secure.

To fully understand basic permissions and the implications it has on chmod, you can visualise it like this,

chmod 770 /path/to/file
      |||
      ||└ Permissions for "everyone", this should almost always be set to 0
      |└─ Permissions for both acc and web servers
      └── Permissions for both acc and web servers

Advanced permissions

Advanced permissions introduce a form of isolation between the www-data user on the acc server and the www-data user on the web server by changing the user ID.

Advanced permissions are not enabled per domain-group/vhost, but are instead enabled for all domain-groups/vhosts.

To fully understand advanced permissions and the implications it has on chmod, you can visualise it like this,

chmod 770 /path/to/file
      |||
      ||└ Permissions for "everyone", this should almost always be set to 0
      |└─ Permissions for web servers only
      └── Permissions for acc servers only

The defaults set by advanced permissions are,

Permission   Path            Type
750          *               Directories
740          *               Files
700          cron.sh         -
770          (media|var)/*   Directories
660          (media|var)/*   Files
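
As an added example (not part of the MageStack tooling), the following read-only script compares a vhost tree with the defaults above and lists every entry whose mode differs, flagging any that grant access to "everyone". The function names, and the reading of "(media|var)/*" as anything below a directory named media or var, are assumptions.

```shell
#!/bin/sh
# Added example: read-only audit of a vhost tree against the advanced-permission
# defaults on this page. Assumes `stat -c` and `find -mindepth` (GNU or busybox).

# expected_mode TYPE PATH: print the mode the table prescribes (TYPE is d or f).
# Assumption: "(media|var)/*" means anything below a directory named media or
# var at any depth; the media/var directory itself is treated as "*".
expected_mode() {
    if [ "$1" = f ] && [ "${2##*/}" = cron.sh ]; then
        echo 700
        return 0
    fi
    case "$2" in
        (*/media/*|*/var/*) if [ "$1" = d ]; then echo 770; else echo 660; fi ;;
        (*)                 if [ "$1" = d ]; then echo 750; else echo 740; fi ;;
    esac
}

# audit_tree ROOT: print "ACTUAL EXPECTED FLAG PATH" for every deviating entry.
# FLAG is WORLD when the "everyone" digit is non-zero, otherwise "-".
# Returns 0 if the tree matches, 1 on deviations, 2 if ROOT is unreadable.
audit_tree() {
    findings=$(
        cd "$1" || exit 2
        for t in d f; do
            find . -mindepth 1 -type "$t" -exec stat -c '%a %n' {} + |
            while read -r mode path; do
                want=$(expected_mode "$t" "$path")
                [ "$mode" = "$want" ] && continue
                case "$mode" in (*0) flag=- ;; (*) flag=WORLD ;; esac
                echo "$mode $want $flag $path"
            done
        done
    ) || return 2
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage: sh audit.sh /microcloud/domains/example/domains/example.com
if [ "$#" -gt 0 ]; then audit_tree "$1"; fi
```

Paths in the report are relative to the directory given; file names containing newlines are not handled.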

Enable advanced permissions

Create the following file,

/microcloud/domains/.advanced_permissions_enabled

After which, execute the domain-group_permfix.sh script. The process may take a while, as it involves changing the user ID on all domain-groups/domains on your stack.

Disable advanced permissions

Remove the following file,

/microcloud/domains/.advanced_permissions_enabled

After which, execute the domain-group_permfix.sh script.

Using hooks

After the script applies the standard permissions, it may be necessary to execute a post-completion script to correct any permissions for custom modules/applications you have installed.

After the permissions are corrected for each domain, a post-completion bash script is created and executed; you can find it within the respective vhost's directory.

Eg. For example.com

/microcloud/domains/example/domains/example.com/.domain-group_permfix.post.sh

Examples

Basic: Reset permissions for example.com

Change directory to the domain that needs to be repaired and execute the script,

cd /microcloud/domains/example/domains/example.com
/microcloud/scripts_ro/domain-group_permfix.sh

Which results in,

example: example.com
  > Creating '.domain-group_permfix.post.sh' post-fix hook script
  > Fixing ownership ... OK
  > Fixing directory permissions ... OK
  > Fixing file permissions ... OK
  > Fixing cron permissions ... OK
  > Fixing media/var file permissions ... OK
  > Fixing media/var directory permissions ... OK
  > Running post script ... OK

Advanced: Reset permissions for all domain-groups/vhosts

Execute the script,

/microcloud/scripts_ro/domain-group_permfix.sh

Which results in,

Advanced permissions have been enabled, this will affect all domain groups and domains (not just the specified domain):
 - example

Press y, then Enter to continue, at the end of execution, you may be logged out for the changes to be applied properly.

example: example.com
  > Creating '.domain-group_permfix.post.sh' post-fix hook script
  > Fixing ownership ... OK
  > Fixing directory permissions ... OK
  > Fixing file permissions ... OK
  > Fixing cron permissions ... OK
  > Fixing media/var file permissions ... OK
  > Fixing media/var directory permissions ... OK
  > Running post script ... OK

To complete permission fix, press any key to continue (this may kill your session) ...

Using a post-completion script for WordPress Uploads

For example.com, to allow a WordPress installation in /blog to upload media, populate the completion script,

/microcloud/domains/example/domains/example.com/.domain-group_permfix.post.sh

With the following,

#!/bin/bash
chmod 770 /microcloud/domains/example/domains/example.com/http/blog/wp-content

Then execute domain-group_permfix.post.sh for the respective domain-group/vhost.