Reset File Permissions
MageStack provides extremely consistent file permissions across all services (SSH/FTP/Web) when used correctly. However, misuse/abuse of the root user or incorrect, manually set permissions can lead to both security and stability problems.
A script to reset permissions can be found in,
/microcloud/scripts_ro/domain-group_permfix.sh
There are a number of options that can be supplied to reset permissions,
domain-group_permfix.sh Usage:
domain-group_permfix.sh [domain-group] [domain]
domain-group Domain group (eg. example)
domain Domain name (eg. example.com)
Basic permissions
The script will set basic permissions by default, which should be sufficient for most users. This allows full read/write access for the www-data user in both the web and acc environment.
It is an effective means to reset permissions quickly without any ill effects. Whilst less complex than advanced permissions, it is also less secure.
To fully understand basic permissions and the implications they have on chmod, you can visualise it like this,
chmod 770 /path/to/file
|||
||└ Permissions for "everyone", this should almost always be set to 0
|└─ Permissions for both acc and web servers
└── Permissions for both acc and web servers
Advanced permissions
Advanced permissions introduce a form of isolation between the www-data user in the acc server and that in the web server by changing the user ID.
Advanced permissions are not enabled per domain-group/vhost, but are instead enabled for all domain-groups/vhosts.
To fully understand advanced permissions and the implications they have on chmod, you can visualise it like this,
chmod 770 /path/to/file
|||
||└ Permissions for "everyone", this should almost always be set to 0
|└─ Permissions for web servers only
└── Permissions for acc servers only
The defaults set by advanced permissions are,
Permission | Path | Type |
---|---|---|
750 | * | Directories |
740 | * | Files |
700 | cron.sh | - |
770 | (media\|var)/* | Directories |
660 | (media\|var)/* | Files |
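A read-only check of a vhost against the defaults in the table above, as an added example that is not part of MageStack or its scripts. It assumes the table's patterns are relative to the directory passed in, that `(media|var)/*` covers everything below media/ and var/ but not those two directories themselves, and that GNU or BusyBox `stat -c` is available; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report paths whose mode differs from the advanced-permission
# defaults listed in the table. It only reads modes and changes nothing.
# Assumption: the table's patterns are relative to the directory given as $1.

# expected_mode KIND RELPATH -> prints the default octal mode for that path.
# KIND is "d" for a directory or "f" for a regular file.
expected_mode() {
    case "$2" in
        media/*|var/*) if [ "$1" = d ]; then echo 770; else echo 660; fi ;;
        cron.sh)       echo 700 ;;
        *)             if [ "$1" = d ]; then echo 750; else echo 740; fi ;;
    esac
}

# audit_perms ROOT -> prints one "actual expected relative-path" line per
# deviation; prints nothing when every path matches the defaults.
# Paths containing newlines are not handled.
audit_perms() {
    root=${1%/}
    for kind in d f; do
        find "$root" -type "$kind" -exec stat -c '%a %n' {} + |
        while read -r mode p; do
            rel=${p#"$root"}
            rel=${rel#/}
            want=$(expected_mode "$kind" "${rel:-.}")
            [ "$mode" = "$want" ] || echo "$mode $want ${rel:-.}"
        done
    done
}

# Stand-alone use: sh audit.sh /path/to/vhost/directory
if [ "$#" -gt 0 ]; then
    audit_perms "$1"
fi
```

Any path that a post-completion hook deliberately loosens will show up in the output, which makes the list a useful record of intentional exceptions.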
Enable advanced permissions
Create the following file,
touch /microcloud/domains/.advanced_permissions_enabled
After which, execute the permissions reset script. The process may take a while, as it involves changing the user ID on all domain-groups/domains on your stack.
domain-group_permfix.sh
Disable advanced permissions
Remove the following file,
rm /microcloud/domains/.advanced_permissions_enabled
After which, execute the permissions reset script,
domain-group_permfix.sh
Using hooks
After the script applies the standard permissions, it may be necessary to execute a post-completion script to correct any permissions for custom modules/applications you have installed.
After the permissions are corrected for each domain, a post-completion bash script is created and executed. You can find it within the respective vhost's directory.
E.g. for example.com
/microcloud/domains/example/domains/example.com/.domain-group_permfix.post.sh
Examples
Basic: Reset permissions for example.com
Change directory to the domain that needs to be repaired and execute the script,
cd /microcloud/domains/example/domains/example.com
/microcloud/scripts_ro/domain-group_permfix.sh
Which results in,
example: example.com
> Creating '.domain-group_permfix.post.sh' post-fix hook script
> Fixing ownership ... OK
> Fixing directory permissions ... OK
> Fixing file permissions ... OK
> Fixing cron permissions ... OK
> Fixing media/var file permissions ... OK
> Fixing media/var directory permissions ... OK
> Running post script ... OK
Advanced: Reset permissions for all domain-groups/vhosts
Execute the script,
/microcloud/scripts_ro/domain-group_permfix.sh
Which results in,
Advanced permissions have been enabled, this will affect all domain groups and domains (not just the specified domain):
- example
Press y, then Enter to continue. At the end of execution, you may be logged out for the changes to be applied properly.
example: example.com
> Creating '.domain-group_permfix.post.sh' post-fix hook script
> Fixing ownership ... OK
> Fixing directory permissions ... OK
> Fixing file permissions ... OK
> Fixing cron permissions ... OK
> Fixing media/var file permissions ... OK
> Fixing media/var directory permissions ... OK
> Running post script ... OK
To complete permission fix, press any key to continue (this may kill your session) ...
Using a post-completion script for WordPress Uploads
For example.com, to allow a WordPress installation in /blog to upload media, populate the completion script,
/microcloud/domains/example/domains/example.com/.domain-group_permfix.post.sh
With the following,
#!/bin/bash
chmod 770 /microcloud/domains/example/domains/example.com/http/blog/wp-content
Then execute domain-group_permfix.post.sh for the respective domain-group/vhost.