Table of Contents

Filesystem Permission Scheme

Filesystem Permission Scheme

FIS’s instance is hosted on a Linode, where we have full root access and distinct users for each staffer. We may also need to give consultants like Sarah Gladstone filesystem access to a dev site while restricting access to the prod site.

A typical problem in multi-user environments is that one developer’s edits may cause the file to be uneditable by other developers, or unreadable by the web server. This is especially common with CiviCRM caches -- when they are cleared via the UI, attempting to clear them via the command line results in errors, and vice versa.

We address this problem using filesystem ACLs. Filesystem ACLs are masked by traditional filesystem permissions -- e.g., in the case where a file’s permissions have been set via chmod u=r somefile, files ACLs cannot be used to grant a particular user write access. To give ourselves maximum flexibility in defining our ACLs, file ownership is set to nobody:nogroup and permissions are granted broadly, allowing the following configurations to be made via ACL:

  • Group devs is given permission to read and write any file under the web root.
  • User www-data is allowed to read anything under the web root and to write to the files directories.

This snippet from FIS’s custom restage script may be informative.