From: Osullivan L. <L.O...@sw...> - 2013-06-19 14:09:56
Hi Folks,

I've eventually managed to get some settings which appear to work for me. The only query I have is: are the permissions in config.ini a little broad? I found that it was necessary to use 776 to enable the archives user to traverse and update directories created by the webserver user...

VuFind User = archives
Web Server = www-data

archives is in the www-data group:
uid=1002(archives) gid=1002(archives) groups=1002(archives),27(sudo),33(www-data)

config.ini
umask = 002
dir_permission = 0776
file_permission = 666

local/cache
drwxrwsr-x 6 www-data archives 4096 Jun 19 15:01 cache/

Sample Cache File
-rw-rw-r-- 1 www-data www-data 9369 Jun 19 15:00

Thanks,
Luke

On 06/19/2013 02:48 PM, Tod Olson wrote:

That sort of depends on your sysadmin style. Here, I do everything as user "tod", and everyone else working on VuFind uses their own logins. So we have a "vufind" group that we all belong to which has all of the group perms in each instance. If more than one person will be working in a particular VuFind instance at the same time, we can also log in as user "vufind" (ssh public key only, no password) for the purposes of starting and stopping the jetty process. Sudo would be another way to address this. Some sysadmins prefer a 'tod-admin' approach, which would have root-like permissions, but that's not the local inclination. And our production instance will be housed by central IT, and they tend towards sudo for anything administrative.

Best,
-Tod

On Jun 19, 2013, at 8:33 AM, Osullivan L. <L.O...@sw...> wrote:

So, would you have different users for vufind ownership or would you just add them to multiple groups?

Thanks,
Luke

On 06/19/2013 02:27 PM, Tod Olson wrote:

I agree completely. And Demian points out something I neglected to mention in my writeup: we set a default umask of 002 for users on these hosts. That's pretty important.
-Tod

On Jun 19, 2013, at 8:09 AM, Demian Katz <dem...@vi...> wrote:

I think it makes sense to make the users running VuFind CLI tools members of the www-data group for cache permission purposes. Also, if you find that the cache isn't getting the permissions you think it should, check your umask setting; sometimes the default is very restrictive and prevents write access from being assigned at the group level.

- Demian

From: Osullivan L. [mailto:L.O...@sw...]
Sent: Wednesday, June 19, 2013 8:57 AM
To: Tod Olson; vuf...@li...
Subject: Re: [VuFind-Tech] Write Permissions

Hi Tod,

I've been having a play about with permission settings and can't seem to get things right. Hopefully, if you have time, you could offer some further advice?

The situation is slightly complicated as I'm running three versions of VuFind2 on our test server. Each has its own user: cronfa, archives and ifind. For each user, I export the VUFIND_HOME and VUFIND_LOCAL_DIR in .bashrc so that when I run things like ./vufind.sh start, the correct variables are loaded.

Here are our cache settings:

[Cache]
; Set time to live value for Zend caches (in seconds), 0 means maximum possible.
;ttl = 0
; This setting can be used to force caching in a specific location other than the
; default location inside the local settings directory. This directory must exist
; and be writable by the web server.
;cache_dir = "local/cache/"
; Override umask for cache directories and files.
;umask = 022
; Permissions for Zend-created cache directories and files, subject to umask
; Default dir_permission seems to be 0700.
dir_permission = 0766
; Default file_permission seems to be 0600.
file_permission = 666

Here are the details for our /usr/local/archives

drwxr-Sr-- 4 www-data archives 4096 Jun 19 13:46 languages/
-rw-r--r-- 1 www-data archives    2 Jun 19 13:46 lcc-list.json
drwxr-Sr-- 2 www-data archives 4096 Jun 19 13:46 objects/
drwxr-Sr-- 3 www-data archives 4096 Jun 19 13:46 searchspecs/

and here's the searchspecs directory

sudo ls -alF searchspecs/zfcache-21
total 20
drwxrw-rw- 2 www-data archives 4096 Jun 19 13:46 ./
drwxr-Sr-- 3 www-data archives 4096 Jun 19 13:46 ../
-rw-rw-rw- 1 www-data www-data 9369 Jun 19 13:46 zfcache-3958bdbb87e491c0eb30f8c45e4198b6.dat

The issue here is that files created when vufind is running are assigned "www-data:www-data". Similarly, when I am logged in as archives and try to run a command like php util/createHierarchy.php, the files are assigned archives:archives.

Is your solution to make the www-user part of the archives group using something like:

sudo adduser www-data archives

Could I then do the same thing for the other vufind users I have, like cronfa and ifind?

Thanks,
Luke

On 06/17/2013 02:15 PM, Tod Olson wrote:

The problem is that your web server and your logins both need write access to local/cache. And world-writable directories are evil. I submitted some changes a while ago to allow some ZFS cache configuration exactly for this reason. Here's what we do.
At installation time, we set $VUFIND_HOME to be owned and sgid vufind, and all of our individual logins are in the vufind group:

magma% pwd
/usr/local/vufind
magma% ls -ld
drwxrwsr-x 17 tod vufind 37B Jun 14 15:34 ./

Then after unbundling, but before making any web interaction, we chown local/cache to www, the web server user:

magma% ls -ld local/cache
drwxrwsr-x 6 www vufind 7B Jun 13 20:18 local/cache/
magma% ls -l local/cache
total 10
drwxr-sr-x 3 www vufind 3B Jun 13 20:18 covers/
drwxrws--- 4 www vufind 4B Jun 14 15:37 languages/
drwxrws--- 3 www vufind 3B Jun 14 15:36 objects/
drwxrws--- 2 www vufind 2B Jun 14 15:36 searchspecs/

This lets the web server write the caches and such, but we can blow away the ZFS caches as needed. Just make sure your settings under the [Cache] section of config.ini specify the permissions you want. You can also see that local/cache/covers doesn't follow those settings; IIRC, they don't use ZFS caching. That's not been a problem for us yet, so I've not patched it.

-Tod

On Jun 17, 2013, at 5:03 AM, Osullivan L. <L.O...@sw...> wrote:

Hi Folks,

What are the best permission sets to use for the local/cache directory? When attempting to re-index or generate hierarchy trees, I get error messages like:

Zend\ServiceManager\Exception\ServiceNotCreatedException
An exception was raised while creating "Solr"; no instance returned

and

'Cache directory '/usr/local/vufind2/local/cache/searchspecs' not writable'

presumably because the owner of the directory is apache.

On a related note, is it possible to run multiple versions of VuFind2 on the same server? I can change the solr settings to create different solr instances, but when it comes to indexing etc., as the local directory is set as an environment variable, it is the same for every instance. I suppose the solution is to use a different user for each instance?
Again, if this is the case, I won't be able to use the sudo command for indexing etc., so will need to sort out the permission sets.

Thanks,
Luke

--
Luke O'Sullivan
Systems Developer
Web Team
Swansea University, Singleton Park, Swansea SA2 8PP, UK
l.o...@sw...
01792 602772
@l_os_cymru

_______________________________________________
Vufind-tech mailing list
Vuf...@li...
https://lists.sourceforge.net/lists/listinfo/vufind-tech
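The scheme the thread converges on (group-owned, setgid local/cache with umask 002, and nothing writable by "other") can be checked mechanically. The script below is an added example, not code from the thread or from the VuFind project: it shows how config.ini's dir_permission/file_permission are narrowed by the umask, builds a throwaway cache tree with the recommended bits, and audits it for world-writable entries. It assumes a Linux host with GNU stat and find, and runs as one ordinary user, so the tree keeps the caller's primary group instead of the www-data/vufind groups from the thread.

```shell
#!/bin/sh
# Added example (not from the VuFind thread or project). Assumes GNU stat/find
# and a single ordinary user: the caller's primary group stands in for the
# thread's www-data / vufind groups.

# Effective mode once the umask is applied, e.g. effective_mode 0776 002 -> 774.
# Demian's point: with the common default umask of 022 the group write bit is lost.
effective_mode() {
  printf '%o' $(( 0$1 & ~0$2 ))
}

# Create $1/local/cache as rwxrwsr-x (2775): group-writable, setgid so everything
# created underneath inherits the group, and no write access for "other".
make_shared_cache() {
  mkdir -p "$1/local/cache"
  chmod 2775 "$1/local/cache"
  # Simulate the web server / CLI tools writing into the cache with umask 002:
  # new directories come out 2775 (setgid inherited), new files 664.
  (
    umask 002
    mkdir "$1/local/cache/searchspecs"
    : > "$1/local/cache/searchspecs/zfcache-constructed.dat"   # constructed sample file
  )
}

# Octal mode of a path, including the setuid/setgid/sticky digit (GNU stat).
mode_of() {
  stat -c '%a' "$1"
}

# Tod's rule: world-writable directories are evil. Returns 1 and lists the
# offenders if anything under $1 grants write access to "other".
audit_world_writable() {
  offenders=$(find "$1" -perm -o+w)
  if [ -n "$offenders" ]; then
    printf 'world-writable entries under %s:\n%s\n' "$1" "$offenders"
    return 1
  fi
  return 0
}

# Demonstration on a throwaway directory: the 2775 tree passes; forcing the
# thread's 0776 onto local/cache makes the audit fail.
demo=$(mktemp -d)
make_shared_cache "$demo"
audit_world_writable "$demo" && echo "clean: local/cache is $(mode_of "$demo/local/cache")"
chmod 0776 "$demo/local/cache"
audit_world_writable "$demo" || echo "0776 grants write to everyone; 2775 is enough"
rm -rf "$demo"
```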