Resolving issues with content created by apache/php

Plesk content within a specific domain should all be owned by (domain user):psacln; however, many CMSes create content via PHP as apache:apache, which can lead to issues. Unfortunately, there is no good, clean "fix" for this that I'm aware of (other than setting up PHP in suexec mode, which opens a whole new "can of worms"). A solution that I have used to great success in the past is setting up file ACLs for the appropriate domain user on each domain.

E.g., if you have a domain example.com with user exampleuser, you can do the following.

First, if ACL support is not enabled on the appropriate partition, you will need to enable it. You can edit the mount options in /etc/fstab to include "acl" and remount, e.g.:

/dev/hda2               /                       ext3    defaults,acl    1 1

Then set the appropriate ACLs:
setfacl -m u:exampleuser:rwx -R /home/httpd/vhosts/example.com/httpdocs
setfacl -d -m u:exampleuser:rwx -R /home/httpd/vhosts/example.com/httpdocs
setfacl -m u:exampleuser:rwx -R /home/httpd/vhosts/example.com/httpsdocs
setfacl -d -m u:exampleuser:rwx -R /home/httpd/vhosts/example.com/httpsdocs

What this will do is create an ACL allowing full access to exampleuser on all files and directories in the httpdocs and httpsdocs directories for this domain AND create a default ACL for this user in those directories (and subdirectories) so that any new content created within will inherit this ACL. In short: exampleuser should have full access to all files within the httpdocs and httpsdocs directories, even when new files are created owned by apache:apache!

What if there are multiple domains, or you don't feel like typing out these wonderful commands? Well, it's your LUCKY DAY, because I wrote a script that will set up these ACLs on every domain on a Plesk box automagically. You may find it here or just copy/paste:

#!/bin/bash
# for each domain directory (vhost directory names contain a dot)
for dir in /home/httpd/vhosts/*.*/
do
    # skip anything that is not a domain with a document root
    [ -d "${dir}httpdocs" ] || continue
    domain=$(basename "$dir")
    # get the username for the directory (owner of httpdocs)
    user=$(stat -c %U "${dir}httpdocs")
    for docroot in httpdocs httpsdocs
    do
        # some domains have no httpsdocs directory
        [ -d "$dir$docroot" ] || continue
        # set up the acls
        echo "Setting file acls for $user on $domain/$docroot"
        setfacl -m "u:$user:rwx" -R "$dir$docroot"
        setfacl -d -m "u:$user:rwx" -R "$dir$docroot"
        setfacl -d -m g:psacln:rx -R "$dir$docroot"
    done
# profit
done
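
A check to run after the commands or the script above, added here as an example and not part of the original post: when a CMS calls chmod on a file it created, the ACL mask is rewritten, and the mask caps the named-user entry, so exampleuser can hold rwx in the ACL and still be unable to write. The function name acl_gaps and the sample getfacl output are constructed for illustration.

```shell
# Added example. Reads `getfacl -R --absolute-names DIR` output on stdin and prints
# "STATUS<TAB>PATH" where the entry for user $1 is missing or masked below rw.
acl_gaps() {
    awk -v user="$1" '
        function flush(   k, c, eff) {
            if (path == "") return
            if (perm == "") { print "missing\t" path; return }
            for (k = 1; k <= 3; k++) {          # effective = entry AND mask
                c = substr(perm, k, 1)
                eff = eff ((substr(mask, k, 1) == c) ? c : "-")
            }
            if (eff !~ /^rw/) print "masked:" eff "\t" path
        }
        /^# file: /         { flush(); path = substr($0, 9); perm = mask = ""; next }
        /^#/ || /^default:/ { next }            # owner/group headers, default ACL
        { sub(/[ \t]*#.*/, ""); n = split($0, f, ":") }
        n == 3 && f[1] == "user" && f[2] == user { perm = f[3] }
        n == 3 && f[1] == "mask"                 { mask = f[3] }
        END { flush() }
    '
}

# Constructed, abridged getfacl output: one healthy file, one file the CMS
# chmod-ed after upload (mask r--), one file created before the ACLs existed.
sample_getfacl() {
cat <<'EOF'
# file: /home/httpd/vhosts/example.com/httpdocs/index.php
# owner: exampleuser
user::rw-
user:exampleuser:rwx
group::r--
mask::rwx

# file: /home/httpd/vhosts/example.com/httpdocs/uploads/a.jpg
# owner: apache
user::rw-
user:exampleuser:rwx  #effective:r--
group::r-x  #effective:r--
mask::r--

# file: /home/httpd/vhosts/example.com/httpdocs/cache/old.html
# owner: apache
user::rw-
group::r--
EOF
}
sample_getfacl | acl_gaps exampleuser
```

Paths reported as masked need their mask raised again (for example by re-running the setfacl -m command), and paths reported as missing never received the ACL at all.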

Submitted by jkelly on Fri, 2006-09-01 08:10.