Installation | Maintenance | Beyond Lino

File permissions

Understanding what’s needed

A Lino production site involves several processes running on a server. These processes share files on the file system, which they can read, create, delete and modify. This is why we need to care about file permissions as soon as we are on a production site with more than one site maintainer.

For example, when Lino’s lino.log file doesn’t exist, then the running process will create a new file. This process can be a maintainer who launches manually e.g. pm prep or pm dump2py, it can be the Apache web server, the linod daemon, a cron job like Configuring logrotate or make_snapshot.sh, …

The files created by any such process must be writeable by other users of the www-data group as well.

One possible cause of problems is when the setgid flag is not set on directories that should have it.

chmod g+s sets the SGID to ensure that when a new file is created in the directory it will be group-owned by the group owning the directory.

Discovering problems

  • Find files and directories that are not group-owned by www-data:

    $ find ! -group www-data

    If this produces some output, you probably want to fix it:

    $ sudo find ! -group www-data -exec chgrp www-data '{}' +

  • Show directories that don’t have the setgid flags set:

    $ find -type d ! -perm /g=s

    If this produces some output, you probably want to fix it:

    $ sudo find -type d ! -perm /g=s -exec chmod g+s '{}' +

  • Show files that are not writable for other group members:

    $ find ! -perm /g=w

    If this produces some output, you probably want to fix it:

    $ sudo find ! -perm /g=w -exec chmod g+w '{}' +

  • Show files that are not readable for other group members:

    $ find ! -perm /g=r

    If this produces some output, you probably want to fix it:

    $ sudo find ! -perm /g=r -exec chmod g+r '{}' +

  • Show directories that are not executable for other group members:

    $ find -type d ! -perm /g=x

    If this produces some output, you probably want to fix it:

    $ sudo find -type d ! -perm /g=x -exec chmod g+x '{}' +

More general diagnostics:

  • Show the permissions of all directories:

    $ find -L env/repositories -type d -exec ls -ld {} + | less

  • Find .pyc files that are not group-writable (but should):

    $ find -name '*.pyc' ! -perm /g=w

Fixing problems

  1. Every maintainer must be member of the www-data group:

    $ sudo adduser $USER www-data

    Note that adduser is a wrapper around the more low-level utility useradd. If called with two non-option arguments, it will add an existing user to an existing group. That’s what we want here.

  2. Your repositories must be group-owned by www-data:

    $ sudo chown -R $USER:www-data ~/repositories

  3. Every user, including the Apache server, must have a umask of 002 or 007 (not the default 022 or 077). See The umask command.