I have deployed a project using Capifony and getting an error upon a folder creation. The following code is inside a service. Could be inside a controller, too, doesn't matter.
$dir = $kernelDir . '/../web/newfolder/';// kerneldir is %kernel.root_dir%
$fs=new Filesystem();
$fs->mkdir($dir);
This will try to create a new folder inside web, but will fail.
The problem is the permissions for the web folder:
drwxrwxr-x 11 deploy deploy 4096 Feb 15 14:52 web
deploy is the user that did the deployment on the web server. The web server's user is the default one www-data, but isn't there a problem if I set www-data as the owner of the web directory? That means that everyone can modify everything in web.
I have also tried to create a folder in web/uploads folder and that fails, too.
How can I have www-data create a folder in a folder it doesn't have access to without damaging the security? Do I need to add one of the users to a new group or something? Do I need to modify my deploy file? Do I need to use www-data as the deploy user, instead? What is the way to solve this problem?
Here is also my Capifony file if it helps (I've replaced the domain with a string. The deployment works):
set :application, "test"
set :domain, "domain"
set :deploy_to, "/var/www/html/"
set :app_path, "app"
set :repository, "file:///var/www/testproj"
set :scm, :git
set :branch, "master"
set :ssh_options, {
forward_agent: true,
paranoid: true,
keys: "~/.ssh/id_rsa"
}
set :deploy_via, :rsync_with_remote_cache
default_run_options[:pty] = true
set :user, "deploy"
set :model_manager, "doctrine"
role :web, domain # Your HTTP server, Apache/etc
role :app, domain, :primary => true # This may be the same as your `Web` server
set :keep_releases, 3
set :use_sudo, false
set :clear_controllers, false
set :shared_files, ["app/config/parameters.yml"]
set :shared_children, [app_path + "/logs", web_path + "/uploads", "vendor"]
set :writable_dirs, ["app/cache", "app/logs"]
set :webserver_user, "www-data"
set :permission_method, :acl
set :use_set_permissions, true
# Be more verbose by uncommenting the following line
logger.level = Logger::MAX_LEVEL
set :assets_install, true
set :dump_assetic_assets, true
set :use_composer, true
set :composer_options, "--dev --verbose --prefer-dist --optimize-autoloader --no-progress"
I was thinking something like:
set :shared_children, [app_path + "/logs", web_path + "/uploads", "vendor",web_path + "/newfolder"]
set :writable_dirs, ["app/cache", "app/logs", web_path + "/newfolder", web_path + "/medics"]
And this will result in
drwxrwxrwx+ 4 deploy deploy 4096 Feb 15 15:36 cache
lrwxrwxrwx 1 deploy deploy 36 Feb 15 15:35 logs -> /var/www/html/testproj/shared/app/logs
lrwxrwxrwx 1 deploy deploy 38 Feb 15 15:35 newfolder-> /var/www/html/testproj/shared/web/newfolder
lrwxrwxrwx 1 deploy deploy 39 Feb 15 15:35 uploads -> /var/www/html/testproj/shared/web/uploads
Is it ok if Capifony gives these permissions to these folders?
Create a directory under which you will create directories runtime, e.g.
app/mydirs, and add it to the vcs history.Add the directory to your deployment config:
Change your code to use this directory:
Explanation what it does "automatically":
Uses setfacl to set permissions. It does not change ownership of directories.
The permissions are being applied at deployment time, and affect only directories that already exist.
Security concerns about writable public directories:
Files uploaded by users should never be trusted. Uploading files to public directory unlock many possible vulnerabilities, and must be done with great care. In case of uploaded avatars, it can be resolved by processing images with GD or imagick before writing them down to the public directory.