
Symfony 2, Ubuntu and ACL

Here is another "keep this in memory" memento. I encountered some noob issues when first deploying a Symfony app to a production server. It was a file permissions problem on Ubuntu. Here is how I fixed it.

The first thing to do is to get ACL

First you need to install the ACL package, preferably through your package manager (apt-get on Ubuntu). To do so, type the following command in a terminal:

$ sudo apt-get install acl

Then you'll need to enable ACL on the mounted disk. To do that, edit the /etc/fstab file:

$ sudo nano /etc/fstab

Find the line in the file that corresponds to the mounted disk on which your files are stored. Most of the time it is the / one. Here is what the fstab looks like:

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    nodev,noexec,nosuid 0       0
# / was on /dev/sda2 during installation
UUID=b81dcc05-dbcd-4672-b0b3-00b584664050 /               ext4    errors=remount-ro,acl 0       1
# /boot was on /dev/sda1 during installation
UUID=e3afd08c-78ed-4484-bebb-d2879a4f592e /boot           ext4    defaults        0       2
# swap was on /dev/sda3 during installation
UUID=d26a3e9a-3d03-45b9-ba37-b374bff1fda1 none            swap    sw              0       0

You'll have to add the acl option to the mounted disk, as shown on the / line of the example.

Then, remount the partition to have the new options take effect, and you're done.

$ sudo mount -o remount /

Modify the Ubuntu file permissions for your folders

With ACL enabled for your partition, we can now solve our problem using three ingenious Linux tricks.

First we change the group ownership of our directories, so that they are owned by the www-data group.

$ sudo chown -R :www-data app/cache app/logs

Then we set the setgid bit on them. This ensures that new files and directories created inside them automatically get the same group as their parent.

$ sudo chmod g+s app/cache app/logs

By default, new files and directories are not writable by their group owner, so the last piece of our puzzle is to use the previously enabled ACL to change that.

$ sudo setfacl -dR -m g::rwX app/cache app/logs

Final script for a from-scratch deployment

Here is the final script, depending on the folders you have. You should at least have app/cache and app/logs folders:

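#!/bin/sh
# Space-separated list of directories the web server must be able to write to
FOLDERS="app/cache app/logs web/uploads web/cache"
# Give the directories (recursively) to the www-data group
sudo chown -R :www-data $FOLDERS
# setgid bit: new entries inherit the directory's group
sudo chmod g+s $FOLDERS
# Default ACL: new files and directories are group-writable
sudo setfacl -dR -m g::rwX $FOLDERS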

Feel free to add or delete paths in the FOLDERS variable according to your needs.
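
To check that the steps above actually took effect, here is an audit script added as an example (it is not part of the original post). The function names are hypothetical, and stat -c assumes GNU coreutils as shipped on Ubuntu.

```shell
#!/bin/sh
# Added example: audit the ACL setup described in this post.
# Function names are hypothetical; stat -c assumes GNU coreutils (Ubuntu).

# fstab_has_acl FSTAB MOUNTPOINT
# Succeeds if the fstab entry for MOUNTPOINT lists "acl" in its options.
fstab_has_acl() {
    awk -v mp="$2" '
        $1 ~ /^#/ || NF < 4 { next }   # skip comments and malformed lines
        $2 == mp {
            n = split($4, opts, ",")   # exact match, so "noacl" does not count
            for (i = 1; i <= n; i++) if (opts[i] == "acl") found = 1
        }
        END { exit !found }
    ' "$1"
}

# dir_is_shared DIR GROUP
# Succeeds if DIR is group-owned by GROUP, has the setgid bit set and,
# when getfacl is installed, carries a default ACL giving the group rwx.
dir_is_shared() {
    [ -d "$1" ] || return 1
    [ "$(stat -c %G "$1")" = "$2" ] || return 1
    [ -g "$1" ] || return 1
    if command -v getfacl >/dev/null 2>&1; then
        getfacl -p "$1" 2>/dev/null | grep -q '^default:group::rwx' || return 1
    fi
    return 0
}

# audit FSTAB GROUP DIR...
# Prints one line per check and returns non-zero if any check failed.
audit() {
    fstab=$1 group=$2 rc=0
    shift 2
    if fstab_has_acl "$fstab" /; then
        echo "ok   acl option set on /"
    else
        echo "FAIL acl option missing on /"; rc=1
    fi
    for d in "$@"; do
        if dir_is_shared "$d" "$group"; then
            echo "ok   $d"
        else
            echo "FAIL $d (group, setgid bit or default ACL)"; rc=1
        fi
    done
    return $rc
}
```

Run it from the project root as: audit /etc/fstab www-data app/cache app/logs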