conflicting ftp guid user and www-data group permissions

[steve_adams]

I have a froxlor installation on an existing server that's causing isses with display of the site through apache. After I installed froxlor on the existing site and migrated the existing apache document root to the first customer guid user and group ownership (chown -R 10000.10000 /web/root ) from the default www-data user and group ownership, the web site displays a 403 forbidden error.

 

If files are FTP'd up for changes they are owned by the guid group and not the www-data group, which perpetuates the 403 forbidden errors. However, the second customer's files and web root (guid 10001) display just fine via apache.

 

I'm assuming somehow the first customer did not get associated with the www-data group? How to correct this?

[d00p]

I don't really understand what you did...sorry. Please give more detailed explanations and name your directories and especially your setup (services, php-interface, etc.)

[steve_adams]

I installed Froxlor on top of an existing Drupal web site on Ubuntu 12.04 using PHP 5.3 and Apache2. I configured a customer and a domain with the web root for the Drupal site set to /home/customer. Once I replaced the default apache site with the the Froxlor apache config files I then changed the user.group for entire the web root from Ubuntu's www-data.www-data to the customer's guid 10000.10000. This broke the apache config so that the entire site yeilds "forbidden" 403 apache errors.

 

The issue appears to be an issue with the guid 10000 not having group permissions with the www-data group. I can verify this because I have since chown'ed the entire web root to user 10000 and group www-data (10000.www-data) and the 'forbidden, 403' errors disapear.

 

It would not be an issue if it weren't for FTP, because the pro-ftpd configuration writes files to the server as the 10000 guid user.group and that breaks the site!

So, I guess I either need to change the FTP user to write to the www-data group OR correct the guid to be a member of the www-data group.

 

Confusing, I know!

[d00p]

1) did you specify the customers-webroot to be /home/ ?

2) what php-interface are you using? mod_php4, fcgid or php-fpm?

3) what is the "entire web root"? you mean /var/www/ ? I thought the website is in /home/customer?

[steve_adams]

1) customer web root is /home/customer-name/

 

2) output of apachectl -t -D DUMP_MODULES
Loaded Modules:
 core_module (static)
 log_config_module (static)
 logio_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 actions_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 authn_file_module (shared)
 authz_default_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cgi_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 fcgid_module (shared)
 include_module (shared)
 mime_module (shared)
 negotiation_module (shared)
 perl_module (shared)
 php5_module (shared)
 reqtimeout_module (shared)
 rewrite_module (shared)
 ruby_module (shared)
 setenvif_module (shared)
 ssl_module (shared)
 status_module (shared)
 suexec_module (shared)
 suphp_module (shared)
 

3) I mean, I have 2 customers...both of their web document roots are in /home...so /home/customerone and /home/customertwo. First one is recursively chown 10000.10000 so that 'the entire web root' below and all the files and subfolders are owned by the guid that yeilds 403 errors. The other customer is recursively chown 10001.10001 in a simiar fashion and works fine in the browser

[d00p]

1) i didn't mean a specific customer's docroot but the directory you specified to be the customers-ROOT-directory (default is /var/customers/webs). You need to tell froxlor the directories.

2) that doesnt help much. Just say if you enabled FCGID or PHP-FPM in Froxlor

3) wait, now the problem is only with ONE customer?

 

please, be MORE SPECIFIC...it's just a back and forth now

[steve_adams]

1) yes, I specified /home/ as the customer's web root in system settings

2) neither fcgid nor php-fpm are activated

3) yes, the problem is only with one customer...the original and only customer on the active server when I installed froxlor on top of the control panel-less server. I added the other customer after installing froxlor. I did this by renaming the customers' /home/customer web root to /home/temp, creating the customer in the froxlorbackend, removing the /home/customerone created by froxlor, renaming /home/temp to /home/customerone, chown -R 10000.10000 /home/customerone.

 

Previously this /home/customerone was chown -R www-data.www-data. When I restore those permissions the site functions correctly...but editing any of the files or making changes via ProFTPD causes the edited or new files to inherit 10000.10000 ownership and deliver 403 errors in apache. I currently have that /home/customerone directory recursively owned by 10000.www-data and it functions as expected...so it would appear it's only the group guid I'm having issues with.

 

Specific enough?

[d00p]

So, why dont you just check what permissions customer-two has and do the same for customer-one?!

[steve_adams]

I have done that...and that's what breaks the site!

[d00p]

Well sorry then. Something else must be wrong there - froxlor is not the problem

[steve_adams]

FYI, I have resolved the issue with the following actions:

 

1) re-chown-ed the customer's domain web root recurseively with the guid (chown -R 10000.10000 /home/customer)

2) edited internal web root file and folder permissions (find /home/customer/ -type d -exec chmod 755 {} \; and find /home/customer/ -type f -exec chmod 644 {} \

3) edited the apache directory opions in the httpd.conf to allow the rewite conditions per Drupal's requirements as follows:

<Directory /home/customer/>
   RewriteEngine on
   RewriteBase /
   RewriteCond %{REQUEST_FILENAME} !-f
   RewriteCond %{REQUEST_FILENAME} !-d
   RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
#  Options FollowSymLinks MultiViews
   AllowOverride None
   Order allow,deny
   allow from all
</Directory>