glFusion Wiki


Setting up Directory / File Permissions

glFusion creates several cache files during normal operation, as well as other files such as RSS feeds and log files. This means glFusion needs sufficient permissions to write to these files. At the same time, leaving the permissions too loose can introduce security risks.

glFusion is executed by PHP, so the PHP process needs to be able to write to these files. The PHP process usually runs with the permissions of the webserver, so the webserver needs to be able to write to these files.

The following directory permissions must be correct (allow writing) for the respective glFusion functions to work:

| Directory | Description |
| --- | --- |
| private/ | |
| private/logs | Log files are created and written here |
| private/data | Cache files are created and written here |
| private/data/layout_cache | Cache files are created and written here |
| private/data/temp | Temporary files (plugin uploads are extracted here) are created and written here |
| private/backups | Database backup files are created here |
| private/plugins | Plugin files are copied here when uploaded through the Plugin Administration page |
| public_html/ | |
| public_html/backend | RSS feed files are created and written here |
| public_html/filemgmt_data/category_snaps | FileMgmt Plugin stores category images here |
| public_html/filemgmt_data/category_snaps/tmp | |
| public_html/filemgmt_data/files | |
| public_html/filemgmt_data/files/tmp | |
| public_html/filemgmt_data/snaps | |
| public_html/filemgmt_data/snaps/tmp | |
| public_html/forum/media | |
| public_html/forum/media/tn | |
| public_html/images | |
| public_html/images/articles | |
| public_html/images/menu | |
| public_html/images/topics | |
| public_html/images/userphotos | |
| public_html/images/library | |
| public_html/images/library/File | |
| public_html/images/library/Flash | |
| public_html/images/library/Image | |
| public_html/images/library/Media | |
| public_html/mediagallery/mediaobjects/covers | |
| public_html/mediagallery/mediaobjects/disp/* | |
| public_html/mediagallery/mediaobjects/orig/* | |
| public_html/mediagallery/mediaobjects/tn/* | |

The following files are copied by the installation wizard from the respective *.dist files and given the correct permissions for the web process automatically:

  • public_html/siteconfig.php
  • private/db-config.php
  • private/system/lib-custom.php

Windows (using Microsoft IIS)

To make the files in the private/ and public_html/ directories writable, you need to give “Write” access to the Internet Guest Account (IUSR_computername) or the appropriate web server group (like IIS_WPG). This is done through the right-click context menu on folders and files by choosing “Properties” and selecting the “Security” tab.

Note: If you are running PHP under IIS6 with the FastCGI module (FastCGI Extension for IIS 6.0), the user account that needs the permissions will most likely be “NETWORK SERVICE” rather than the Internet Guest Account.

For IIS 7/7.5 this will be the application pool's account. It is unclear if you can add this via the GUI. Try the following:

  • Enter IIS APPPOOL\YourAppPoolName in the Select User or Groups dialog box which is accessible by clicking Add…
  • If this doesn't work, consider using the “Users” group local to the machine. This will generally include the Application Pool account. However, it will include any other account added to this local group on the machine, so if that includes users who you would not normally want to have these permissions, this is a less viable option.
  • If you can't find or add the account via the GUI, consider the 'icacls' command line tool: icacls c:\pathtodirectory /grant "IIS AppPool\yourAppPoolName":(OI)(CI)F. This will grant full control with propagation to the specified directory. For more info, google ICACLS.

Add this via the GUI: http://technet.microsoft.com/en-us/library/cc771170%28v=ws.10%29.aspx

Note: Check out the web platform installer v3.0 for the necessary components and add IIS:IP and Domain Restrictions (under products)

Running Windows Server 2008 R2 Standard with IIS 7.5, this worked:
Add a user as described above with the name: COMPUTERNAME\IUSER_COMPUTERNAME and give them full control. The Full Computer Name is ComputerName.Domain.com and the Computer Name was just ComputerName without the domain. Used the Computer Name rather than the Full Computer Name.

Unix

This will apply if you install glFusion on a Linux, MacOS X or other Unix-like system. It is most probably also true for hosted web space.

Note: under Linux, additional file system ACLs (FACL) may apply; see the commands “getfacl” and “setfacl”. File permissions as described below may be meaningless if the FACLs do not grant the corresponding rights.

File Permissions, a short reminder

This is not the place to explain the UNIX file permission system in detail. See Permissions Tutorial for this. Here is just a short refresher:

  • Permissions for a file depend on the file's owner and group and on the user who tries to access the file
  • There are permissions for read, write and execute
  • Each UNIX process runs with the permissions of an OS user and his/her groups
  • The web server is a UNIX process
  • PHP usually runs as part of the web server
  • glFusion will run with the permissions of the PHP process
  • glFusion needs read, write and execute permissions for directories it needs to create files in
  • glFusion needs read and write permissions for files it needs to write to
  • glFusion needs read only permissions for files and directories it doesn't need to write to

If you are running on a shared / hosted server, you may need to contact your provider's technical support to find out the owner and group that PHP is executed as.

Common Permissions

Here are the most commonly used values for setting permissions on directories and files.

| Directories | Files | Result |
| --- | --- | --- |
| 0700 | 0600 | Read/write for owner only. Owner must be the same as the PHP process user. |
| 0770 | 0660 | Read/write for owner and group. The PHP process user needs to be in the user group. |
| 0777 | 0666 | Read/write for everyone. Dangerous: everybody with access to the server may write and delete your files. Use only as a last resort on trusted machines. |

Which permissions to set?

So, how should you set the permissions of the directories mentioned above? In general you should try to set the permissions as restrictive as possible, but there is no general rule which permissions you need to set for your system.

If you have root (super user rights) you can change the owner of files and directories. This means you can change the owner of the glFusion files to the web server user (e.g. www-data or nobody) and set the permissions to webserver only access. E.g. 0600 for files and 0700 for directories.

If you are a normal user you may be a member of the web server group and can change the files to be owned by this group. Then set the files and directories to be writable by this group. E.g. 0660 for files and 0770 for directories.

If you are alone on the server or running in a completely trusted environment you can simply change the permissions to give everyone access. E.g. 0666 for files and 0777 for directories.

If you're running on a shared web server it is recommended to contact your web server administrator or hosting support and ask for help and recommendations. Point them to this page and they should know what you need to do.

Note: Once you have found the correct settings for your directories, you should change the fmode and dmode settings to reflect them.

How to set permissions?

On the command line use chmod for changing permissions, chown for changing the owner of files and dirs and chgrp for changing the group. (Note that chown and chgrp may not be available or function as expected if you use a shared web hosting provider.)
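The group-writable case (0770 for directories, 0660 for files) applied to a few of the directories from the table above, plus a check for anything left world-writable. This is an added example, not part of glFusion or of the original page: the function names are hypothetical, the directory list is a subset of the table, and recursing into subdirectories is an assumption.

```shell
#!/bin/sh
# Added example, not glFusion tooling. Directory names come from the table on
# this page (subset; extend as needed). Function names are hypothetical.
GLF_WRITABLE_DIRS="private/logs private/data private/backups private/plugins
public_html/backend public_html/images public_html/forum/media
public_html/mediagallery/mediaobjects/covers"

# apply_group_perms ROOT [GROUP]
# Sets 0770 on each listed directory tree and 0660 on the files inside it.
# Recursing into subdirectories is an assumption of this example.
# GROUP (optional) is the web server's group; changing it may need root.
apply_group_perms() {
    root=$1 group=${2:-}
    for rel in $GLF_WRITABLE_DIRS; do
        dir="$root/$rel"
        # A directory absent from this install is reported and skipped.
        [ -d "$dir" ] || { echo "skip (missing): $rel" >&2; continue; }
        [ -z "$group" ] || chgrp -R "$group" "$dir"
        find "$dir" -type d -exec chmod 0770 {} +
        find "$dir" -type f -exec chmod 0660 {} +
    done
}

# list_world_writable ROOT
# Prints every file or directory that "other" can write to, i.e. what the
# 0777/0666 setting produces. Empty output means nothing is world-writable.
list_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 -print
}
```

Run `list_world_writable /path/to/glfusion` before and after `apply_group_perms /path/to/glfusion yourgroup` to confirm that nothing under the install is left writable by everyone.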

When accessing your server through FTP, consult the manual of your FTP program. Most graphical FTP tools have a dialog to set permissions (often to be found in the right-click context menu).

Permissions are the top support issue. Always check your permissions first if you run into installation problems.
glfusion/installation/permissions.txt · Last modified: 2017/04/12 21:11 (external edit)
