Setting up Directory / File Permissions
glFusion creates several cache files during normal operation, as well as several other files such as RSS feeds and log files. This means glFusion needs sufficient permissions to write to these files. At the same time, leaving the permissions too loose can introduce security risks.
glFusion is executed by PHP, so the PHP process needs to be able to write to these files. The PHP process usually runs with the permissions of the webserver, so the webserver needs to be able to write to these files.
The following directory permissions must be correct (allow writing) for the respective glFusion functions to work:
|private/logs||Log files are created and written here|
|private/data||Cache files are created and written here|
|private/data/layout_cache||Cache files are created and written here|
|private/data/temp||Temporary files (plugin uploads are extracted here) are created and written here|
|private/backups||Database backup files are created here|
|private/plugins||Plugin files are copied here when uploaded through the Plugin Administration page|
|public_html/backend||RSS feed files are created and written here|
|public_html/filemgmt_data/category_snaps||FileMgmt Plugin stores category images here|
The following files are copied by the installation wizard from the respective *.dist files and given the correct permissions for the web process automatically:
Windows (using Microsoft IIS)
To make the files in the public_html/ directory writable you need to give “Write” access to the Internet Guest Account (IUSR_computername) or the appropriate web server group (like IIS_WPG). This is done through the right-click context menu on folders and files, choosing “Properties” and selecting the “Security” tab.
Note: If you are running PHP under IIS6 with the FastCGI module (FastCGI Extension for IIS 6.0), the user account that needs the permissions will most likely be “NETWORK SERVICE” rather than the Internet Guest Account.
For IIS 7/7.5 this will be the application pool's account. It is unclear if you can add this via the GUI. Try the following:
- Enter IIS APPPOOL\YourAppPoolName in the Select User or Groups dialog box which is accessible by clicking Add…
- If this doesn't work, consider using the “Users” group local to the machine. This will generally include the Application Pool account. However, it will include any other account added to this local group on the machine, so if that includes users who you would not normally want to have these permissions, this is a less viable option.
- If you can't find or add the account via the GUI, consider the 'icacls' command line tool: icacls c:\pathtodirectory /grant "IIS AppPool\yourAppPoolName":(OI)(CI)F
  This will grant full control with propagation to the specified directory. For more info, search for ICACLS.
Add this via the GUI: http://technet.microsoft.com/en-us/library/cc771170%28v=ws.10%29.aspx
Note: Check out the web platform installer v3.0 for the necessary components and add IIS:IP and Domain Restrictions (under products)
On Windows Server 2008 R2 Standard with IIS 7.5, this worked:
Add a user as described above with the name: COMPUTERNAME\IUSER_COMPUTERNAME and give them full control. The Full Computer Name is ComputerName.Domain.com and the Computer Name was just ComputerName without the domain. Used the Computer Name rather than the Full Computer Name.
This will apply if you install glFusion on a Linux, MacOS X or other Unix-like system. It is most probably also true for hosted web space.
Note: under Linux, additional file system ACLs (FACLs) may apply; see the commands “getfacl” and “setfacl”. File permissions as described below may be meaningless if the FACLs do not grant the corresponding rights.
File Permissions, a short reminder
This is not the place to explain the UNIX file permission system in detail. See Permissions Tutorial for this. Here is just a short refresher:
- Permissions for a file depend on the file's owner and group and on the user who tries to access the file
- There are permissions for read, write and execute
- Each UNIX process runs with the permissions of an OS user and his/her groups
- The web server is a UNIX process
- PHP usually runs as part of the web server
- glFusion will run with the permissions of the PHP processor
- glFusion needs read, write and execute permissions for directories it needs to create files in
- glFusion needs read and write permissions for files it needs to write to
- glFusion needs read only permissions for files and directories it doesn't need to write to
If you are running on a shared / hosted server, you may need to contact your provider's technical support to find out the owner and group that PHP is executed as.
Here are the most commonly used values for setting permissions on directories and files.
|0600 (files)||0700 (directories)||read/write for owner only. Owner must be the same as the PHP process user.|
|0660 (files)||0770 (directories)||read/write for owner and group. The PHP process user needs to be in the user group.|
|0666 (files)||0777 (directories)||read/write for everyone. Dangerous: everybody with access to the server may write and delete your files. Use only as a last resort on trusted machines.|
Which permissions to set?
So, how should you set the permissions of the directories mentioned above? In general you should set the permissions as restrictively as possible, but there is no general rule for which permissions you need to set on your system.
If you have root (super user rights) you can change the owner of files and directories. This means you can change the owner of the glFusion files to the web server user (e.g. nobody) and set the permissions to webserver only access. E.g. 0600 for files and 0700 for directories.
If you are a normal user you may be a member of the web server group and can change the files to be owned by this group. Then set the files and directories to be writable by this group. E.g. 0660 for files and 0770 for directories.
If you are alone on the server or running in a completely trusted environment you can simply change the permissions to give everyone access. E.g. 0666 for files and 0777 for directories.
If you're running on a shared web server it is recommended to contact your web server administrator or hosting support and ask for help and recommendations. Point them to this page and they should know what you need to do.
Note: Once you have found the correct settings for your directories, you should change the fmode and dmode settings to reflect them.
How to set permissions?
On the command line use chmod for changing permissions, chown for changing the owner of files and dirs and chgrp for changing the group. (Note that chown and chgrp may not be available or function as expected if you use a shared web hosting provider.)
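The following is an added example, not part of glFusion: a shell script that applies the group scheme described above (0770 for directories, 0660 for files) only to the directories listed as needing write access, then lists anything under them that is still world-writable. The function names, the install root layout and the web server group name are assumptions to adapt to your system.

```sh
#!/bin/sh
# Added example, not glFusion code. Directory list taken from the table above.
GLF_WRITABLE_DIRS="private/logs private/data private/data/layout_cache
private/data/temp private/backups private/plugins public_html/backend
public_html/filemgmt_data/category_snaps"

# Apply the group scheme (0770 dirs, 0660 files) to the writable dirs only.
# $1 = install root containing private/ and public_html/ (assumed layout)
# $2 = group the PHP/web server process belongs to (assumption, site-specific)
glf_apply_group_scheme() {
    root=$1; group=$2
    for d in $GLF_WRITABLE_DIRS; do
        if [ ! -d "$root/$d" ]; then
            echo "missing: $root/$d" >&2
            continue
        fi
        chgrp -R "$group" "$root/$d" || return 1
        find "$root/$d" -type d -exec chmod 0770 {} + || return 1
        find "$root/$d" -type f -exec chmod 0660 {} + || return 1
    done
}

# Print every file or directory under the writable dirs that is still
# world-writable (o+w), i.e. left at 0666/0777-style modes.
glf_world_writable() {
    root=$1
    for d in $GLF_WRITABLE_DIRS; do
        if [ -d "$root/$d" ]; then
            find "$root/$d" \( -type d -o -type f \) -perm -0002 -print
        fi
    done | sort -u
}

# Usage: sh glf-perms.sh /path/to/glfusion webgroup
if [ $# -eq 2 ]; then
    glf_apply_group_scheme "$1" "$2" && glf_world_writable "$1"
fi
```

Files outside the listed directories are left untouched, so the rest of the installation keeps whatever read-only permissions it already has.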
When accessing your server through FTP, consult the manual of your FTP program. Most graphical FTP tools have a dialog to set permissions (often to be found in the right-click context menu).