Symfony2 file permissions in Ubuntu

The installation section of The Book has a section on setting up permissions. This walks through the process of setting up the cache and log directories so that both you and your webserver may modify their contents.

It says to first try and use chmod because that is, it claims, how most systems controls their ACLs. This is only true for Mac OSX however. For Linux we use setfacl instead.

Install and enable ACL

First you need to install ACL, preferrably through your package manager; apt-get on Ubuntu, pacman on Arch, yum on Fedora, etc:

$ sudo apt-get install acl

Then you edit your /etc/fstab to enable ACL for your partition. Simply add acl to the list of options.

/dev/sda1 / ext4 rw,auto,acl 0 1

Then lastly remount the partition to have the new options take effect.

$ sudo mount -o remount /

Linux file permissions

With ACL enabled for your partition, we can now solve our problem using three ingenious Linux tricks.

First we change the ownership of our directories, so that they are owned by our www-data group.

$ sudo chown -R :www-data app/cache app/logs

Then we set a sticky guid on them. This ensures that new files and directories are automatically owned by the same group as their parent.

$ sudo chmod g+s app/cache app/logs

Per default new files and directories are not writable by their group owner and so the last piece of our puzzle is to use the previously enabled ACL to change that.

$ sudo setfacl -dR -m g::rwX app/cache app/logs

Encrypted home directory

When I installed Ubuntu I opted in to use the “encrypt home directory” feature. This makes use of eCryptFS and it turns out this file system lacks support for ACL.

So what is a tin foil, Ubuntuist, Symfonian hatter to do?

The solution I used was to set up a /symfony/project-name directory, in which I created a cache and a log directory. Then I symlinked these to the project in my home directory.

$ ln -s /symfony/nogfx/cache /home/tobias/projects/nogfx/app/cache
$ ln -s /symfony/nogfx/log /home/tobias/projects/nogfx/app/log

Because they actually exist in my root partition I can easily enable ACL for them, while reaping the benefits of using Symfony CLI on my encrypted home!

Published