I have a Dokuwiki installation locally, which I regularly sync to my server with rsync. I'm also going to give a friend of mine an ssh account, and host his public Dokuwiki installation. However, I'm having a problem with access permissions – even though the mirror is read-only, Dokuwiki still needs write-permissions to the data directory for cache etc. The Apache server runs as user www-data, and every time I do a rsync, it resets permissions.
Based on some other answers on this site, I tried using setfacl to set default permissions, but it doesn't seem to work – getfacl indicates that the permissions exist, but Dokuwiki won't run, and when I try to write a file as user www-data, it also doesn't work. What am I missing?
wiki/data$ sudo su www-data
$ pwd
/var/www/wiki/data
$ whoami
www-data
$ touch hi
touch: cannot touch `hi': Permission denied
$ getfacl /var/www/wiki/data
getfacl: Removing leading '/' from absolute path names
# file: var/www/wiki/data
# owner: stian
# group: admin
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:www-data:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
Here's the command I used to set the permissions:
setfacl -R -d -m u:www-data:7 /var/www/*
Best Answer
Issue #1: Rsync is dropping ACLs
After applying the ACL permissions you need to take care that when you perform your rsync that you're using either the -A or --acls switch. This instructs rsync to make sure to preserve these when doing the sync.
Excerpt from rsync man page:
Issue #2: No ACL permissions
In looking at your example it does contain permissions as follows.
Traditional perms:
ACLs:
But these ACLs are for the creation of new objects, and don't work exactly the way you think. You need to still create an entry for user www-data in addition to the default ACL perms.
Example:
An experiment
Now let's try and write a file to the data directory as user gopher.
Look familiar?
Adding additional ACL permissions
It's because you need to add an ACL for the user www-data; the default rules aren't for access, they're for creating new files/directories.
Now check the data directory again:
The only difference is that we now have an ACL saying that user gopher has rwx access:
Repeat the experiment
Try writing data to the directory again:
It worked!!! Double check the resulting file:
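As an added example (not part of the question or the answer above), a small audit script that parses getfacl output and flags exactly the misconfiguration shown in the question: a named user or group that has only a default: entry, so new files would inherit access but the directory itself stays unwritable. The getfacl text is constructed from the question; the leading slash it re-adds assumes getfacl was run on an absolute path, as in the question.

```python
from typing import Dict, List, Tuple

# Constructed getfacl output modelled on the question: a default ACL for
# www-data exists, but there is no access ACL entry for www-data.
SAMPLE_GETFACL = """\
# file: var/www/wiki/data
# owner: stian
# group: admin
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:www-data:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
"""

def parse_getfacl(text: str) -> Tuple[str, Dict[str, str], Dict[str, str]]:
    """Return (path, access_entries, default_entries); keys look like 'user:www-data'."""
    path, access, default = "", {}, {}
    for line in text.splitlines():
        line = line.split("#effective:")[0].strip()  # drop mask-effective annotations
        if not line:
            continue
        if line.startswith("# file:"):
            path = line.split(":", 1)[1].strip()  # getfacl strips the leading '/'
            continue
        if line.startswith("#"):
            continue
        is_default = line.startswith("default:")
        body = line[len("default:"):] if is_default else line
        tag, qualifier, perms = body.split(":")  # e.g. user, www-data, rwx
        (default if is_default else access)[f"{tag}:{qualifier}"] = perms
    return path, access, default

def find_default_only_entries(access: Dict[str, str], default: Dict[str, str]) -> List[str]:
    """Named users/groups with a default entry but no matching access entry."""
    return sorted(k for k in default
                  if k.split(":")[0] in ("user", "group") and k.split(":")[1]
                  and k not in access)

def suggest_fix(path: str, missing: List[str], default: Dict[str, str]) -> List[str]:
    """setfacl commands adding the missing access entries with the same perms as the default.
    Assumes the audited path was absolute, so the leading '/' is restored."""
    abbrev = {"user": "u", "group": "g"}
    return [f"setfacl -m {abbrev[k.split(':')[0]]}:{k.split(':')[1]}:{default[k]} /{path}"
            for k in missing]
```

Running the checker on the question's ACL listing reports user:www-data as default-only and suggests the single access-ACL command the answer arrives at; after that entry is added, the listing passes.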