Drupal and file permissions challenges when using selinux


Twice now I've run into this class of problem and so I'm documenting it here for my future self and anyone else with a similar problem.

Most recently, a server I manage was generating a rather baffling error, seemingly randomly:

Warning: file_put_contents(temporary:///.htaccess) [function.file-put-contents]: failed to open stream: "DrupalTemporaryStreamWrapper::stream_open" call failed in file_create_htaccess() (line 498 of /[documentroot]/includes/file.inc).

Baffling because apache (and pretty much any other process on a linux server) has access to read and write to the /tmp directory, and extra baffling because the file was there, created.

It seemed to be mostly when editing, but not uniquely. After doing a stack trace, I discovered this about file management in Drupal:


  1. As a security measure, Drupal checks for an .htaccess file in all directories it writes to.
  2. That includes the temporary directory [which is good, because sometimes that directory is inside the web document root].
  3. Which means it's going to write a .htaccess file to your /tmp directory, if you use the default temporary directory setting in unix.


All that is well and good unless you're running selinux, which this server is. In this case, it's also using fcgi, which means the selinux rules are a little less standard and prone to issues.

Conclusions:


  1. When you've got confusing file permission errors, check the /var/log/audit directory. If you don't know what I'm talking about, check http://wiki.centos.org/HowTos/SELinux
  2. The key for this error was looking at the .htaccess file with the ls -Z command. The -Z option tells you about the extra selinux file settings.
  3. To fix my version of the error, I used this:


chcon -v --type=httpd_sys_content_t /tmp/.htaccess

i.e. changing the selinux "type" solved it.
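
As an added example (not part of the original post), the shell function below covers the first check in the list above: it reads audit-log text and summarises each SELinux AVC denial as process, permission, object, and source and target type. The sample log lines, including the `php-cgi` process name and the `tmp_t` and `user_tmp_t` types, are constructed for illustration and are not taken from the server described here.

```shell
#!/usr/bin/env bash
# Added example: summarise SELinux AVC denials found in audit-log text.

# Constructed sample input (not real log data from the post).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1400000000.101:512): avc:  denied  { write } for  pid=2211 comm="php-cgi" name=".htaccess" dev=dm-0 ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1400000000.101:512): arch=c000003e syscall=2 success=no exit=-13 comm="php-cgi"
type=AVC msg=audit(1400000000.230:513): avc:  denied  { write } for  pid=2211 comm="php-cgi" name=".htaccess" dev=dm-0 ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1400000050.007:520): avc:  denied  { getattr } for  pid=2300 comm="httpd" path="/tmp/upload1" dev=dm-0 ino=140 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
EOF
}

# Reads audit records on stdin and prints one line per distinct denial:
#   <count> <comm> <perms> <name-or-path> <source type> -> <target type>
summarize_avc() {
  awk '
    function strip(f) { sub(/^[^=]*=/, "", f); gsub(/"/, "", f); return f }
    # The SELinux type is the third colon-separated part of a context.
    function setype(f,  p) { sub(/^[^=]*=/, "", f); split(f, p, ":"); return p[3] }

    /type=AVC/ && /denied/ {
      perm = "?"; comm = "?"; obj = "?"; src = "?"; tgt = "?"
      for (i = 1; i <= NF; i++) {
        if ($i == "{") {
          # Collect every permission listed between the braces.
          perm = ""
          for (j = i + 1; j <= NF && $j != "}"; j++)
            perm = perm (perm == "" ? "" : ",") $j
        }
        else if ($i ~ /^comm=/) comm = strip($i)
        else if ($i ~ /^(name|path)=/) obj = strip($i)
        else if ($i ~ /^scontext=/) src = setype($i)
        else if ($i ~ /^tcontext=/) tgt = setype($i)
      }
      count[comm " " perm " " obj " " src " -> " tgt]++
    }
    END { for (k in count) print count[k], k }
  ' | sort
}

# Stand-alone run against the constructed sample.
sample_audit_log | summarize_avc
```

On a real server, run `summarize_avc < /var/log/audit/audit.log` as root and compare the target type it reports with what `ls -Z` shows for the file. A label set with `chcon` does not survive a filesystem relabel (`restorecon`), so it may need reapplying if the file is relabelled.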
