Drupal and file permissions challenges when using selinux


Twice now I've run into this class of problem and so I'm documenting it here for my future self and anyone else with a similar problem.

Most recently, a server I manage was generating a rather baffling error, seemingly randomly:

Warning: file_put_contents(temporary:///.htaccess) [function.file-put-contents]: failed to open stream: "DrupalTemporaryStreamWrapper::stream_open" call failed in file_create_htaccess() (line 498 of /[documentroot]/includes/file.inc).

Baffling because apache (and pretty much any other process on a linux server) has access to read and write to the /tmp directory, and extra baffling because the file was there, created.

It seemed to be mostly when editing, but not uniquely. After doing a stack trace, I discovered this about file management in Drupal:


  1. As a security measure, Drupal checks for an .htaccess file in all directories it writes to.
  2. That includes the temporary directory [which is good, because sometimes that directory is inside the web document root].
  3. Which means it's going to write a .htaccess file to your /tmp directory, if you use the default temporary directory setting in unix.


All that is well and good unless you're running selinux, which this server is. In this case, it's also using fcgi, which means the selinux rules are a little less standard and prone to issues.

Conclusions:


  1. When you've got confusing file permission errors, check the /var/log/audit directory. If you don't know what I'm talking about, check http://wiki.centos.org/HowTos/SELinux
  2. The key for this error was looking at the .htaccess file with the ls -Z command. The -Z option tells you about the extra selinux file settings.
  3. To fix my version of the error, I used this:


chcon -v --type=httpd_sys_content_t /tmp/.htaccess

i.e. changing the selinux "type" solved it.
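The first conclusion above, as an added example that is not part of the original post: a small filter that turns raw AVC denial records into one line per denial, showing the process, the file name, and the source and target SELinux types. The function names and the embedded log lines are constructed for illustration; the types in a real log will differ.

```shell
#!/bin/sh
# Added example. sample_audit_log prints CONSTRUCTED audit records so the
# script runs offline; on a real host feed avc_summary the audit log instead
# (by default /var/log/audit/audit.log, readable by root).
sample_audit_log() {
  cat <<'EOF'
type=AVC msg=audit(1300000000.123:456): avc:  denied  { write } for  pid=1234 comm="php-cgi" name=".htaccess" dev=dm-0 ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1300000000.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="php-cgi" exe="/usr/bin/php-cgi"
type=AVC msg=audit(1300000001.456:457): avc:  denied  { read } for  pid=2222 comm="sshd" name="key" dev=dm-0 ino=11111 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
EOF
}

# avc_summary [SOURCE_TYPE_PREFIX]
# Reads audit-log text on stdin and prints, per AVC denial:
#   comm  object-name  permissions  source-type  target-type  class
# With a prefix (e.g. httpd_) only denials from matching domains are shown.
avc_summary() {
  awk -v want="${1:-}" '
    /type=AVC/ && /denied/ {
      # Permissions are the words between the braces.
      perms = $0
      sub(/^.*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
      gsub(/ /, ",", perms)
      comm = name = src = tgt = cls = "-"
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        val = substr($i, length(kv[1]) + 2)
        gsub(/"/, "", val)
        if (kv[1] == "comm") comm = val
        else if (kv[1] == "name") name = val
        else if (kv[1] == "tclass") cls = val
        # The SELinux type is the third field of user:role:type:level.
        else if (kv[1] == "scontext") { split(val, c, ":"); src = c[3] }
        else if (kv[1] == "tcontext") { split(val, c, ":"); tgt = c[3] }
      }
      if (want == "" || index(src, want) == 1)
        print comm, name, perms, src, tgt, cls
    }'
}

# Show only denials raised by web-server domains in the sample.
sample_audit_log | avc_summary httpd_
```

The target type in the output is the same label that ls -Z shows on the file. A type set with chcon is not recorded in the file-context policy, so a later restorecon or filesystem relabel will reset it.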
