Skip to main content

Drupal and file permissions challenges when using selinux


Twice now I've run into this class of problem and so I'm documenting it here for my future self and anyone else with a similar problem.

Most recently, a server I manage was generating a rather baffling error, seemlingly randomly

Warning: file_put_contents(temporary:///.htaccess) [function.file-put-contents]: failed to open stream: "DrupalTemporaryStreamWrapper::stream_open" call failed in file_create_htaccess() (line 498 of /[documentroot]/includes/file.inc).

Baffling because apache (and pretty much any other process on a linux server) has access to read and write to the /tmp directory, and extra baffling because the file was there, created.

It seemed to be mostly when editing, but not uniquely. After doing a stack trace, I discovered this about file management in Drupal:


  1. As a security measure, Drupal checks for an .htaccess file in all directories it writes to.
  2. That includes the temporary directory [which is good, because sometimes that directory is inside the web document root].
  3. Which means it's going to write a .htaccess file to your /tmp directory, if you use the default temporary directory setting in unix.


All that is well and good unless you're running selinux, which this server is. In this case, it's also using fcgi, which means the selinux rules are a little less standard and prone to issues.

Conclusions:


  1. When you've got confusing file permission errors, check the /var/log/audit directory. If you don't know what I'm talking about, check http://wiki.centos.org/HowTos/SELinux
  2. The key for this error was looking at the .htaccess file with the ls -Z command. The -Z option tells you about the extra selinux file settings.
  3. To fix my version of the error, i used this:


chcon -v --type=httpd_sys_content_t /tmp/.htaccess

i.e. changing the selinux "type" solved it.

Popular posts from this blog

Orchestrating Drupal + CiviCRM containers into a working site: describing the challenge

In my previous posts, I've provided my rationale for making use of Docker and the microservices model for a boutique-sized Drupal + CiviCRM hosting service. I've also described how to build and maintain images that could be used for the web server (micro) service part of such a service.

The other essential microservice for a Drupal + CiviCRM website is a database, and fortunately, that's reasonably standard. Here's a project that minimally tweaks the canonical Mariadb container by adding some small configuration bits: https://github.com/BlackflySolutions/mariadb

That leaves us now with the problem of "orchestration", i.e. how would you launch a collection of such containers that would serve a bunch of Drupal + CiviCRM sites. More interestingly, can we serve them in the real world, over time, in a way that is sustainable? i.e. handle code updates, OS updates, backups, monitoring, etc? Not to mention the various crons that need to run, and how about things like…

Building and maintaining Drupal + CiviCRM application containers

In my previous two posts, I provided some background into why I decided on using containers for a boutique Drupal + CiviCRM hosting platform, and why Docker and its micro-services approach is a good choice for building and maintaining containers.

Although I promised to talk about orchestration, that was getting ahead of the story - first I'm going to look at the challenge of keeping your application containers up-to-date with OS and application-level updates. There's a fair amount of work in that, but the tooling is mature and there is lots of good documentation.

A great place to start is to visit the official Drupal docker hub page. From there, you can pull a working Drupal code container, and it gets re-built frequently with all the OS and Drupal-code updates, so you just refresh your containers whenever you want (i.e. whenever a security release comes out, or more often to stay up-to-date).

A nice thing about that project is that it demonstrates a technique for maintaining …

The Tyee: Bricolage and Drupal Integration

The Tyee is a site I've been involved with since 2006 when I wrote the first, 4.7 version of a Drupal module to integrate Drupal content into a static site that was being generated from bricolage. About a year ago, I met with Dawn Buie and Phillip Smith and we mapped out a number of ways to improve the Drupal integration on the site, including upgrading the Drupal to version 5 from 4.7. Various parts of that grand plan have been slowly incorporated into the site, but as of next week, there'll be a big leap forward that coincides with a new design [implemented in Bricolage by David Wheeler who wrote and maintains Bricolage] as well as a new Drupal release of the Bricolage integration module.PlansApplication integration is tricky, and my first time round had quite a few issues. Here's a list of the improvements in the latest version:File space separation. Before, Drupal was installed in the apache document root, which is where bricolage was publishing it's content. This …