Friday, June 21, 2013

Drupal and file permissions challenges when using selinux


Twice now I've run into this class of problem and so I'm documenting it here for my future self and anyone else with a similar problem.

Most recently, a server I manage was generating a rather baffling error, seemlingly randomly

Warning: file_put_contents(temporary:///.htaccess) [function.file-put-contents]: failed to open stream: "DrupalTemporaryStreamWrapper::stream_open" call failed in file_create_htaccess() (line 498 of /[documentroot]/includes/file.inc).

Baffling because apache (and pretty much any other process on a linux server) has access to read and write to the /tmp directory, and extra baffling because the file was there, created.

It seemed to be mostly when editing, but not uniquely. After doing a stack trace, I discovered this about file management in Drupal:


  1. As a security measure, Drupal checks for an .htaccess file in all directories it writes to.
  2. That includes the temporary directory [which is good, because sometimes that directory is inside the web document root].
  3. Which means it's going to write a .htaccess file to your /tmp directory, if you use the default temporary directory setting in unix.


All that is well and good unless you're running selinux, which this server is. In this case, it's also using fcgi, which means the selinux rules are a little less standard and prone to issues.

Conclusions:


  1. When you've got confusing file permission errors, check the /var/log/audit directory. If you don't know what I'm talking about, check http://wiki.centos.org/HowTos/SELinux
  2. The key for this error was looking at the .htaccess file with the ls -Z command. The -Z option tells you about the extra selinux file settings.
  3. To fix my version of the error, i used this:


chcon -v --type=httpd_sys_content_t /tmp/.htaccess

i.e. changing the selinux "type" solved it.