Handling File ownership issues in a PHP apache application
PHP apps runs as “www-data”
- Code publish through jenkins for .net MVC solution in Ubuntu machine
- Setting up Rails project on localhost, postgresql issue
- Could Not Resolve Host github.com
- SVN Repo gives 404 not Found
- Clone remote git repository problem
- GitHub taking forever to push/pull on Ubuntu 11.04
Issue: Our Developers and Devops would like to pull the latest sources (frequently), and would like to initiate this over the web (rather than putty -> and running the git pull command).
However, since the PHP files run as “www-data” it cannot run a git pull (as the files are owned by “ubuntu”).
I am not comfortable with both alternatives:
- Running Apache server as “ubuntu”, due to obvious security issue.
- The git repository files to be “www-data”, as it makes it very inconvenient for developers logging into the server and editing the files directly.
What is the best practice for handling this situation? I am sure this must be a common issue for many setups.
Right now, we have a mechanism where the Devops triggers the git pull request from the web (where a PHP job – running as “www-data” creates a temp file). And a Cron job, running as “ubuntu”, reads the temp file trigger and then issues the “git pull” command. There is a time lag, between the trigger and the actual git pull, which is a minor irritant now. I am in the process of setting up docker containers, and have the requirement to update the repo, running on multiple containers within the same host. I wanted to use this opportunity to solve this problem, in a better way, and looking for advise regarding this.
One Solution collect form web for “Handling File ownership issues in a PHP apache application”
We use Rocketeer and groups to deploy. Rocketeer deploys with the user set to the deployment user (ubuntu in your case) and read/write permission for it, and the www-data group with read/execute permission. Then, as a last step, it modifies the permissions on the web-writable folders so that php can write to them.
Rocketeer executes over ssh, so can be triggered from anywhere, as long as it can connect to the server (public keys help). You might be able to setup your continuous integration/automated deployment to trigger a deploy automatically when a branch is updated/tests pass.
In any case, something where the files are owned by one user that can modify them and the web group can read the files should solve the main issue.
If you are planning on using docker, the simplest way would be to generate a new docker image for each build that you can distribute to your hosts. The docker build process would simply pull the latest changes on creation and never update itself. If a new version needs to be deployed, a new immutable image with the latest code is created and distributed.