Last modified: 2014-09-26 17:12:53 UTC
Web uploads create files and directories in /srv/images with owner www-data:www-data; job queue uploads do it with vagrant:vagrant. This results in all kinds of errors when using the GWToolset role.
This could be handled by creating a group that contains both the www-data and vagrant users, chowning everything under /srv/images to that group, setting everything g+w, setting setgid for all directories, and setting a permissive umask. (Not sure how to do the last part, [[mw:Manual:$wgDirectoryMode]] defaults to 777, and vagrant does use that, but www-data does not. Maybe just calling umask() somewhere in the config would do the trick.)
(In reply to Tisza Gergő from comment #0)
> job queue uploads do it with vagrant:vagrant
What's causing the job queue to run as the vagrant user? Is there a cron somewhere that just needs to have its user setting adjusted?
Now that you say it, that might have been me when I was trying to debug a failing job. Does vagrant even process the job queue? I can't find anything to that effect. So basically the solution is to make sure I sudo -u www-data every time I run a PHP script that creates files? That does not feel developer-friendly.
Indeed, I ran the script with the wrong permissions, so the bug in its original form is invalid. I still think there should be some sort of warning or workaround so that running a script from the command line does not mess up the permissions, but I have no idea how that could be done (unless we mess around with ACLs).
I wonder if this whole thing could be simplified by running web as the vagrant user? It's insecure, but as a development machine I'm ok with that.
This is not a unique problem for the MediaWiki-Vagrant environment. On the production cluster we use a wrapper script (mwscript) in part to ensure that scripts end up being run as the same user as Apache. I think it would be great to provide an equivalent to `mwscript` and document that it should be used. Alternately we could alias php to 'sudo -u www-data -n -- php "$@"' in the .bashrc for the 'vagrant' user.
Since https://gerrit.wikimedia.org/r/#/c/149872/ the wmscript wrapper is needed to run maintenance scripts and it forces `sudo -u www-data`. It is still possible to mess up file permissions, but it should be much less likely to occur now.
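
An added example, not part of the thread or of MediaWiki-Vagrant's own code: a POSIX shell check that lists paths under an upload tree which break the shared-group layout proposed in the first comment (common group, g+w, setgid on directories), so permission drift from a script run as the wrong user can be spotted. The names `perm_drift` and `demo_tree` and the group argument are assumptions; the thread does not name the shared group.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread).

# perm_drift DIR GROUP
# Prints one line per offending path as "<reason><TAB><path>".
perm_drift() {
    dir=$1
    grp=$2
    # Wrong group: created by a process outside the shared group.
    find "$dir" ! -group "$grp" -exec printf 'group\t%s\n' {} \;
    # Not group-writable: the creator ran with a restrictive umask (e.g. 022).
    find "$dir" ! -type l ! -perm -0020 -exec printf 'g-w\t%s\n' {} \;
    # Directory without setgid: new children will not inherit the group.
    find "$dir" -type d ! -perm -2000 -exec printf 'no-setgid\t%s\n' {} \;
}

# Constructed demo tree (not from the thread). It uses the caller's own
# group so it runs without root; in the thread's setup DIR is /srv/images.
demo_tree() {
    t=$(mktemp -d)
    mkdir "$t/good" "$t/bad"
    chmod 2775 "$t" "$t/good"          # shared layout: g+w and setgid
    chmod 0755 "$t/bad"                # as left by a default-umask process
    : > "$t/good/ok.png";  chmod 0664 "$t/good/ok.png"
    : > "$t/good/cli.png"; chmod 0644 "$t/good/cli.png"
    echo "$t"
}

# Stand-alone use: sh perm_drift.sh /srv/images <shared-group>
if [ $# -eq 2 ]; then
    perm_drift "$1" "$2"
fi
```

An empty result means the tree still matches the layout; any `group` line points at a file created outside the shared group.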