Provision ACL
This page documents the Provision ACL extension to Aegir, which allows more granular access control over your sites' files and directories.
1. Install instructions
First, you'll need a running Aegir install (1.0-rc3 or later), see http://community.aegirproject.org/installing. Most (if not all) of these commands will have to be run as root (or using sudo, etc.)
1.1. Download and install provision
drush dl provisionacl-6.x
1.2. Enable ACLs on your filesystem
mount -o remount,acl /
Here we assume everything is under the root (/) filesystem; otherwise run this command for every filesystem Aegir will work on (e.g. /srv, /var or /home).
You also need to add the acl option to the relevant entries in /etc/fstab for this configuration to survive reboots.
1.3. Install ACL support package
apt-get install acl
1.4. Create a UNIX group
In this case we choose a group called "devs" but you can choose another name.
groupadd devs
1.5. Add users to the group
Add one or more UNIX users that you want to give access to that group. For an existing user (socrates32), this would look like:
usermod -a -G devs socrates32
For a new user (ergonlogic), this would look like:
useradd -G devs ergonlogic
1.6. Create a client
Create a client (should be called "devs" for this example) in the frontend at /node/add/client.
1.7. Create a site
Create a site for the client in the frontend at /node/add/site.
2. What it does
When the site is installed, members of the "devs" group will be able to write to the site's directories (e.g. upload files and modules) and run drush commands on the site (yes, including site aliases, although see the caveats below).
This also works for existing sites: make sure you create a UNIX group matching the internal name of the existing client and then reverify the site.
3. API - how to add ACL support to your Aegir extension
To change ACLs on files from your own extension, use something like this (PHP, run inside a drush/provision command):
// Guard on the function you are about to call, so the extension keeps working when Provision ACL is not installed.
if (function_exists('provisionacl_files_acls')) {
  provisionacl_files_acls(d()->site_path . '/mysettings.php');
}
You can optionally pass a group as a second argument; otherwise it is guessed from the client name of the site. Also note that this raises a drush error if setfacl fails, but only sets a warning if the group does not exist.
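As an added example (not code from the Provision ACL module or from Aegir), here is how a hypothetical extension "myext" could grant the client's group access to a file it writes into the site directory and then confirm the ACL actually landed, so a silent failure is caught at verify time rather than when a developer cannot edit the file. The hook name, the file name and d()->client_name are assumptions; provisionacl_files_acls() and its optional group argument are as documented above.

```php
<?php
// Added example, not part of Provision ACL. Hook name, file name and
// d()->client_name are assumptions about the surrounding extension.

/**
 * Post-install hook of the hypothetical "myext" extension.
 */
function drush_myext_post_provision_install() {
  $file = d()->site_path . '/myext.settings.php';
  // Degrade gracefully on plain Aegir installs without Provision ACL.
  if (!function_exists('provisionacl_files_acls')) {
    drush_log("Provision ACL not available, skipping ACL setup for $file", 'notice');
    return;
  }
  // The group argument is optional (Provision ACL derives it from the client
  // name); we pass it explicitly so the same value can be verified below.
  $group = d()->client_name;
  provisionacl_files_acls($file, $group);
  // Provision ACL only warns when the group is missing, so check the result
  // and turn a missing entry into a hard error for this extension's file.
  if (!myext_acl_grants_group($file, $group)) {
    drush_set_error('MYEXT_ACL_MISSING', "no rwx ACL entry for group $group on $file");
  }
}

/**
 * Return TRUE when getfacl reports a group:GROUP:rwx entry on $path,
 * FALSE when the entry is absent or getfacl itself fails.
 */
function myext_acl_grants_group($path, $group) {
  // -p keeps absolute paths; drush_shell_exec() escapes the argument.
  if (!drush_shell_exec('getfacl -p %s', $path)) {
    return FALSE;
  }
  foreach (drush_shell_exec_output() as $line) {
    if (trim($line) === "group:$group:rwx") {
      return TRUE;
    }
  }
  return FALSE;
}
```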
4. Caveats (i.e. what it does not do)
Giving shell access to users in Aegir is still insecure; see upstream issue #762138.
We aim to refactor this into the Aegir core in 2.x, but in the meantime this should provide a good workaround for the limitations of the existing permission system.
This will only work in 1.0 and above, as it needs the "client_name" field to be populated.
You will need to change your $HOME variable for site aliases to work, because of drush bug #1104438. Example:
env HOME=/var/aegir drush @hostmaster cc all
See also this post for context and design.
5. Debugging
If for some reason you have lost the ACLs on the directories and need to restore them, use the following commands, which are basically what the module does:
cd sites/example.com
# aegir user: access ACL plus default ACL so new files inherit it
setfacl -R -m user:aegir:rwx .
setfacl -R -m default:user:aegir:rwx .
# web server group
setfacl -R -m group:www-data:rwx .
setfacl -R -m d:group:www-data:rwx .
# client group: replace cl-group with the UNIX group matching the client name ("devs" in this example)
setfacl -R -m group:cl-group:rwx .
setfacl -R -m default:group:cl-group:rwx .
6. Notes
This page is the reference documentation for the Provision ACL module page on Drupal.org; please keep this in mind when editing.