Provision ACL

This page documents the Provision ACL extension to Aegir which allows more granular access control over your sites files and directories.

1. Install instructions

First, you'll need a running Aegir install (1.0-rc3 or later), see http://community.aegirproject.org/installing. Most (if not all) of these commands will have to be run as root (or using sudo, etc.)

1.1. Download and install provision

drush dl provisionacl-6.x

1.2. Enable ACLs on your filesystem

mount -o remount,acl /

Here we assume everything is under the root (/) filesystem here, otherwise run this command for every filesystem Aegir will work on (e.g. /srv, /var or /home).

You also need to edit your /etc/fstab for this configuration to survive reboots.

1.3. Install ACL support package

apt-get install acl

1.4. Create a UNIX group

In this case we choose a group called "devs" but you can choose another name.

groupadd devs

1.5. Add users to the group

Add one or more UNIX users that you want to give access to that group. For an existing user (socrates32), this would look like:

usermod -a -G devs socrates32

For a new user (ergonlogic), this would look like:

useradd -G devs ergonlogic

1.6. Create a client

Create a client (should be called "devs" for this example) in the frontend at /node/add/client.

1.7. Create a site

Create a site for the client in the frontend at /node/add/site.

2. What it does

When the site is installed, members of the "devs" group will be able to write to the sites' directories (e.g. upload files and modules) and run drush commands on the site (yes, including site aliases, although see caveats below).

This works also for existing sites; make sure you create a group matching the internal name of the existing client and reverify the site.

3. LDAP integration

Provisionacl supports LDAP groups as well. Ensure that an LDAP client is running and that the 'aegir' user can see the LDAP-provided groups:

getent groups

You may need to restart the Name Service Cache Daemon (nscd):

/etc/init.d/nscd restart

4. API - how to add ACL support to your Aegir extension

To change ACLs on files, you should use something like this:

if (function_exists('provisionacl_set_acl')) {
    provisionacl_files_acls(d()->site_path . '/mysettings.php');
}

You can optionnally pass a group as an argument, but it will guess that from the client name of the site. Also note that this will raise a drush error if setfacl fails, but just set a warning if the group doesn't exist.

5. Caveats (ie. what it does not)

Giving shell access to users in Aegir is still insecure, see this upstream issue: #762138.

We aim to refactor this into the Aegir core in 2.x, but in the meantime this should provide a good workaround for the limitations of the existing permission system.

This will only work in 1.0 and above, as it needs the "client_name" field to be populated.

You will need to change your $HOME variable for aliases to work, because of this bug in drush: #1104438. Example:

env HOME=/var/aegir drush @hostmaster cc all

See also this post for context and design.

6. Debugging

If for some reason you have lost the ACLs on the directories and you need to restore them, use the following commands, which is basically what the module does:

cd sites/example.com
setfacl -R -m user:aegir:rwx .
setfacl -R -m default:user:aegir:rwx .
setfacl -R -m group:www-data:rwx .
setfacl -R -m d:group:www-data:rwx .
setfacl -R -m group:cl-group:rwx .
setfacl -R -m default:group:cl-admin:rwx .

7. Notes

This page is the reference documentation for the Provision ACL module page on Drupal.org - keep this in mind when editing please.