Permissions Required by GLPI on Linux

During the configuration process, GLPI will let you know when permissions are unusable for some folders. But what are the right permissions? What is the best way to configure permissions for these folders?

Understanding Generalized Linux Permissions

Linux typically uses a format of 3 groups of 3 characteristics. The three groups are, in order, Owner, Group, Others. You'll see this expressed as a series of dashes, r's, w's and x's: dash for denied, r for read, w for write, and x for execute. For example, rwxr-xr-x is a pretty typical permission (represented by 755). It states that the owner has full access to read, write or execute on that directory or file. The group has read and execute, and the others have read and execute as well.

As shorthand, the three values are represented as binary numbers. rwx is 111, r-x is 101 and r-- is 100. Then, you translate that to a base 8 (octal digit) numbering system, and 111 becomes 7, 101 becomes 5 and 100 becomes 4. To make it simpler, you could search for linux permissions on Google and there'll be tables nearby which detail what each octal digit means (http://www.zzee.com/solutions/linux-permissions.shtml).

Folders to set permissions on

There are primarily two directories you'll need to give GLPI Write access to during configuration. These two directories are /files and /config.

Consider, though, that GLPI is not actually a user, and you don't want to just set 777. Setting rwxrwxrwx (same as 777 for those paying attention) would give anyone and everyone (including anonymous users) access to read, write and execute the file. The actual user that GLPI runs as is httpd's user account. On my installation, and on most, that user will be apache.

Using the console to set permissions

So, before beginning configuration, perhaps you should set those permissions so you can just fly through it. For the /files directory, type chmod 755 files, keeping in mind that the files directory should be in your currently active directory. Next, type chown apache files.

For the config directory, do the same thing for now. Type chmod 755 config and then chown apache config.

Writer's note: Initially, I don't think these need to be done recursively.

Post Install Permissions Change

At the bottom of this page, http://www.glpi-project.org/spip.php?article61, you'll see that the author recommends you change the config_db.php file permissions to be much more restrictive.

“For security reasons you must to set the read right to config/config_db.php only to the web service user. Example : chmod 400 config/config_db.php”

If I interpret this correctly, I think this implies that you should change the ownership of the config_db.php file as well. Type chmod 400 config/config_db.php and then chown apache config/config_db.php.

There, instead of opening up your permissions all the way during install (777, cough), you just opened them up enough for GLPI to do what it needs to do. And besides the config_db.php file, there isn't really any other need to edit permissions or go back and try to start restricting all the files and directories.
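
To confirm the result of the chmod and chown steps above, the following audit script is an added example, not part of the original page or of GLPI. It assumes GNU stat (Linux) and a web user named apache unless another is given; the function names check_path and audit_glpi are made up for this illustration.

```shell
#!/bin/sh
# Added example: audit a GLPI tree against the modes recommended on this page.
# Assumptions: GNU stat; web server user defaults to "apache".

# check_path PATH WANT_MODE WEB_USER
# Prints one line per finding; returns 1 if anything is off.
check_path() {
    path=$1; want=$2; user=$3; rc=0
    [ -e "$path" ] || { echo "MISSING $path"; return 1; }
    mode=$(stat -c '%a' "$path")
    owner=$(stat -c '%U' "$path")
    if [ "$owner" != "$user" ]; then
        echo "OWNER $path: $owner (want $user)"; rc=1
    fi
    # Bits set beyond the wanted mode, e.g. the 022 in 777 when 755 is wanted
    if [ $(( 0$mode & ~0$want & 07777 )) -ne 0 ]; then
        echo "TOO-OPEN $path: mode $mode (want $want)"; rc=1
    fi
    # Owner bits that are wanted but missing: the web user could not do its job
    if [ $(( 0$want & ~0$mode & 0700 )) -ne 0 ]; then
        echo "TOO-TIGHT $path: mode $mode (want $want)"; rc=1
    fi
    return $rc
}

# audit_glpi GLPI_ROOT [WEB_USER]
audit_glpi() {
    root=$1; user=${2:-apache}; fail=0
    check_path "$root/files" 755 "$user" || fail=1
    check_path "$root/config" 755 "$user" || fail=1
    # config_db.php only exists once the installer has written it
    if [ -e "$root/config/config_db.php" ]; then
        check_path "$root/config/config_db.php" 400 "$user" || fail=1
    fi
    return $fail
}

# Run as: sh audit.sh /path/to/glpi [webuser]
if [ $# -gt 0 ]; then
    audit_glpi "$@"
fi
```

A directory left at 777 from an earlier install attempt shows up as TOO-OPEN, and a config_db.php still at its default mode is flagged the same way.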