Updating Apache-user owned files

Hello,

I’ve got a Kirby 4 plainkit installation running on a Lightsail LAMP (PHP 8) instance. Previously my homepage was working, but the panel was not, which I solved by setting the apache user (daemon:daemon in bitnami’s installation) as the owner of my htdocs directory and its contents. This was fine until I needed to overwrite a CSS file via SFTP and was unable to do so because of the bitnami user’s now-revoked ownership of Kirby’s files. Permissions for all directories and files are the default 755/644.

My question is this: if the apache user has to retain ownership of Kirby’s files for the panel and other features to function correctly, how can I update files as the bitnami user? I don’t want to set permissions to 777 on a public server for obvious security reasons, so the only thing I can think of is to delete each individual file via SSH with sudo, then use SFTP to upload an updated version of each file and change the ownership. This is fine for minor tweaks, but major site updates will become quite cumbersome. Even though it would be simpler, I also don’t want to wipe the entire installation and reupload every time I need to change one file, as this defeats the entire purpose of the CMS.

Any help would be much appreciated! :slightly_smiling_face:

Is the bitnami user a member of the daemon group? If yes, you will only need to change the group permission to +write to solve 80% of your problem. The remaining 20% affects files and dirs which will be created by the bitnami user using SFTP, because these will have user:group set to bitnami:WHATEVER and permissions usually set to 755/644, depending on the value of umask. There are solutions to this of course, but they require more configuration.

The root cause of your problem is that you have 2 server processes (apache and sftp) probably running with different user:group settings and both are writing to the same file system. In general, it is recommended to not have 2 different processes writing to the same filesystem, especially when dealing with a CMS, but, well, sometimes it is like it is. Fortunately there are multiple solutions:

  • You could configure your server processes so that they use the same user:group (which might cause other problems, i.e. if both are writing to the same file at the same time).

  • Many FTP servers can be configured to write files with the user:group settings of the logged in user (not the user:group of the server itself). Then, it is just a matter of using the right user for logging in via FTP.

  • You could add the apache user to the group of the bitnami user and vice versa, or create your own group like “cms” and add both users to this group. Files and dirs must belong to this group with group write permissions. In addition to this, you will need to set the setgid bit on the htdocs directory (and all other directories which already exist below it). This will cause newly created files and dirs to belong to this group instead of the primary group of the user who writes to this directory. If your umask is set to 022, you will need to change this to 002 as well, making group write permissions the default.
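
The shared-group option from the reply above, as an added example that is not part of the original thread: one function applies group ownership, group write and setgid to a tree, and a second audits the result so drift is caught without falling back to 777. The function names and the `/path/to/htdocs` path are hypothetical; the group name "cms" and the users bitnami and daemon are the ones mentioned in the thread.

```shell
#!/bin/sh
# One-time setup, needs root and is not run by this script:
#   groupadd cms; usermod -aG cms bitnami; usermod -aG cms daemon
# Users must log in again before the new membership takes effect.

# apply_shared_group DIR GROUP
# Hand the tree to GROUP, grant group write, drop world write, and set
# setgid on every existing directory so new entries inherit GROUP.
apply_shared_group() {
    dir=$1 grp=$2
    chgrp -R "$grp" "$dir"
    # X adds execute only to directories and already-executable files.
    chmod -R g+rwX,o-w "$dir"
    find "$dir" -type d -exec chmod g+s {} +
}

# audit_shared_group DIR GROUP
# Prints every entry that breaks the scheme; returns 0 only when clean.
# Also catches a setgid bit the kernel silently dropped because the
# caller was not a member of GROUP.
audit_shared_group() {
    dir=$1 grp=$2
    problems=$(
        find "$dir" ! -group "$grp" \
            -exec printf 'wrong group: %s\n' {} \;
        find "$dir" ! -type l ! -perm -020 \
            -exec printf 'not group-writable: %s\n' {} \;
        find "$dir" -type d ! -perm -2000 \
            -exec printf 'directory without setgid: %s\n' {} \;
        find "$dir" ! -type l -perm -002 \
            -exec printf 'world-writable: %s\n' {} \;
    )
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# Usage (hypothetical path):
#   apply_shared_group /path/to/htdocs cms
#   audit_shared_group /path/to/htdocs cms
```

Files uploaded later only stay group-writable if the uploading process runs with umask 002, so rerun the audit after an SFTP upload to confirm.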