Right Access
Test environment
When we just want to test wallabag, we just run the command make run
to start our wallabag instance and everything will go smoothly because
the user who started the project can access the current folder
naturally, without any problem.
Production environment
As soon as we use Apache or Nginx to access our wallabag instance,
and not the command make run to start it, we should take care to
grant the correct rights on the correct folders to keep all the folders
of the project safe.
To do so, the folder known as DocumentRoot (for Apache) or root
(for Nginx) has to be accessible by the Apache/Nginx user. This user
is generally named www-data, apache, or nobody (depending on the Linux
system used).
So the folder /var/www/wallabag/web has to be accessible by this user.
But taking care of this folder alone may not be enough, because we
could get a blank page or an error 500 when trying to access the
homepage of the project.
This is because we need to grant the same access rights on the folder
/var/www/wallabag/var as those we gave on the folder
/var/www/wallabag/web. We fix this problem with the following command:
chown -R www-data:www-data /var/www/wallabag/var
The same has to be done for the following folders:
- /var/www/wallabag/bin/
- /var/www/wallabag/app/config/
- /var/www/wallabag/vendor/
- /var/www/wallabag/data/
- /var/www/wallabag/web/
by entering:
chown -R www-data:www-data /var/www/wallabag/bin
chown -R www-data:www-data /var/www/wallabag/app/config
chown -R www-data:www-data /var/www/wallabag/vendor
chown -R www-data:www-data /var/www/wallabag/data/
chown -R www-data:www-data /var/www/wallabag/web/
Otherwise, sooner or later you will see these error messages:
Unable to write to the "bin" directory.
file_put_contents(app/config/parameters.yml): failed to open stream: Permission denied
file_put_contents(/.../wallabag/vendor/autoload.php): failed to open stream: Permission denied
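A check for the ownership rules above, as an added example that is not part of the wallabag documentation: it reports which of the listed folders are missing or contain entries not owned by the web server user. The function name check_wallabag_owner is an assumption; the default path and user are the ones used in the commands on this page.

```shell
#!/bin/sh
# Added example (not wallabag's own code): audit ownership of the folders
# listed on this page.
# Usage: check_wallabag_owner [ROOT] [WEB_USER]
#   ROOT      defaults to /var/www/wallabag (path used on this page)
#   WEB_USER  defaults to www-data (may be apache or nobody on your system);
#             a numeric UID is accepted as well
# Returns 0 when every folder exists and is fully owned by WEB_USER.
# After the call, $bad holds the number of folders that failed the check.
check_wallabag_owner() {
    root=${1:-/var/www/wallabag}
    web_user=${2:-www-data}
    bad=0
    for sub in var bin app/config vendor data web; do
        dir=$root/$sub
        if [ ! -d "$dir" ]; then
            echo "MISSING $dir"
            bad=$((bad + 1))
            continue
        fi
        # List every entry (the folder itself included) with another owner.
        # A failing find (unknown user, unreadable subfolder) is reported
        # instead of being silently treated as "nothing wrong".
        if ! wrong=$(find "$dir" ! -user "$web_user" -print); then
            echo "ERROR   $dir: find failed (does user '$web_user' exist?)"
            bad=$((bad + 1))
            continue
        fi
        if [ -n "$wrong" ]; then
            count=$(printf '%s\n' "$wrong" | wc -l | tr -d ' ')
            first=$(printf '%s\n' "$wrong" | head -n 1)
            echo "WRONG   $dir: $count entries not owned by $web_user (first: $first)"
            echo "        fix: chown -R $web_user:$web_user $dir"
            bad=$((bad + 1))
        else
            echo "OK      $dir"
        fi
    done
    [ "$bad" -eq 0 ]
}
```

Source the file and call check_wallabag_owner with no arguments to audit the default installation path, or pass the installation root and the web server user of your distribution.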
Additional rules for SELinux
If SELinux is enabled on your system, you will need to configure additional contexts in order for wallabag to function properly. To check if SELinux is enabled, simply enter the following:
getenforce
This will return Enforcing if SELinux is enabled. Creating a new
context involves the following syntax:
semanage fcontext -a -t <context type> <full path>
For example:
semanage fcontext -a -t httpd_sys_content_t "/var/www/wallabag(/.*)?"
This will recursively apply the httpd_sys_content_t context to the wallabag directory and all underlying files and folders. The following rules are needed:
Full path | Context |
---|---|
/var/www/wallabag(/.*)? | httpd_sys_content_t |
/var/www/wallabag/data(/.*)? | httpd_sys_rw_content_t |
/var/www/wallabag/var/logs(/.*)? | httpd_log_t |
/var/www/wallabag/var/cache(/.*)? | httpd_cache_t |
After creating these contexts, enter the following in order to apply your rules:
restorecon -R -v /var/www/wallabag
You can check contexts in a directory by typing ls -lZ and you can see
all of your current rules with semanage fcontext -l -C.
If you’re installing the preconfigured latest-v2-package, then an additional rule is needed during the initial setup:
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/wallabag/var"
After you successfully access your wallabag and complete the initial setup, this context can be removed:
semanage fcontext -d -t httpd_sys_rw_content_t "/var/www/wallabag/var"
restorecon -R -v /var/www/wallabag/var