Setting up write access using ACL for Moodle on a VPS

by Christopher King -

Good day,

I've installed Moodle 3.7 on a "virtual personal server", VPS, running CentOS 7.  My hosting service runs my VPS in a Virtuozzo container.  The system only has two accounts on it:  root and what I'll call myaccount.  Moodle is installed in the "myaccount" region of the filesystem.  After installing I followed the Moodle documentation directions for setting the owner to "root".  From the directory containing the Moodle directory I typed

# chown -R root moodle
I also changed permissions by following the documentation.
# chmod -R 0755 moodle
# find moodle -type f -exec chmod 0644 {} \;
From the command line I could now type
# ls -la
and see that the owner and permissions were changed as expected.
I neglected to do the last step, which gives a user permission to read and write from Moodle directories.
# chmod -R +a "www-data allow read,delete,write,append,file_inherit,directory_inherit" moodle
However, on trying to install a theme, I received an error message that the moodle/themes/ directory was not writable, so I tried to run that last command.  It doesn't work on my system: the "+a" option isn't recognized. The permissions that command gives seem like the equivalent of read and write permissions.  So, I tried using access control lists, ACL.  I entered the following.
# setfacl --test -R -m user:myaccount:rw- moodle
setfacl sets the access control for the moodle directory and all directories under it (the -R makes it recursive).  The -m modifies the ACL.  This gives read and write permission to user "myaccount".  On entering this it printed a long list of files, so I assumed it worked.  I removed the --test part and ran it again.  To verify that it worked, I typed
getfacl moodle
which printed out the following, indicating it had worked.
# file: moodle
# owner: root
# group: root
user::rwx
user:myaccount:rw-
group::r-x
mask::rwx
other::r-x
I tried to go to Moodle, but got an error message:

Forbidden

You don't have permission to access / on this server.
Server unable to read htaccess file, denying access to be safe


I reran that setfacl command giving the account execution permission
# setfacl -R -m user:myaccount:rwx moodle
Now Moodle runs again and a new plugin was successfully installed.

Does this seem like an appropriate way of enabling write access to the Moodle plugin directory?  I'm concerned that it may allow anyone to write to the Moodle directory.  If this does seem appropriate, I could add it to the description of how to install Moodle.  A peculiarity of my setup is that the user is set to an account name, rather than something like "apache".  There are only two users on the system, so apache could not be used as a user, I think.
Thanks,
Chris


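Added example, not part of the original post: the POSIX ACL access-check order applied to the getfacl listing quoted above. It shows that the named user:myaccount:rw- entry takes precedence over other::r-x, so that account loses directory traversal (x), and that accounts with no entry of their own still cannot write. It assumes the web server runs as myaccount, as the post describes; the "student" account and the group lists are constructed.

```python
# Added example: evaluate a getfacl listing using the POSIX ACL check order
# (owner, named user, groups, other). Listing copied from the post; the
# "student" account used in the checks is constructed for illustration.
ACL_FROM_POST = """\
# file: moodle
# owner: root
# group: root
user::rwx
user:myaccount:rw-
group::r-x
mask::rwx
other::r-x
"""

def parse_getfacl(text):
    """Return (owner, owning_group, [(tag, qualifier, perms), ...])."""
    owner = group = None
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            tag, qualifier, perms = line.split(":")[:3]
            entries.append((tag, qualifier, set(perms[:3]) - {"-"}))
    return owner, group, entries

def allowed(text, user, groups, want):
    """True if `user` (a member of `groups`) is granted every permission in `want`."""
    owner, owning_group, entries = parse_getfacl(text)
    want = set(want)
    def find(tag, qualifier):
        return [p for t, q, p in entries if t == tag and q == qualifier]
    mask = (find("mask", "") or [set("rwx")])[0]
    if user == owner:                      # 1. owner entry; the mask is not applied
        return want <= find("user", "")[0]
    named = find("user", user)
    if named:                              # 2. named user entry beats group and other
        return want <= (named[0] & mask)
    matched = [p for g in groups for p in find("group", g)]
    if owning_group in groups:
        matched += find("group", "")
    if matched:                            # 3. one matching group entry must grant it all
        return any(want <= (p & mask) for p in matched)
    return want <= find("other", "")[0]    # 4. everyone else
```

setfacl also accepts a capital X in the permission field (for example user:myaccount:rwX), which sets execute only on directories and on files that already have an execute bit, so regular files do not become executable.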