drush cc returns a series of these errors for both css and js directories:

WD php:                                                              [error]
unlink(sites/site.com/files/js/js_bcf2fa81dc9d07377651f6be73f31204.js):
Permission denied in /path/to/drupal/includes/file.inc on line
444.

site/site.com/files is 777
site/site.com/files/css is 755
site/site.com/files/js is 755

Both directories are owned by www-data

Flushing all caches from Administration Menu works fine.
So far the only way to make it work from drush is to chmod the css|js to 777.

Any idea where my permissions are wrong? Thanks!

Comments

greg.1.anderson’s picture

Status: Active » Fixed

Drush doesn't run as the user www-data; it runs as the user you're logged in as. su www-data if you'd like to run drush with the same perms as the web user. Note that the www-data account is usually locked so you can't log in as it, but you can adjust these settings.

I for one prefer to set up my sites so that www-data does not own the files in the drupal root and cannot write to any file that it does not need to (e.g. the files directory), and cannot even read files that it does not need to (e.g. the *.txt files at the drupal root). Then I log in as a user (say, "publisher") who does own all of these files and can read and write them, and use drush from there.

Slovak’s picture

Agreed. All my drupal directory and subdirectories are owned by another account, not www-data.

If I chown sites/site.com/files -R so that files and all subdirectories are owned by the other account, I can easily perform drush cc. Trying to access the site, however, results in errors as Drupal now can't write the aggregated css|js files into the appropriate directories.

I guess a compromise is to:
chown to the other account
chgrp www-data css|js
chmod g+w css|js -R

Now the permissions are 775, owner is my other account, but can still be accessed by www-data as its group.

Just can't bring myself to 777 the full files/ directory.

greg.1.anderson’s picture

You are correct; perms should be 775 (or 770), owner should be non-webserver user, group should be www-data or other webserver-accessible group.
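
Added example, not part of the original thread: a small shell model of why the three setups discussed above behave as they do, since unlink() is governed by the write and search bits of the containing directory. The account name "publisher" is taken from the comment above; the function names and the assumption that each account belongs only to its own group are made up for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread. unlink() is decided by the permission
# bits of the containing directory, not of the file being deleted.

# can_unlink MODE DIR_OWNER DIR_GROUP USER "USER_GROUPS"
# MODE is three octal digits without a leading zero (755, 775, ...).
# Returns 0 if USER may delete entries in the directory.
# Assumption: no root, ACLs or sticky bit involved.
can_unlink() {
    mode=$1 downer=$2 dgroup=$3 user=$4 ugroups=$5
    if [ "$user" = "$downer" ]; then
        bits=$((mode / 100 % 10))        # owner class
    else
        case " $ugroups " in
            *" $dgroup "*) bits=$((mode / 10 % 10)) ;;   # group class
            *)             bits=$((mode % 10)) ;;        # other class
        esac
    fi
    # Both write (2) and search (1) are needed on the directory.
    [ $((bits & 3)) -eq 3 ]
}

# audit_world_writable DIR...: list directories left at o+w (the 777
# workaround); returns 1 if any are found.
audit_world_writable() {
    found=$(find "$@" -type d -perm -0002 2>/dev/null)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Constructed cases: "publisher" runs drush, "www-data" runs the web server,
# and each account's only group is the one named after it.
for cfg in "755 www-data www-data" "777 www-data www-data" "775 publisher www-data"; do
    set -- $cfg
    for u in publisher www-data; do
        if can_unlink "$1" "$2" "$3" "$u" "$u"; then r=allowed; else r=denied; fi
        echo "dir mode=$1 owner=$2 group=$3, user=$u: unlink $r"
    done
done
```

Running audit_world_writable against sites/site.com/files after applying the 775 setup shows any directory still left at 777.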

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

pimok3000’s picture

Thanks slovak, that worked perfectly.

Although I had to change user.www-data back to user.rootgroup on the /images/temp folder to not get unlink error messages.