ArticleStorageFS and file permission

Moderator: crythias

setecastronomy
Znuny newbie
Posts: 28
Joined: 23 Jun 2014, 11:02
Znuny Version: 3.3.7

ArticleStorageFS and file permission

Post by setecastronomy »

Perhaps this question is more Linux-related; anyway, I hope to find help here.
I enabled ArticleStorageFS.
From the admin manual:
Your web server user should be the 'otrs' user
I read somewhere else that there is a security risk in executing apache2 with a different user than www-data (I'm under Ubuntu).
Do you think it is a real concern?

I thought it was sufficient to have www-data and otrs users share the same group, www-data.
I created a directory for the attachments owned by otrs:www-data with 770 permission.
I made some tests and I couldn't see the e-mail attachments from otrs.
I checked the file system, the files were there, but the owner was otrs:otrs instead of otrs:www-data.
I launched a

sudo chown -R otrs:www-data myAttachmentDirectory

and after that I could see the attachment inside otrs.
I'm not a Linux expert, so I cannot figure out why the created files are owned by otrs:otrs. Can you suggest something to solve the problem?
As already stated, I don't want to change the apache2 user, also because I don't know how to do it!

Thanks
Filippo
OTRS 4.0.1 on Ubuntu Linux and Mysql DB
setecastronomy
Znuny newbie
Posts: 28
Joined: 23 Jun 2014, 11:02
Znuny Version: 3.3.7

Re: ArticleStorageFS and file permission

Post by setecastronomy »

I'm adding an additional note which is obvious for OTRS expert users but may be useful for novices.

In the mail account management page I launched a Run now command. An e-mail with an attachment was downloaded from the POP3 server.
In the file system it is owned by www-data:www-data and its attachment is visible from OTRS.

I think the problem reported in the first post is related to e-mails which enter OTRS through a cron job which runs under the otrs account.
Still investigating it. In the meantime I restarted the server, hoping the problem is due to having changed the otrs group to www-data too late, so that some processes were not aware of it because they were started before.
OTRS 4.0.1 on Ubuntu Linux and Mysql DB
Giulio Soleni
Znuny wizard
Posts: 392
Joined: 30 Dec 2010, 14:35
Znuny Version: 6.0.x and 5.0.x
Real Name: Giulio Soleni
Company: IKS srl

Re: ArticleStorageFS and file permission

Post by Giulio Soleni »

Hi,
the best way to adjust file permissions and ownerships in OTRS is to use otrs.SetPermissions.pl
As suggested by the Ubuntu community and OTRS here: https://help.ubuntu.com/community/OTRS when you define your otrs user, you should then let it belong to the apache group as well.

useradd -r -d /opt/otrs/ -c 'OTRS user' otrs
usermod -g www-data otrs

Once you have checked those conditions (who the otrs user is, who the apache2 user is, and what the main groups of the otrs and apache2 users are), you may run the otrs.SetPermissions.pl script (you must be root), which with the default (for Ubuntu) specifics looks like:

/opt/otrs/bin/otrs.SetPermissions.pl --otrs-user=otrs --otrs-group=otrs --web-user=www-data --web-group=www-data /opt/otrs

OTRS 6.0.x on CentOS 7.x with MariaDB 10.2.x database connected to an Active Directory for Agents and Customers.
ITSM and FAQ modules installed.
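
The ownership mismatch described in the first two posts (article files written by the otrs cron job end up with a group the web server cannot use) can be checked and repaired with a small shell script. This is an added example, not part of the original thread or of OTRS; the function names and the placeholder path are assumptions. It relies on the Linux rule that files created in a setgid directory inherit the directory's group.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the path in the
# usage line are assumptions; use your own ArticleStorageFS directory and
# the group of your web server user.

# audit_article_dir DIR GROUP
# Print every entry under DIR that the web server could not reach through
# group access: wrong group, a file without group read, or a directory
# lacking group r-x or the setgid bit (which makes new files inherit GROUP).
audit_article_dir() {
    find "$1" \( ! -group "$2" \
        -o \( -type f ! -perm -040 \) \
        -o \( -type d ! -perm -2050 \) \) -print
}

# repair_article_dir DIR GROUP
# One-time repair (chgrp, group read/write) plus the persistent part:
# setgid on every directory, so files written later by a process whose
# primary group is different still get GROUP.
repair_article_dir() {
    chgrp -R "$2" "$1" || return 1
    find "$1" -type d -exec chmod 2770 {} + || return 1
    find "$1" -type f -exec chmod 660 {} +
}

# Audit only when called with arguments, e.g.:
#   sh audit_articles.sh /path/to/article-dir www-data
if [ "$#" -eq 2 ]; then
    audit_article_dir "$1" "$2"
fi
```

The setgid bit fixes group ownership only; the mode bits of new files still depend on the umask of the process that writes them.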