OTRS 4 Attachments Folders/Files Owned By otrs:otrs, not otrs:apache

mrhaag
Znuny newbie
Posts: 18
Joined: 17 Jun 2011, 14:27
Znuny Version: 4.0.12
Real Name: Michael R. Haag
Company: Madison County, NY
Location: Madison County, NY

Post by mrhaag »

I have just upgraded to OTRS 4 on CentOS. I am using ArticleStorageFS for Ticket::StorageModule. When OTRS saves the files in /home/otrs/attachments/, the newly created files and folders are owned by the otrs user and group. The owner should be otrs:apache. If the group owner is not "apache", the attachments are not visible to agents and customers in the web interface.

I am running chown -R otrs:apache /home/otrs every minute as a workaround, but this is not good.

How can I make OTRS 4 create the attachments with the "apache" group (rather than the "otrs" group) as owner?
OTRS 5.0.14 on CentOS release 6.7 (Final) with mysql Ver 15.1 Distrib 5.5.47-MariaDB database connected to an Active Directory for Agents and Customers.
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Post by crythias »

They get created as the service that creates it. Among other things, you might want to consider having the Apache user as a member of the OTRS group.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask

Post by mrhaag »

Crythias,

Thank you for the suggestion. On my previous OTRS system (3.2.13 running on Ubuntu), when the attachments were created they were owned "otrs:www-data". I thought the new system is not behaving as it should be, because on that other system, I did not need the www-data user to be a member of the otrs group. Is it now normal behavior for any attachments OTRS creates to be owned otrs:otrs? Adding the user "apache" to the group "otrs" would be an easy workaround and is certainly better than doing a chown every 1 minute via cron, but I generally try not to add users to other users' groups if possible just to avoid any unforeseen security problems in the future.

I can't find anything in the OTRS documentation telling admins they need to add apache into the otrs group, so I do not know if that step is a best practice or a workaround. On the OTRS 4.0.7 installations you maintain, do you find your own attachments are also owned by "otrs:otrs" at the time they are created? If I am seeing something unusual perhaps I have something configured incorrectly.

Post by crythias »

In Linux, files are owned by the user of the service that creates them.

Post by mrhaag »

I double-checked my old otrs system this morning. I used a nightly cron job to change ownership to otrs:www-data on that one, so it seems OTRS has never behaved as I thought it did with regard to file/folder ownership in the /home/otrs/attachments directory. I also added the user "apache" to the group "otrs" on my new CentOS system. The group "otrs" didn't even exist on my new system, so I created it first, then added the user "apache" to it.

Thanks again.

Post by mrhaag »

Crythias,

After adding the user "apache" to the group "otrs" I emailed a new attachment into a ticket. The attachment was not visible on the web interface, so I did a few tests:

I attached a file to the ticket using the "reply" option in the web interface. That attachment showed up immediately.

I checked permissions of the newly created folders on the server and found the following (within /home/otrs/attachments/2015/05/11/ ):

drwxrwx--- 2 otrs otrs 4.0K May 11 12:37 129707
drwxrwx--- 2 apache apache 4.0K May 11 12:38 129708

The directory "129797" owned by "otrs:otrs" is the one I emailed. The directory "129708" owned by "apache:apache" is the one I uploaded using the web interface.

I ran a chown -R otrs:apache on the directories created, and immediately my emailed attachments became visible in the web interface.

I see now that the user/group ownership of files emailed into the system is different from the user/group ownership of files added as new notes via the web interface, but the attachments emailed into the system are still not visible in the web interface without performing chown as a workaround.
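An added example, not part of the thread or of OTRS: a shell check that applies the classic owner/group/other permission rule to `ls -l` lines like the two posted above, reporting which attachment directories a given account cannot open. The function names and the sample listing are constructed here, and ACLs and SELinux are not modelled.

```shell
#!/bin/sh
# Constructed sample, modelled on the two directory lines posted in the thread.
SAMPLE='drwxrwx--- 2 otrs otrs 4.0K May 11 12:37 129707
drwxrwx--- 2 apache apache 4.0K May 11 12:38 129708'

# can_read_dir MODE OWNER GROUP USER "GROUPS"
# Exit 0 if USER, holding the space-separated GROUPS, has both r and x on the
# directory. Exactly one class applies: owner first, else group, else other.
can_read_dir() {
    mode=$1 owner=$2 group=$3 user=$4 groups=$5
    if [ "$user" = "$owner" ]; then
        bits=$(printf '%s' "$mode" | cut -c2-4)
    else
        case " $groups " in
            *" $group "*) bits=$(printf '%s' "$mode" | cut -c5-7) ;;
            *)            bits=$(printf '%s' "$mode" | cut -c8-10) ;;
        esac
    fi
    # s (setuid/setgid) and t (sticky) in the third slot also imply execute.
    case $bits in
        r?[xst]) return 0 ;;
        *)       return 1 ;;
    esac
}

# audit_listing USER "GROUPS"
# Reads `ls -l` lines on stdin and prints each directory USER cannot open.
audit_listing() {
    while read -r mode _links owner group _size _mon _day _time name; do
        case $mode in
            d*) ;;
            *)  continue ;;
        esac
        can_read_dir "$mode" "$owner" "$group" "$1" "$2" || printf '%s\n' "$name"
    done
}

# Web server account holding only its own group: the emailed ticket is blocked.
printf '%s\n' "$SAMPLE" | audit_listing apache "apache"
# Same account once its process also holds the otrs group: nothing is reported.
printf '%s\n' "$SAMPLE" | audit_listing apache "apache otrs"
```

Supplementary groups are fixed when a process starts, so pass the groups the running web server process holds rather than what the group database now lists.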