Provision ACL

This section documents the Provision ACL extension to Aegir, which allows more granular access control over your sites' files and directories. While this extension does not ship with Aegir by default, it can be extremely useful in securing access to resources on the CLI.

Install instructions

Most (if not all) of these commands will have to be run as root (or using sudo, etc.)

Install provisionacl

First, download and install provisionacl:

drush dl provisionacl
drush cc drush

Install ACL support package

ACL support usually requires the installation of a system package:

apt-get install acl

Enable ACLs on your filesystem

To enable ACLs on your filesystem, it has to be re-mounted with ACL support:

mount -o remount,acl /

This assumes everything is under the root (/) filesystem; otherwise run this command for every filesystem Aegir works on (e.g. /srv, /var or /home).

You also need to add the acl option to the relevant entries in /etc/fstab so that this configuration survives reboots.

Create a UNIX group

In this case we choose a group called "devs" but you can choose another name.

groupadd devs

Add users to the group

Add the UNIX users you want to grant access to that group. For an existing user, this looks like:

usermod -a -G devs <username>

For a new user, this looks like:

useradd -G devs <username>

Create a client

Create a client (should be called "devs" for this example) in the frontend at /node/add/client. The client name (in the front-end) and the user group (on the system) should match. Each new client that you want to grant such CLI access to will require its own user group.

Create a site

Create a site for the client in the frontend at /node/add/site.

What ProvisionACL does

When the site is installed, members of the "devs" group will be able to write to the site's directories (e.g. upload files and modules) and run drush commands on the site (yes, including site aliases, although see the caveats below).

This also works for existing sites: create a group matching the internal name of the existing client and re-verify the site.
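
As an added example (not part of the Provision ACL documentation or the extension's own code), the following POSIX shell helpers cover two of the steps above: adding the acl mount option to /etc/fstab so it survives reboots, checking that a filesystem really honours ACLs, and granting a group such as "devs" write access to a site tree with ACLs, which approximates what the extension automates per site. The group name, the site path and the output file /etc/fstab.new are assumptions.

```sh
#!/bin/sh
# Added example for this page, not code from the provisionacl extension or Aegir.
# Mount points, the group name and the site path are constructed placeholders.

# Read an fstab on stdin and print it with "acl" added to the options column
# (4th field) of every entry for mount point $1. Entries that already carry the
# option, comment lines and short lines pass through unchanged.
#   usage: fstab_enable_acl / < /etc/fstab > /etc/fstab.new
fstab_enable_acl() {
    awk -v mp="$1" '
        /^[[:space:]]*#/ || NF < 4 || $2 != mp { print; next }
        {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "acl") { print; next }
            $4 = $4 ",acl"
            print
        }'
}

# Prove that the filesystem holding directory $1 honours ACLs: set an entry on a
# scratch file and read it back with getfacl. Returns 0 on success, 1 if ACLs
# are not supported (typically the "acl" mount option is missing), 2 if the
# directory is not writable. Needs the acl package (setfacl/getfacl).
acl_supported() {
    tmp="$1/.acl-probe.$$"
    : > "$tmp" || return 2
    if setfacl -m u:root:r "$tmp" 2>/dev/null &&
       getfacl "$tmp" 2>/dev/null | grep -q '^user:root:r--'; then
        rm -f "$tmp"; return 0
    fi
    rm -f "$tmp"; return 1
}

# Grant group $1 read/write access to the tree at $2 with ACLs instead of
# changing ownership. "X" grants execute only on directories and on files that
# are already executable; the default (d:) entry on each directory makes files
# created later (for example by the aegir user) inherit the same group access.
# Fails before touching anything if the group does not exist.
grant_group_acl() {
    group="$1"; path="$2"
    getent group "$group" >/dev/null 2>&1 || { echo "no such group: $group" >&2; return 1; }
    setfacl -R -m "g:$group:rwX" "$path" || return 1
    find "$path" -type d -exec setfacl -m "d:g:$group:rwX" '{}' + || return 1
}

# Typical use, as root, with a constructed site path:
#   acl_supported /var/aegir || echo "remount with -o acl first"
#   grant_group_acl devs /var/aegir/platforms/example/sites/example.com
#   getfacl /var/aegir/platforms/example/sites/example.com
```

The fstab helper writes to stdout on purpose: inspect /etc/fstab.new before moving it into place, since a malformed fstab can leave the system unbootable. Granting access by ACL rather than chown keeps the aegir user as owner, so Aegir's own permission handling is not disturbed.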

LDAP integration

Provisionacl supports LDAP groups as well. Ensure that an LDAP client is running and that the 'aegir' user can see the LDAP-provided groups:

getent group

You may need to restart the Name Service Cache Daemon (nscd):

/etc/init.d/nscd restart

ProvisionACL API

ACL support can be integrated into contrib or custom Aegir extensions.

To change ACLs on files, you should use something like this:

if (function_exists('provisionacl_files_acls')) {
  // Only touch ACLs when the extension is installed; the group is derived from the site's client.
  provisionacl_files_acls(d()->site_path . '/mysettings.php');
}

You can optionally pass a group as an argument; otherwise it is derived from the client name of the site. Also note that this raises a drush error if setfacl fails, but only a warning if the group doesn't exist.

Caveats (i.e. what it does not do)

Giving shell access to users in Aegir is still insecure; see this upstream issue.

We may refactor this into Aegir core in the future, but in the meantime this should provide a good workaround for the limitations of the existing permission system.

You may need to change your $HOME variable for aliases to work, because of this bug in Drush. Example:

env HOME=/var/aegir drush @hostmaster cc all

See also this post for context and design.