A common practice for Sugar Developers to work around file permission issues is to make everything writable to the web user. In practice, this does not cause any functional issues and is an easy way to avoid problems. But this is not desirable in production or sensitive environments from a security point of view because it violates the principle of least privilege. So Developers should really familiarize themselves with setting up secure file permissions for their web servers since this will be more in line with real production environments.
Here are some tips for working with extended file system permissions on your Sugar deployments from Jelle Vink our Security Architect.
Using extended File System ACLs
To have more granular control there is an option to use extended file system access controls. Normally Linux file systems are mounted with extended attribute support by default. The common file systems all support this (ext2, ext3, ext4, reiserfs, btrfs, jfs, etc) so it is worth investigating this approach if your environment supports it.
You can use the setfacl, getfacl and getfattr commands for extended access control which means that you can actually assign more than one user and/or group to a file or directory and set specific access permissions for each one of them. More information about these extended attributes can be found on the web.
Configuring default Sugar file system permissions
Sugar does not always use same routines to create files and directories. Some use raw fopen to access the file system but most accesses go through sugar_file_utils functions. When the latter are used, the following settings apply for newly created directories and files.
These settings can be configured in config_override.php to allow control over how default file permissions are set:
$sugar_config['default_permissions']['user'] = 'user_goes_here'; //Empty by default
$sugar_config['default_permissions']['group'] = 'group_goes_here'; //Empty by default
$sugar_config['default_permissions']['dir_mode'] = 02770; //(*)
$sugar_config['default_permissions']['file_mode'] = 0660; //(*)
(*) use octal notation, so these integer values look like 1528 and 432 respectively.
You can see for directories that setgid is enabled then, by default, you will ensure new files created in that directory inherit the directory's group instead of the user's default group.
You can see that the default permissions are 0660 for files. This ensures that files are readable by the Apache (or web) group.
There is a catch for files created outside of sugar_file_* functions. Those will use the system umask which is often set to 0022. In this case, by changing the umask for web server user to 0002 will result in a file permission that matches the Sugar application default (0660).
Sugar Cron user
Another important check is to see whether the user which is used to run Sugar cron is properly set up. When running cron, there is always a chance that some changes are written to the file system. For example, part of the cache may need to be rebuilt as part of a scheduled task. If you schedule to run cron.php as root user then any files created during that process will be owned by root instead of the web server user which can cause a lot of headaches when the web server tries to access these files.
The proper setup of users and groups is an essential server administration skill. In combination with the possibility of having extended attributes, the permission configuration in $sugar_config, and ability to use setgid on directories you should be able to perform any complex setup to meet security requirements.