Symfony 4 file permissions of var directory change every time

Question

I am setting up a new server and installed Ubuntu 18.04 in combination with Apache2. My project is stored in /var/www/project. In apache2.conf I added

<Directory /var/www/project/>
    AllowOverride All
    Order Allow,Deny
    Allow from All
</Directory>

In my virtualhosts file I point to /var/www/project/public When I go to the Ip address of my server I see my project and everything works, except one thing:

whenever I clear the cache with php bin/console cache:clear the permissions of my directory var are messed up which results in errors in the production environment.

I can fix this with:

chmod -R 777 var/

But the problem returns wheneven I clear the cache again. I tried with different users including root, but always the same problem. I do not understand what is causing this. In the documentation on file permissions it says:

In Symfony 3.x, you needed to do some extra work to make sure that your cache directory was writable. But that is no longer true! In Symfony 4, everything works automatically

Well not for me, but what could cause the problem?

Answer 1

The problem

The cache directory is owned by the user executing the cache:clear command.

• Lets say your project files are owned by www-data.
• Clearing the cache with root user
• Cache is owned by root
• www-data can't write in cache directory

Solution

execute cache:clear using the user owning the files.

• Login as www-data: su www-data -s /bin/bash
• clear the cache ./bin/console cache:clear

Depending on your settings, your www-data user may be different

Answer 2

The solution that worked for me (using Symfony 3.x and Ubuntu 18.04) is the one explained in the official site, here: https://symfony.com/doc/3.4/setup/file_permissions.html#using-acl-on-a-system-that-supports-setfacl-linux-bsd

Maybe that solution work also with Symfony 4?

Extract:

3. Using ACL on a System that Supports setfacl (Linux/BSD)

Most Linux and BSD distributions don't support chmod +a, but do support another utility called setfacl. You may need to install setfacl and enable ACL support on your disk partition before using it. Then, use the following script to determine your web server user and grant the needed permissions:

HTTPDUSER=$(ps axo user,comm | grep -E '[a]pache|[h]ttpd|[_]www|[w]ww-data|[n]ginx' | grep -v root | head -1 | cut -d\ -f1)

sudo setfacl -dR -m u:"$HTTPDUSER":rwX -m u:$(whoami):rwX var

sudo setfacl -R -m u:"$HTTPDUSER":rwX -m u:$(whoami):rwX var

Note: The first setfacl command sets permissions for future files and folders, while the second one sets permissions on the existing files and folders. Both of these commands assign permissions for the system user and the Apache user. setfacl isn't available on NFS mount points. However, storing cache and logs over NFS is strongly discouraged for performance reasons.

Personal hint:

sudo apt-get install setfacl may says "unable to find setfacl".

If so:

• check if setfacl is present: setfacl -h
• setfacl is part of the acl package, so install acl if missed