DDEV experts out there? File permissions always set to "600" instead of "644"

[Stefanowitsch]

Lately I switched from MAMP PRO to DDEV. However since then I noticed some strange behaviour:

Everytime I uploaded a finished project to a webserver, some assets like images, CSS files or JS files all threw the "403" Error when visiting the website.

After a bit of testing I realised that newly created files (like images that are uploaded through an image field) all get CMOD 600 instead of 644. So on my local machine this is no problem, but on a webserver it is!

By the way, this is set in my ProcessWire config:

$config->chmodDir = '0755'; // permission for directories created by ProcessWire
$config->chmodFile = '0644'; // permission for files created by ProcessWire 

I tested the same project with MAMP PRO and there all uploaded and newly created files get the correct permissions - 644. The downside is that MAMP PRO is awfully slow compared to DDEV.... and I really don't want to switch back.

I have absolutely no clue why this is the case? Why do all new files created by ProcessWire get CHMOD 600 instead of 644 - but only in DDEV and not in MAMP?

I did some research and checkt the umask setting inside the DDEV container, which look exactly like it should:

umask 0022

There seem to be some workarounds like running a script to re-alter the file permissions, but that does not solve my problem in the long run:

#!/bin/bash
find /path/to/your/uploads -type f -exec chmod 644 {} \;

 

[wbmnfktr]

Where do you put those projects in your file/folder structure?

Inside your home directory, like: /home/stefan/www/project.tld ?

Could you try placing projects somewhere else, just to doublecheck it's not a problem with the projects' parent folder.

Is there something other you changed?

[Stefanowitsch]

16 hours ago, wbmnfktr said:

Where do you put those projects in your file/folder structure?

Inside your home directory, like: /home/stefan/www/project.tld ?

Could you try placing projects somewhere else, just to doublecheck it's not a problem with the projects' parent folder.

Is there something other you changed?

Hi!

Per default all my web projects are located in my "Websites" folder inside my user folder (I am working on a mac).

For testing I moved my current ddev project into a different folder, unlisted the project from ddev, started it new and I still have the problem that the file permissions are set to 600.

[BitPoet]

Can you try disabling mutagen? Existing ddev issues point towards mutagen as the culprit.

[Stefanowitsch]

On 7/6/2024 at 11:47 AM, BitPoet said:

Can you try disabling mutagen? Existing ddev issues point towards mutagen as the culprit.

THANK YOU!

Disabling mutagen did the trick!

ddev mutagen reset && ddev config global --performance-mode=none && ddev config --performance-mode=none

Now newly uploaded images have the correct permissions: 644.

UPDATE: This is the typical mutagen behaviour:

https://github.com/mutagen-io/mutagen/issues/23#issuecomment-345277107

Quote

The original design was motivated by two factors:

Security: You may be comfortable with a file having 0644 permissions on your laptop, but you may not want those same permissions pushed to a remote server shared by other users.

Portability: Although Go makes an effort to pave over permission bit portability (especially on Windows), it's not perfect, so propagating raw bits doesn't make a lot of sense.

The idea was to follow Git's model: files and folders are always checked out with 0644 or 0755 depending on whether or not they are executable. I chose to restrict to only the user bits of those permissions to avoid security issues.

I still think this model makes sense for new files being sent to a remote machine - you never know what the user/group/other situation is on the other side. So Mutagen will still create new files and directories with 0600 or 0700 depending on executability needs.

But there is a also a way to have mutagen enabled and still get the correct file permissions:

Add this line to your DDEV config.yaml:

upload_dirs:
  - site/assets/files