Question

Here is the scenario:

I have a web application (php, mysql) which writes pdf files to a given directory: /var/www/myapp/tmp. I then use Gearman (worker php script run from terminal) to generate preview images from these pdf files. The worker script has access to the tmp directory at /etc/mount/tmp which is either symlinked to the /var/www/myapp/tmp directory (if the worker script runs on the same server as myapp) or mounted there using NFS (if the worker script runs on a different server).

The app creates subfolders in tmp with chmod 0777, in these subfolders the pdf files are placed. The worker grabs the file from the shared tmp directory (no problem there), generates a preview image, and should then write the preview image to the shared tmp directory.

The problem

I have this problem when I run everything locally (client, jobserver, worker), so with the symlinked tmp folder:

The subdirectory is not writable so I can't write the result and the worker fails.

Now the pdf files were written by the web app/gearman client and are owned by user _www. The worker script doesn't run through apache and is run under a different owner (me, logged in at the terminal), which gives me these permission problems I suppose.

I don't really understand why the folder isn't writable since I created it using 0777 permissions. Can the symlink have something to do with this?

In any case I don't know how to adequately fix this problem so both client and worker can work within the same folder without having permission problems. Can anyone help?


UPDATE

The first problem seemed to be the umask: if I set that to 0, the folders are writable, but this still forces me to set the permissions to 0777. How can I approach this more securely?


Solution

I ran into a similar situation where I needed apache and other services to write to the same folder. So I opted to add all necessary users to a 'filer' group, then gave rwx perms to the filer group on the folders that needed them.

mpurcell@service1 ~ $ -> id apache
uid=48(apache) gid=48(apache) groups=48(apache),507(filer),509(logger)

mpurcell@service1 ~ $ -> id mpurcell
uid=500(mpurcell) gid=502(mpurcell) groups=502(mpurcell),10(wheel),501(webdev),507(filer),509(logger)

mpurcell@service1 ~ $ -> ls /home/db/permfile/
total 12
drwxrwsr-x. 3 filer filer 4096 Feb 13  2012 .
drwxrwxr-x. 4 filer filer 4096 May  5  2012 .. 
drwxrwsr-x. 6 filer filer 4096 Dec 24 00:41 app

I haven't toyed around with Gearman yet, but in your specific instance, whichever user the worker runs as, as well as the gearman service, will also need to be added to the filer group.
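
The shared-group layout from the answer above (group rwx plus the setgid bit, the "s" in drwxrwsr-x), next to the umask effect from the question, as an added example that is not part of the original post. The variable SHARED_GROUP, the function names and the job42/preview.png paths are assumptions made up for the demo; subdirectories inheriting the setgid bit is Linux behaviour.

```shell
#!/bin/sh
# Added example: group-writable shared directory with setgid instead of 0777.
# Assumption: SHARED_GROUP stands in for a dedicated group such as 'filer'.
# It defaults to the caller's own primary gid so the demo runs without root.
SHARED_GROUP="${SHARED_GROUP:-$(id -g)}"

# Print the 10-character mode string of a path, e.g. drwxrwsr-x.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# What the web app effectively did: a requested 0777 is masked by the
# default umask 022, so group and others lose write access.
make_masked_dir() {
    ( umask 022; mkdir -p "$1" )
}

# Shared root: owned by the shared group, rwx for owner and group, setgid
# so that everything created below it inherits the group.
make_shared_dir() {
    mkdir -p "$1" && chgrp "$SHARED_GROUP" "$1" && chmod 2775 "$1"
}

# A group member (web app or worker) writing with umask 002:
# new directories come out 775 (+ inherited setgid), new files 664.
write_as_member() {
    ( umask 002; mkdir -p "$1/$2" && : > "$1/$2/$3" )
}

demo() {
    base=$(mktemp -d) || return 1
    make_masked_dir "$base/plain"
    make_shared_dir "$base/shared"
    write_as_member "$base/shared" job42 preview.png   # constructed names
    echo "mkdir under umask 022:  $(mode_of "$base/plain")"
    echo "shared root:            $(mode_of "$base/shared")"
    echo "job dir inside it:      $(mode_of "$base/shared/job42")"
    echo "file inside job dir:    $(mode_of "$base/shared/job42/preview.png")"
    rm -rf "$base"
}

demo
```

On a real host, set SHARED_GROUP to the dedicated group and make sure both the web server user and the worker user run with umask 002; neither then needs world-writable directories.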

License: CC-BY-SA with attribution
Not affiliated with StackOverflow