I know my question is similar to old ones answered many times. But stil, I don't understand why the following behavior. I'm on centos 7.9 with php 5.4.16.
Being the user, I can execute mkdir('/tmp/mydir', 0775) correctly
drwxrwxr-x 3 john john 60 20 déc. 09:30 mydir
When excuting as apache with sudo -u apache the php script either on CLI or with as an http request, I end up with
drwxr-xr-x 3 apache apache 60 20 déc. 09:22 mydir
And a sudo -u apache with chmod('./depth1',0775); works. The behaviour is similar when I do this is a directory that I own where apache has write mode or even in a directory belonging to apache. The fact that I belong to apache group, and apache belongs to my group does'nt change either when making the test in a directory I own and where group has write rights.
Related
I've recently been learning to build images and containers with Docker. I was getting fairly confident with it when using a Mac, but recently switched to Ubuntu, I'm fairly new to this side of development.
I'm using a standard new Laravel project as my "code", and am currently just using a php container and nginx container.
I'm using a docker-compose.yml file to create my containers:
version: "3.1"
services:
nginx:
image: nginx:latest
volumes:
- ./code:/var/www
- ./nginx_conf.conf:/etc/nginx/conf.d/default.conf
ports:
- "80:80"
php:
image: php:7.3-fpm
ports:
- 9000
volumes:
- ./code:/var/www
There may or may not be a mistake in the code above just because I've just typed it out rather than copy and pasting - but it works on my machine.
The problem is:
php-fpm is configured with --with-fpm-user=www-data and --with-fpm-group=www-data, and that's set in the php:7.3-fpm Dockerfile (see here).
The files on my host machine, are saved with my user name and group as owner / group.
When I go into the container, the files are owned by 1000 and group 1000 (I assume a mapping to my user account and group on the host machine?)
However, when I access the application through the browser, I get a permission denied error on start up (when Laravel tries to create an error log file in storage). I think this is because php-fpm is running as www-data, but the storage directory has permissions drwxr-xr-x for owner / group phil:phil - my host owner and group.
I've tried the following, after hours of googling and trials:
Recursively change the owner and group of the code directory on the host machine to www-data:www-data. This allows the Laravel application to work, but I now cant create or edit etc files on the host using PHPStorm, because the directory is read-only (I guess because phpstorm is running as my user, and directory is owned by a different user / group).
I've added my host user account to the www-data group, and granted write permissions to the group using sudo chmod -R g+w ./code, which now allows the application to run the application, and for phpstorm to write, execute etc files, but when i create or edit a file, the files ownership and group change back to my host phil:phil, and I guess this would break the application again.
I've tried to create a php image, and set the env (as described in the link above) to configure with --with-fpm-user=phil --with-fpm-group=phil, but after building, it doesn't change anything - it's still running with www-data (after reading a github issue I think this is because envs cant be changed until later, at which point php is already configured?) (see github issue here)
I'm running out of ideas to try. The only other thing I can think of, is to recursively set owner and group of the code directory on my host to www-data and try run phpstorm as www-data instead, but that feels weird (Update: I tried to open phpstorm as www-data user, using sudo -u www-data phpstorm.sh, but i get a java exception - something to do with graphics -so this approach is unfeasible as well)
Now the only thing I can think of to try is to create a new php image from alpine base image and bypass php's images completely - which seems like an awful lot of inconvenience just because the maintainers want to use ENV instead of ARG?
I'm not sure of best practice for this scenario. Should I be trying to change how php-fpm is run (user/group)? should I be updating the directory owner/group on my host? should I be running phpstorm as a different user?
Literally any advice will be greatly appreciated.
#bnoeafk I'll just post this as a new answer although it has basically been said already. I don't think this is hacky, it works basically like ntfsusermap, certainly more elegant than changing all file permissions.
For the Dockerfile:
FROM php:7.4-apache
# do stuff...
ARG UNAME=www-data
ARG UGROUP=www-data
ARG UID=1000
ARG GID=1001
RUN usermod --uid $UID $UNAME
RUN groupmod --gid $GID $UGROUP
Every user using this image can pass himself into it while building: docker-compose build --build-arg UID=$(id -u) --build-arg GID=$(id -g)
ran into the same problem a few weeks ago.
what actually happens is that your host and your container are sharing the same files via the volume, therefore, they also share the permissions.
in production, everything is fine - your server (the www-data user) should be the owner of the files, so no problem here. things get complicated in development - when you are trying to access those files from the host.
i know a few workarounds, the most hacky one seems to be to set www-data uid in the container to 1000, so it will match your uid in the host.
another simple one is to open 777 full permissions on the shared directory, since its only needed in the development build - (should never be done in production though, but as i mentioned before, in production you dont have any problem, so you must seperate the 2 processes and do it only in development mode)
to me, the most elegant solution seems to be to allow all group members to access the files (set 770 permissions), and add www-data to your group:
usermod www-data -a -G phill #// add it to your group
chown -r phill ./code #// make yourself the owner. might need sudo.
chmod 770 ./code #//grunt permissions to all group members
You have many options depending on your system to do this, but keep in mind you may have to restart your running process (php-fpm for example)
Some examples on how to achieve this: (you can run the commands outside the container with: docker container exec ...)
Example 1:
usermod -g 1007 www-data
It will update the uid of the user www-data to 1007
Example 2:
deluser www-data
adduser -u 1007 -D -S -G www-data www-data
It will delete the user www-data and recreate it with the uid 1007
Get pid and restart process
To restart a a running process, for example php-fpm, you can do it that way:
First get the pid, with one of the following command:
pidof php-fpm
ps -ef | grep -v grep | grep php-fpm | awk '{print $2}'
find /proc -mindepth 2 -maxdepth 2 -name exe -lname '*/php-fpm' -printf %h\\n 2>/dev/null | sed s+^/proc/++
Then restart the process with the pid(s) you got just before (if your process support USR2 signal):
kill -USR2 pid <-- replace pid by the number you got before
I found that the easiest way is to update the host or to build your container knowing the right pid (not always doable if you work with different environments)
Let's assume that you want to set the user of your PHP container and the owner of your project files to www-data. This can be done inside Dockerfile:
FROM php
.
.
.
RUN chown -R www-data:www-data /var/www
USER www-data # next instruction might face permission error if this line is not at the end of the dockerfile
The important fact here is that the original permissions in the Docker host are corresponded to the permission inside the container. Thus, if you now add your current user to www-data group (which probably needs a logout/reboot to take effect), you will have sufficient permission to edit the files outside the container (for instance in your IDE):
sudo usermod -aG www-data your_user
This way, the PHP code is permitted to run executables or write new files while you can edit the files on the host environment.
Python script is run through shell_exec command, but produces no output.
By no output I mean no errors, and when directed to output to file, the file is created, but is blank.
What does work:
Running this script as any other user
Running this script as apache using sudo -u apache ...
Other shell_exec commands run as apache
Other Python scripts run as apache in the same originating directory
Other Python scripts run using shell_exec in the same PHP script that output to the same folder
The only difference between the scripts that work and the one that doesn't is the use of import to load modules.
UPDATE: Looks like it's a permissions issue, but I can't figure out why
/usr/local/bin/python2.7: can't open file '/var/www/scripts/script.py': [Errno 13] Permission denied
Script location: /var/www/scripts
/var
drwxrwxr-x. 20 root apache 4096 Oct 26 00:04 var
/var/www
drwxrwxr-x. 8 root apache 4096 Oct 13 13:55 www
/var/www/scripts
drwxrwxrwx. 2 apache apache 4096 Oct 27 01:26 scripts
/var/www/scripts/script.py
-rwxrwxrwx. 1 apache apache 1315 Oct 27 09:25 script.py
UPDATE: F*****g SELinux.
Temporarily disabling SELinux with setenforce Permissive resolves the issue. What is the best approach to make SELinux let Apache run this script from this directory permanently?
I don't have too much experiences with servers but I've tried to do something ;)
I have my WP webpage on amazon EC2 and
I wanted to edit some settings in php.ini through filezilla (sftp) But I had to set permissions to my user:
sudo chown -R ec2-user:ec2-user /etc
But now I can't even restart apache or set back permissions to root
If i try to do something like this:
sudo chown -R root:root /etc
or
sudo systemctl restart apache2.service
I see this information:
"sudo: /etc/sudo.conf is owned by uid 500, should be 0 sudo: /etc/sudoers is owned by uid 500, should be 0 sudo: no valid sudoers sources found, quitting sudo: unable to initialize policy plugin"
What can I do?
You should never do sudo chown -R ec2-user:ec2-user /etc. You have modified the permission settings of your entire /etc directory.
/etc is a very important folder for your operating system that's why you're getting the error.
launch a new instance and backup your source code from your previous instance and re-upload the code. let me know if you have any issues.
I'm not understanding why you can't modify your php.ini file? You need to ssh into the server and edit the file. If you can't do that, you need to move the file to the ftp folder where it's permissible, modify the file and put the file back to it's original location and restart apache.
Furthermore, I recommend you use Ubuntu for your Wordpress server rather than using Centos or Amazon Flavour of Linux.
log into putty as ec2-user
sudo su
[root#ip-yoursite- home]
now for php 5.0 sudo vim /etc/php.ini
for php 7.0 use sudo vim /etc/php-7.0.ini
press i and now search for upload_max_filesize =100M , post_max_size=100M
(change as per your requirement)
press esc ,now save and exit use this command:wq
restart your apache server
sudo service httpd restart
The short answer is that chown -R is recursive and there are lots of utilities and other files and programs required for various operations, including sudo and su. Root is a special user with uid 0, and that user has greater permissions, and the ability to perform certain operations, that ec2-user cannot. This means that undoing what you have done is not simple or straightforward.
This is why the answers provided so far focus on a reinstallation of the operating system, which is what I would also recommend. It is likely faster.
Another part of this answer is to not try and sftp into the server to change core files. It would require having an sftp login land at the root (or /etc) directory, and that is not a common configuration.
Instead, use sftp or scp to copy changed files to a user directory, and them move them from a command prompt (ssh/bash shell). For simple textfile editing, it is easier to use a command line text editor such as nano which is more user friendly than some of the older editors.
As well, the file itself does not nor should it have its permissions changed, rather, once logged in, use sudo or su to perform the operations. Example:
ssh ec2-user#host.domain.tld
sudo su
nano /etc/php.ini
Imagine that you have a series of boxes, each with two numbers inside. These numbers are mostly 0:0 but could be any whole numbers up to 2^31-2.
The numbers are independent, so 0:0 and 0:42 are both possible. Your -R flag recursively changes all of these numbers in all of the boxes to the same pair.
This loses information. (Without a backup) there is no easy way to know what the numbers in the boxes were before you ran the command.
If you have a matching, (or very similar) server you might be able to restore most of the permissions using rsync, or use a script to record the uid:gid of each file on the working server into a log file and then use that to correct the permissions on the broken server.
ls -n
will show you the numerical values for uid and gid (3rd and 4th column on my linux servers.)
There are two options.
Create a new instance on Amazon. Check the file permissions on the new machine.
cd /etc
ls -lrt
This should give result like this
-rw-r--r-- 1 root root 2064 Nov 24 2006 netscsid.conf
-rw-r--r-- 1 root root 1343 Jan 10 2007 wodim.conf
-rw-r--r-- 1 root root 624 Aug 8 2007 mtools.conf
-rw-r--r-- 1 root root 2570 Aug 5 2010 locale.alias
-rw-r--r-- 1 root root 356 Jan 2 2012 bindresvport.blacklist
-rw-r--r-- 1 root root 349 Jun 26 2012 zsh_command_not_found
Set the same permission on old EC2 instance one by one.
Example
chown -R root:root netscsid.conf
You could create a new setup.
PS: for future, You could use this command for changes in php.ini file rather than changing owner or permission.
sudo vim /etc/php5/apache2/php.ini
No need to change ownership of the folder that contains the php.ini file.
Aim: Grant permission to user 'ec2-user' so that FileZilla can write to /etc folder which contains the php.ini file.
Doing this we can rename the original php.ini file and replace the php.ini file with a modified copy.
Steps:
Login to ec2 instance via 'Putty'
Navigate to the folder that has the php.ini file
example:
cd ../
Use:
ls -l
to list files nd folders with their permissions
Look for the line that shows the folder that contains the php.ini file
somthinng like this:
drwxr-xr-x 80 root root 4096 Jul 11 08:15 etc
Change permissions of this folder:
sudo chmod 777 etc
(NOTE:Change it back to the original permissions later)
Use:
ls -l
to see the change
Restart Apache:
sudo service httpd restart
Now FileZilla will have permission to that folder,
rename the origial php.ini file to revert back in future
replace the php.ini file with a modifided copy
Check ur site(a page which has errors) after a minute, the errors will be displayed.
I've uploaded some php scripts to my server under /php directory and sub directories.
When using my root user in terminal and running php file.php it execute it perfectly, but when trying to reach the same file through the browser - nothing happens...
I guess it something to do with permissions.
I've tried chmod 755 phpdirectory but it doesn't work..
what else should i do in order to give the browser user the ability to run php scripts ?
Update
I'm using FreeBsd system with apache and Direct Admin on it.
Can some one please guide me to where to check the settings ?
Usualy All webb access to a file is done through a specific user (eg. www-data) in order for the file to be reachable through web www-data needs permission to reach the code. How you setup that depends on what system the server is running.
Also the server document_root needs to be setup correctly. Where you do this also depends on what server you are runnning.
EDIT after update question.
In apache this is normally done through the file /etc/apache/sites-avalible/your_site
If the server only serves one page you can do this in http.conf
Check whether the User directive inside httpd.conf file is same as the user you used to ran the PHP script.
You need to make sure your PHP scripts have same user and group as you configured in Apache configuration(/etc/httpd/httpd.conf in CentOS 6.4).
# User/Group: The name (or #number) of the user/group to run httpd as.
User apache
Group apache
Check the owner and group of your PHP directory and files. In this case owner and group (root/root) are not same as Apache User and Group.
# ls -alh
total 516K
drwxr-xr-x. 5 root root 4.0K Aug 29 17:57 .
drwx------. 5 root root 4.0K Jun 24 12:06 ..
-rwxr--r--. 1 root root 356K Jul 7 2012 index.php
To change the owner and group of your PHP directory. Use the following command.
# chown -R apache:apache www
I am creating a web application. Part of the functionality is depending on that the user can start/stop a cronjob that imports emails.
It doesn't work.
Just to make sure I'm on the right track, as a starter I just want to make 'crontab -l' from php to work and print it to the web browser.
This is how I do it (handle_email_cronjob.php):
$output = shell_exec('crontab -l');
echo $output;
but all I get is nothing. (doing shell_exec('ls -l'); gives me the list of files/dir in the directory)
cat error_log:
'/var/spool/cron' is not a directory, bailing out.
Well, it is a directory no matter what the error log say. ls -Z /var/spool:
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 cron
SELinux is on and I don't want that to change.
ls -Z /var/spool/cron:
-rwxrwxrwx. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 apache
-rw-------. root root unconfined_u:object_r:cron_spool_t:s0 root
it's apache that should be used. (I did try setting cron_spool_t to apache, but still didn't work.)
ls -Z handle_email_cronjob.php:
-rwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_script_exec_t:s0 handle_email_cronjob.php
I just have a gut feeling that it is related to SELinux, but I can't figure out how to fix it.
What is the problem and how can I fix it? (or is there a better approach for doing this than my?)
After learning how to troubleshoot SELinux I realized that I had to label /var/spool/cron so httpd can read/write to that directory:
chcon -R -t httpd_sys_script_rw_t /var/spool/cron
References:
Understanding audit.log
Troubleshoot SELinux