I want the user to be able to read and edit files in the test folder, these files are always created by a software with read-only properties.
I can't use the chown command manually, so I need a chown command that can work in PHP before the user's read and write commands automatically.
Manual ok:
root#vultr: chown -R nginx /var/www/html/test //run ok, All files in the test folder can be read and written
root#vultr:~# /var/www/html/test/test.sh //run ok, the test.sh file contains the "chown -R nginx command /var/www/html/test"
My php code but not working
shell_exec('./test.sh');
chown('file_webuser', 'nginx');
The chown (change owner) won't work for a non-root user. What you really need to do is to grant the user (I assume it's nginx) full permissions to the files.
It can be achieved in a few ways. The most secure way is to run PHP (I'm guessing PHP is running as PHP-FPM) as the nginx user by editing the user and group params in your php-fpm.conf file and restarting the PHP service.
In such case, the owner of files will be the same, so no file permission manipulation is needed. You'll need to change ownership of all files generated/uploaded by PHP to nginx once (using root user and chown command).
The second solution is to add the user who's running PHP-FPM to the same group as the nginx user and modify umask so the files are accessible to a group. Let's say that the group would be www-data (you have to add nginx user and the PHP-FPM process owner to that group, for example with usermod command, and edit your php-fpm.conf: set group to www-data). Then in your PHP scripts use umask function to allow all members of group to have full access to files: umask(0007);.
The third, least secure way is to give full access to your files for all users in the system. Use umask function in your PHP file to achieve this: umask(0000);
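Added example, not part of the original answer: the shell umask below follows the same rule as PHP's umask(), so it shows which modes new files and directories get under the second (0007) and third (0000) options. It assumes GNU stat (`stat -c`); the function names are hypothetical.

```sh
#!/bin/sh
# Added example: which permission bits survive a given umask.

# Print the octal mode a new file ("file") or directory ("dir") gets under umask $1.
mode_under_umask() (
    tmp=$(mktemp -d) || exit 1
    umask "$1"
    if [ "$2" = dir ]; then mkdir "$tmp/new"; else : > "$tmp/new"; fi
    mode=$(stat -c '%a' "$tmp/new")    # GNU coreutils stat (assumption)
    rm -rf "$tmp"
    printf '%s\n' "$mode"
)

# Classify an octal mode by who holds the write bit.
who_can_write() {
    m=$((0$1))                          # leading 0 makes the value octal
    if [ $((m & 0002)) -ne 0 ]; then echo everyone
    elif [ $((m & 0020)) -ne 0 ]; then echo owner+group
    else echo owner
    fi
}

# 0022 is a common default; 0007 and 0000 are the values from the answer.
for mask in 0022 0007 0000; do
    f=$(mode_under_umask "$mask" file)
    d=$(mode_under_umask "$mask" dir)
    printf 'umask %s: file %s, dir %s, writable by %s\n' \
        "$mask" "$f" "$d" "$(who_can_write "$f")"
done
```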
This is because the root user probably has privileges to manipulate these files created by Nginx etc.
If PHP is not the owner of those files, you can put it in the authorized group that has the desired access to them.
Use the exec() in PHP so your code will look like:
exec("chown -R nginx /var/www/html/test");
I have a codeigniter project that runs on xampp. When I run the php command mkdir I get the error "Permission denied". It turns out that the php user and the computer user don't have the same name. So I changed the following lines in the httpd.conf file
User daemon
Group daemon
to
User username
Group daemon
To match my username. Now I got this problem fixed, but that creates a permission error in another part of the code. Which is strange, because I run the same project on another machine with the same settings and it works. Can you point me in the right direction?
The User directive specifies which linux user the httpd process should use to run as. This means the httpd process will do everything as if that user (in this case, you) is doing it. If you don't have permissions to do something, the httpd process won't be able to do it and you will see an error.
To fix this, you need to fix the permissions on the files/folders/commands the httpd process (and php) needs. You can either:
grant full permissions to the daemon group on the file/folder you want: chgrp daemon /path/to/file; chmod g+rwx /path/to/file
grant full permissions to the specific user on that file/folder: chown username /path/to/file; chmod u+rwx /path/to/file
grant full permissions to everyone (probably not recommended): chmod o+rwx /path/to/file
If the process doesn't need to write at that location (mkdir, create or change files, ...) then don't grant write permissions, if it doesn't need to execute (run a command, read a folder's contents) then don't grant execute permissions.
Dedicated Linux server running Debian LAMP.
I run a PHP script (using a browser) which creates a directory (and various sub directories) in a folder on the same server for subsequent shared use using Dropbox.
The directories are created in /home/dropbox/New_Project_Name/new_folders and should be owned by the user 'dropbox'.
However running the php script causes the newly created directories generated by the script to be owned by 'www-data'
What is the best way of either running the php script from the browser so that it generates the new directories with ownership of user and group 'dropbox', or subsequently running a script to check for www-data ownership and recursively changing files and directories to 'dropbox'?
Many thanks for any help.
Not tested, but after creating the folder, you can run another line of code to change the owner/group
// define user and group
$owner = "dropbox";
$group = "dropbox";
$folder = "/home/dropbox/New_Project_Name/new_folders";
// change the owner and group
chown($folder, $owner);
chgrp($folder, $group);
Keep in mind, that it might throw an error, because there are subfolders and the operation fails. A while loop should solve the problem.
There might be issues with the permissions, up to the server-config
There is another way to run it recursively with the "exec" command.
You can go like this:
exec("chown -R " . escapeshellarg($owner . ":" . $group) . " " . escapeshellarg($folder));
This will change user and group for the folder and all sub-folders. But beware,
using system is "dangerous". You can run any shell-commands. Don't play around with it too much.
OK - finally got this working (thanks everybody) by adding the following to my /etc/sudoers
www-data ALL=(ALL) NOPASSWD: /bin/chown, /home/sites/public_html/change_owner.php
The contents of the PHP file were as in the answer from DasSaffe
Here are 3 options:
Use suEXEC.
Connect to localhost ftp as user dropbox and create directories and files this way.
Set up sudo so www-data user can execute this as root without password prompt: sudo chown -R dropbox /path/to/dir, then just use php's exec function.
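Added example, not part of the original answers: a narrower form of the sudo setup discussed above, where www-data may run only one root-owned wrapper that accepts a project name and nothing else, instead of /bin/chown with arbitrary arguments. The wrapper path and function names are hypothetical; /home/dropbox and the dropbox user come from the question.

```sh
#!/bin/sh
# Added example (hypothetical wrapper, e.g. /usr/local/sbin/fix-dropbox-owner,
# owned by root and not writable by www-data).
# sudoers entry that allows this script and no other command:
#   www-data ALL=(root) NOPASSWD: /usr/local/sbin/fix-dropbox-owner
BASE=/home/dropbox

# Print the resolved directory for project "$2" directly under base "$1",
# or fail. Only letters, digits, "_" and "-" are accepted in the name.
resolve_project() (
    base=$1 name=$2
    case $name in
        ''|*[!A-Za-z0-9_-]*) exit 1 ;;   # rejects "/", "..", spaces, etc.
    esac
    # Must be a real directory, not a symlink pointing somewhere else.
    [ -d "$base/$name" ] && [ ! -L "$base/$name" ] || exit 1
    real_base=$(cd "$base" && pwd -P) || exit 1
    real=$(cd "$base/$name" && pwd -P) || exit 1
    [ "$real" = "$real_base/$name" ] || exit 1
    printf '%s\n' "$real"
)

fix_owner() {
    target=$(resolve_project "$BASE" "$1") || {
        echo "rejected: $1" >&2
        return 1
    }
    # -h: change symlinks themselves, never the files they point to.
    chown -R -h dropbox:dropbox "$target"
}

# Run only when called with exactly one argument (the project name).
if [ $# -eq 1 ]; then
    fix_owner "$1"
fi
```

From PHP the call would then be `sudo /usr/local/sbin/fix-dropbox-owner <project>` with the project name passed through escapeshellarg().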
I have a PHP script which runs in first server and it curls the PHP file which is on the second server.
$service_url = 'http://example.com/version_check.php?f_path='.$path;
On the second server, that PHP file (version_check.php) reads the files in /var/www directory and processes it.
Now I want to know how to access /var/www directory with root privileges.
I need root privileges because I am doing some fwrites in that directory.
If you’re using the default configuration on Ubuntu, you’ll have a user and group named www-data that your web server runs as. If you want to be able to write to a particular file, chown it to www-data:
$ chown www-data:www-data /var/www/my-file
Alternatively, keep the current ownership, change the group, and make it group-writable:
$ chgrp www-data /var/www/my-file
$ chmod g+w /var/www/my-file
As a last resort if you don’t want to change the ownership or group, make it world-writable:
$ chmod a+w /var/www/my-file
But this is a bad idea—any service on your system, good or bad, can modify the file, rather than just your web server. You should avoid it if you can.
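Added example, not part of the original answer: a check for entries under a web root that are already world-writable, and a fix that swaps world write for group write as the answer recommends. The function names are hypothetical, and the group is assumed to have been set beforehand (for example with chgrp -R www-data as root).

```sh
#!/bin/sh
# Added example: audit a web root for world-writable files and directories.

# List regular files and directories under $1 that any local user can write.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Remove write for "other" and grant it to the group instead.
# Assumes the group already is the web server's group (e.g. www-data).
tighten() {
    find "$1" \( -type f -o -type d \) -perm -0002 -exec chmod o-w,g+w {} +
}

# Usage (path is an example):
#   world_writable /var/www        # review the list first
#   tighten /var/www               # then fix what was reported
```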
You don't. Just make the particular files or folders writable by www-data. Running your PHP script as root would be a serious security problem. Even more so, because I don't expect you to follow any common security guidelines (if you did, you wouldn't want to run your script as root).
Kumaran,
The issue isn't PHP; the issue is the user accessing the files. Your PHP scripts are run by the apache user (www-data or apache, you'd need to check the username your apache's running under). The apache user, by default, can access certain files.
To be able to access files using root privileges, the apache user needs to acquire the rights to do so.
Allowing this to happen is a big security risk. You need to re-think the architecture altogether; why is PHP accessing root files in the first place?
One option is to make the files in question writeable by the apache user
The /root is only readable to the root user. Hence you need to first move that file to /var/www and change its permissions so the www-data user can read it.
This question has been asked a couple of times up here, but I haven't found a solution yet. I have a Fedora 19 LAMP server and I just want to run the simple command: file_put_contents('test.txt', 'Hello there'); in order to confirm that my web server can use PHP to write data to files. I'm having trouble figuring out a proper permissions scheme. To start, just for development, Apache's document root is /var/www/html. This directory was originally owned by a user and group called www-data, but I changed the directory's group to the primary group of the owner of the httpd process, named apache. It is this owner that is active when PHP runs. I've confirmed this with the following:
As you see, the process owner is apache, the current directory is /var/www/html/php-console. The directory is owned by www-data and members of the group apache have full access to it.
I have tried the following to get PHP to actually create a file in this location, but to no avail:
chmod 777 /var/www/html/php-console
chown apache /var/www/html/php-console
chgrp apache /var/www/html/php-console
cd /var/www/html; > test.txt; chmod 777 test.txt;
Nothing will work while this script is run from the browser. However, when I use file_put_contents with the PHP CLI, it works just like I would expect, provided that the user I'm entering commands as or its group has write permissions to this directory or test file.
So, from the command line, you see how www-data has read, write, and execute permissions to the folder I'm in. posix_getpwuid and posix_geteuid help you to find the owner of the Apache/PHP process, which in this case is the same as the user logged into the console. file_put_contents successfully writes 8 bytes to the specified file. If I change the group or owner and group to something else, I get Permission denied, which absolutely makes sense.
If this works on the command line, then why not when I really want it to, i.e., while actually serving web pages???
Because you forgot to read the httpd_selinux(8) man page and give the directory the appropriate file context to allow the web server to write files there.
I'm trying to create XML sitemaps for my website from my PHP application. The idea is to either create a new file or overwrite an existing file. When I call fopen, I get the following error:
[function.fopen]: failed to open stream: Permission denied
I'm trying to write to the webroot and its permissions are: 755. This means that the owner has write permission, right? What do I need to do to make my script be able to write to this folder? 777 would be a bad thing, right? Can I run my script as owner somehow?
Thanks.
Yep, as you've said, using 777 could be huge mistake. The webserver doesn't run with the same user as you use to create files and folders.
You have some options:
Run the sitemap creation as a cronjob, using a user with rights to write there, other than the apache user.
Put the sitemap in another directory, and then set up a 302 Redirect or a symlink. In this case, if you have a security issue that lets someone write your sitemap.xml, at least they'll not be able to create another file with a more dangerous extension (like PHP, which may result in a site intrusion).
Make a rewrite rule to redirect any hit to sitemap.xml, to a php script that outputs the appropriate XML.
Good luck!
I'm a beginner and I had this problem as well. I am using Ubuntu linux w/ php and apache
Write a php script w/ the following: <?php echo exec('whoami'); ?> and run it on your server. This tells you who the current user of the script is
SSH to your server.
Make a group that has read and write access to the files you need.
Make group have read, write, and execute on folders you need.
Make the current user you found in the first step, part of the group that has access to the files you need.
Restart Apache: sudo apachectl restart
The main commands you need are:
groupadd: Create a new group
usermod: add your user to a new group
chgrp: changes files / folders to group you specify
chmod: changes permissions on the files / folders you specify.
All the commands you need are here: http://www.yolinux.com/TUTORIALS/LinuxTutorialManagingGroups.html
If you have ACL enabled on the webroot partition just grant the web server username full rights
setfacl -m u:apache:rwx /var/www/html
Replace apache with the web server username and /var/www/html with your webroot location.
Had the same problem.
Looks like apache is running as nobody in the nobody group,
so if you do a
usermod -a -G nobody youruser
chown -R youruser:nobody .
Then change the permission to 0775
chmod -R 0775 .
or you may add nobody to your usergroup
usermod -a -G yourgroup nobody
This would be a better solution.
Does it work with group write enabled (i.e. 775)?
Check your group permissions for the directory the file is in. As long as your PHP user (usually www-data) is part of that group, and it's the only user, you should be fine with 775 (or even 774).
Like Pascal said!
Just find your apache user
<?php echo exec('whoami'); ?>
and then
useradd -G username username2
chown -R username:username2 .
chmod -R 0775 .
And it's done!
Thank you Pascal!
777 is pretty normal, because PHP does not run as you, it runs as a PHP user, Apache, etc. The fact is, your webhost should have a higher set of permissions that prevents other users from writing/deleting your files.