I have looked at several other answers and none of them are working. for example: How to set umask for php5-fpm on Debian?
here's the setup.
I have a cakePHP 2 app running with apache as a reverse proxy for php-fpm on RHEL 7.
I've created a site specific user, which we'll call siteuser.
The virtual host for this site will do a 'SuexecUserGroup for the siteuser user/group.
I've added the php-fpm user to the siteuser group.
There are specific directories in cakePHP 2 which must be writable. I've made these directories group writable and set the S bit so new files are created with the group intact.
In addition, I set the systemd UMask for php-fpm as follows:
/etc/systemd/system/php-fpm.service.d/override.conf
[Service]
UMask=113
After saving this file I do a systemctl daemon-reload && systemctl restart php-fpm.
however, the files are getting written as 777 rather than the 664 I would expect.
What am I missing?
Please add a 0 to your umask for the special permissions bit (i.e. sticky, setuid, setgid, etc.)
[Service]
UMask=0113
Update:
It seems like your changes are not being recognized at all...
I just noticed you are setting this in your override.conf file. In this case you need to make sure that override.conf is being included from the main config (IIRC: php5-fpm.service.conf in the same folder).
Also, have a look at this serverfault question that may contain further information for you.
Related
I've recently been learning to build images and containers with Docker. I was getting fairly confident with it when using a Mac, but recently switched to Ubuntu, I'm fairly new to this side of development.
I'm using a standard new Laravel project as my "code", and am currently just using a php container and nginx container.
I'm using a docker-compose.yml file to create my containers:
version: "3.1"
services:
nginx:
image: nginx:latest
volumes:
- ./code:/var/www
- ./nginx_conf.conf:/etc/nginx/conf.d/default.conf
ports:
- "80:80"
php:
image: php:7.3-fpm
ports:
- 9000
volumes:
- ./code:/var/www
There may or may not be a mistake in the code above just because I've just typed it out rather than copy and pasting - but it works on my machine.
The problem is:
php-fpm is configured with --with-fpm-user=www-data and --with-fpm-group=www-data, and that's set in the php:7.3-fpm Dockerfile (see here).
The files on my host machine, are saved with my user name and group as owner / group.
When I go into the container, the files are owned by 1000 and group 1000 (I assume a mapping to my user account and group on the host machine?)
However, when I access the application through the browser, I get a permission denied error on start up (when Laravel tries to create an error log file in storage). I think this is because php-fpm is running as www-data, but the storage directory has permissions drwxr-xr-x for owner / group phil:phil - my host owner and group.
I've tried the following, after hours of googling and trials:
Recursively change the owner and group of the code directory on the host machine to www-data:www-data. This allows the Laravel application to work, but I now cant create or edit etc files on the host using PHPStorm, because the directory is read-only (I guess because phpstorm is running as my user, and directory is owned by a different user / group).
I've added my host user account to the www-data group, and granted write permissions to the group using sudo chmod -R g+w ./code, which now allows the application to run the application, and for phpstorm to write, execute etc files, but when i create or edit a file, the files ownership and group change back to my host phil:phil, and I guess this would break the application again.
I've tried to create a php image, and set the env (as described in the link above) to configure with --with-fpm-user=phil --with-fpm-group=phil, but after building, it doesn't change anything - it's still running with www-data (after reading a github issue I think this is because envs cant be changed until later, at which point php is already configured?) (see github issue here)
I'm running out of ideas to try. The only other thing I can think of, is to recursively set owner and group of the code directory on my host to www-data and try run phpstorm as www-data instead, but that feels weird (Update: I tried to open phpstorm as www-data user, using sudo -u www-data phpstorm.sh, but i get a java exception - something to do with graphics -so this approach is unfeasible as well)
Now the only thing I can think of to try is to create a new php image from alpine base image and bypass php's images completely - which seems like an awful lot of inconvenience just because the maintainers want to use ENV instead of ARG?
I'm not sure of best practice for this scenario. Should I be trying to change how php-fpm is run (user/group)? should I be updating the directory owner/group on my host? should I be running phpstorm as a different user?
Literally any advice will be greatly appreciated.
#bnoeafk I'll just post this as a new answer although it has basically been said already. I don't think this is hacky, it works basically like ntfsusermap, certainly more elegant than changing all file permissions.
For the Dockerfile:
FROM php:7.4-apache
# do stuff...
ARG UNAME=www-data
ARG UGROUP=www-data
ARG UID=1000
ARG GID=1001
RUN usermod --uid $UID $UNAME
RUN groupmod --gid $GID $UGROUP
Every user using this image can pass himself into it while building: docker-compose build --build-arg UID=$(id -u) --build-arg GID=$(id -g)
ran into the same problem a few weeks ago.
what actually happens is that your host and your container are sharing the same files via the volume, therefore, they also share the permissions.
in production, everything is fine - your server (the www-data user) should be the owner of the files, so no problem here. things get complicated in development - when you are trying to access those files from the host.
i know a few workarounds, the most hacky one seems to be to set www-data uid in the container to 1000, so it will match your uid in the host.
another simple one is to open 777 full permissions on the shared directory, since its only needed in the development build - (should never be done in production though, but as i mentioned before, in production you dont have any problem, so you must seperate the 2 processes and do it only in development mode)
to me, the most elegant solution seems to be to allow all group members to access the files (set 770 permissions), and add www-data to your group:
usermod www-data -a -G phill #// add it to your group
chown -r phill ./code #// make yourself the owner. might need sudo.
chmod 770 ./code #//grunt permissions to all group members
You have many options depending on your system to do this, but keep in mind you may have to restart your running process (php-fpm for example)
Some examples on how to achieve this: (you can run the commands outside the container with: docker container exec ...)
Example 1:
usermod -g 1007 www-data
It will update the uid of the user www-data to 1007
Example 2:
deluser www-data
adduser -u 1007 -D -S -G www-data www-data
It will delete the user www-data and recreate it with the uid 1007
Get pid and restart process
To restart a a running process, for example php-fpm, you can do it that way:
First get the pid, with one of the following command:
pidof php-fpm
ps -ef | grep -v grep | grep php-fpm | awk '{print $2}'
find /proc -mindepth 2 -maxdepth 2 -name exe -lname '*/php-fpm' -printf %h\\n 2>/dev/null | sed s+^/proc/++
Then restart the process with the pid(s) you got just before (if your process support USR2 signal):
kill -USR2 pid <-- replace pid by the number you got before
I found that the easiest way is to update the host or to build your container knowing the right pid (not always doable if you work with different environments)
Let's assume that you want to set the user of your PHP container and the owner of your project files to www-data. This can be done inside Dockerfile:
FROM php
.
.
.
RUN chown -R www-data:www-data /var/www
USER www-data # next instruction might face permission error if this line is not at the end of the dockerfile
The important fact here is that the original permissions in the Docker host are corresponded to the permission inside the container. Thus, if you now add your current user to www-data group (which probably needs a logout/reboot to take effect), you will have sufficient permission to edit the files outside the container (for instance in your IDE):
sudo usermod -aG www-data your_user
This way, the PHP code is permitted to run executables or write new files while you can edit the files on the host environment.
I installed PHP 7 on Red Hat Linux server, but apparently due to running a few commands on the server to configure PHP I have the lost the php-fpm.sock file.
Could anyone please assist me with contents of the file?
Yes that file should be auto generated, do not create the file manually! Ensure that the service is running service php-fpm start If it still fails, check the permissions. Check here for help: /etc/php-fpm.d/www.conf This is your main php-fpm config file. Make sure user, group, listen.owner, listen.group are set to your either nginx or apache user, depending on what web server you use. Also note that listen point to the actual socket file.
although the path /mnt/my-proj/app/../var/sessions/dev is accessible for both the normal user and www-data I get the following message:
Warning: session_write_close(): Failed to write session data (user). Please verify that the current setting of session.save_path is correct (/mnt/op-accounting2/app/../var/sessions/dev)
I get the message above only in dev, but not in prod.
/mnt/my-proj/app/../var/sessions/dev and /mnt/my-proj/app/../var/sessions/prod have the same pemissions: 777.
The path above is mounted as following:
# mount -t vboxsf -o uid=1000,gid=33,umask=000 my-proj /mnt/my-proj;
What am I doing wrong?
I've read the following posts, but could find no solution for me:
PHP session handling errors
https://github.com/NewEraCracker/suhosin-patches/issues/3
PHP7 + Symfony 2.8, Failed to write session data
I'm using Vagrant 1.8.1 on Windows 8.1 Enterprice (64Bit) and ubuntu-xenial 16.04 in Vagrant. The provider is VirtualBox 5.0.20. The settings are mostly default ones. The path above is shared using VirtualBox GUI with full access.
Kind regards,
Juri
SOLVED! :-)
Setting
save_path: "/var/lib/php/sessions"
in /mnt/my-proj/app/config/config.yml solved the problem. Any adjusting of ini-Files in /etc/php/7.0/ wasn't neccessary (those files have still default values only).
But I wander why didn't I get that error message in prod?
You can just edit the configured file.
vi /etc/php/7.2/fpm/pool.d/www.conf
Then change the owner role for PHP from www-data to vagrant
user = vagrant
group = vagrant
In addition to the previous answer from Juri Sinitson, it also solved me tweaking the VM instead of tweaking the project base.
Adding to my Vagrant bash root provisioner this line:
sed -i "s/www-data/vagrant/g" /etc/apache2/envvars
service apache2 restart
Makes the apache run as vagrant. This confers apache more power on the shared directory as it appears to the filesystem that it is the user vagrant and not the user www-data who happens to be touching there.
Maybe this is 'apparmor' related or so.
We have websites running on a linux server with apache httpd and php. On that server a certain directory from a windows server is mounted as let's say /mnt/some_directory/. I can browse this directory with both WinSCP or SSH, using my own user account.
I can also perform the following in SSH:
php -r "print_r(file_get_contents('/mnt/some_directory/file_name.txt'));"
and see contents of that file.
We need to read a file and parse from that directory in order to import it in the database that is used by the website. But when an fopen or a file_get_contents on the website we get a permission denied error.
I have limited access to the web server (and limited knowledge of *nix and apache configuration), but the administrator that is supposed to resolve this apparently is also lacking this knowledge and I need to have this task resolved,that's why I am asking here.
What the admin did was to set the group and ownership of the mounted directory to"apache", which is the user the httpd process is running as. But that didn't help.
As far as I know access to files outside of the webroot is disallowed by default. Would it be sufficient to set a DIRECTORY directive in httpd.conf for /mnt/some_directory/? Or is there anything else that has to be done?
our team had the same issue, my team-mate was able to resolve this by adding context to mount options.
we are using the following format for mounting windows shared folder to linux that apache will be able to access:
mount -v -t cifs <//$hostname/$(windows shared dir)> <mount directory> -o username="<username>",password=<password>,domain=<domain name>,iocharset=utf8,file_mode=0777,dir_mode=0777,context="system_u:object_r:httpd_sys_content_t:s0"
For example:
mount -v -t cifs //192.168.1.19/sample_dir /mnt/mount_dir -o username="admin",password=adminpwd,domain=MIINTER,iocharset=utf8,file_mode=0777,dir_mode=0777,context="system_u:object_r:httpd_sys_content_t:s0"
Link the mounted directory to your www root dir and name the link "share"
ln -s /mnt/some_directory /path/to/your/www/root/directory/share
than try reading the file
php -r "print_r(file_get_contents('/path/to/your/www/root/directory/share/file_name.txt'));"
...or you can allow (if you have enough privileges to edit the webserver's configuration)
<Directory /mnt/somedirectory >
Allow from All
</Directory>
i have seen the same problem with a cifs mount
linux/unix apache that user can have access to the mounted volume, but not apache.
see also this: EnableSendfile off
but when turned off, apache may work slowly,
in .htaccess, only for the cifs mount path, it should work ... .
http://httpd.apache.org/docs/current/en/mod/core.html
best regards
L.Tomas
I have setup apache according to this article
https://help.ubuntu.com/community/ApacheMySQLPHP
and I have created a new site config in /etc/apache2/sites-available/mysite
and changed the document root and directory to :
DocumentRoot /home/gapton/public_html
<Dictory />
..
..
</Directory>
<Directory /home/gapton/public_html/>
...
...
...
...
</Directory>
and I sudo a2dissite default && sudo a2ensite mysite to disable and enable them, restarted apache2 and things are working.
I then setup vsftpd and config the vsftpd.conf file to :
local_enable=YES
write_enable=YES
connect via Notepad++ with the user 'gapton' and I created a file called test.php under home/gapton/public_html. It would not be readable by Apache it seems. I did sudo chmod -R 755 ~/public_html and it would load alright.
However any subsequent files created via vsftpd will not be readable.
Since I have logged in to the only account gapton when connecting via FTP, then any newly created file should be owned by gapton right? What happens when apache tries to access a file/folder location, what credentials does it access it by?
How do I config it so that all files created by gapton can be read by apache? (Also, is it at all advisable?)
Thanks.
I found the problem.
In older version of vsftpd, the umask they apply when writing file was by default 022.
In the current version, such default value has been changed to 077. This mask read 4 write 2 and execute 1 for everyone except the owner.
Changing the umask value in the vsftpd.conf file back to 022 has solved my problem. Hope this help future users of vsftpd facing the same issue.