I have a codeigniter project that runs on xampp. When I run a php command mkdir I get the error "Permission denied". It turns out that the php user and the computer user doesn't have the same name. So I change in the httpd.conf file the lines
User daemon
Group daemon
to
User username
Group daemon
To match my username. Now I get this problem fix but that creates a pemission error on another part of the code. Which is strange because I run the same project on another machine with the same settings and it works. Can you point me on the right direction?
The User directive specifies which linux user the httpd process should use to run as. This means the httpd process will do everything as if that user (in this case, you) is doing it. If you don't have permissions to do something, the httpd process won't be able to do it and you will see an error.
To fix this, you need to fix the permissions on the files/folders/commands the httpd process (and php) needs. You can either:
grant full permissions to the daemon group on the file/folder you want: chgrp daemon /path/to/file; chmod g+rwx /path/to/file
grant full permissions to the specific user on that file/folder: chown username /path/to/file; chmod u+rwx /path/to/file
grant full permissions to everyone (probably not recommended): chmod o+rwx /path/to/file
If the process doesn't need to write at that location (mkdir, create or change files, ...) then don't grant write permissions, if it doesn't need to execute (run a command, read a folder's contents) then don't grant execute permissions.
Related
I want the user to be able to read and edit files in the test folder, these files are always created by a software with read-only properties.
I can't use the chown command manually, so I need a chown command that can work in PHP before the user's read and write commands automatically.
Manual ok:
root#vultr: chown -R nginx /var/www/html/test //run ok, All files in the test folder can be read and written
root#vultr:~# /var/www/html/test/test.sh //run ok, the test.sh file contains the "chown -R nginx command /var/www/html/test"
My php code but not working
shell_exec('./test.sh');
chown('file_webuser', 'nginx');
The chown (change owner) won't work for non-root user. What you really need to do is to grant the user (I assume it's a nginx) full permissions to files.
It can be achieved in few ways. The most secure way is to run PHP (I'm guessing PHP is running as a PHP-FPM) as a nginx user by editing params user and group in your php-fpm.conf file and restarting the PHP service.
In such case, the owner of files will be the same, so no file permission manipulation is needed. You'll need to change ownership of all files generated/uploaded by PHP to nginx once (using root user and chown command).
The second solution is to add the user who's running PHP-FPM to the same group as the nginx user and modify umask so the files are accessible to a group. Let's say that the group would be www-data (you have to add nginx user and the PHP-FPM process owner to that group, for example with usermod command, and edit your php-fpm.conf: set group to www-data). Then in your PHP scripts use umask function to allow all members of group to have full access to files: umask(0007);.
The third, least secure way is to give full access to your files for all users in the system. Use umask function in your PHP file to achieve this: umask(0000);
this is because the root user probably has privileges to manipulate these files created by Nginx or etc.
if PHP is not the owner of that files you can put it on the authorized group that they have desired access to.
Use the exec() in PHP so your code will look like:
exec("chown -R nginx /var/www/html/test");
I am using nginx with an install of Wordpress; I was trying to come up with a way to store user uploads beyond the web root and use a php script to serve them when needed.
I am positive I will need to log in as root on the server to accomplish the right settings; but I do not know the right way to set permissions for nginx to allow a php script to write to the folder and access it's contents.
My path to the web root looks like this:
/var/www/vhosts/mydomain.com/httpdocs
So I wanted to create a folder here ( I am guessing ):
/var/www/vhosts/mydomain.com/new_folder
I have not logged in to the server as the root user before, but I have found a few lines of commands that may be relevant. I do not know which applies to my situation.
mkdir /var/www/vhosts/mydomain.com/new_folder
chmod 755 /var/www/vhosts/mydomain.com/new_folder
Will this work for a server running nginx? or do I need something like this?
mkdir -p /var/www/vhosts/mydomain.com/new_folder
sudo chmod -R 0755 /var/www/vhosts/mydomain.com/new_folder
I think that the sudo command deals with permission on folders that were supposed to only be accessed by the root user.
I am having a hard time researching this as I do not understand which context to use these commands. I still do not know how to set the permission of a folder so a php script can read and write to that directory.
I could really use a nudge in the right direction, as I am terrified in trying to just start blindly entering commands on the server logged in as root.
I'm not a nginx expert, I'm used to apache, but my guess is all you need to do is make sure the user that nginx is running under has write permission to a folder. In order for this command to word:
mkdir /var/www/vhosts/mydomain.com/new_folder
You need to make sure you are logged in as a user that has write access to /var/www/vhosts/mydomain.com/. If your normal user doesn't have the permission that is where sudo comes in. sudo basically means run this command as root. It should also ask you for your root password when this is done. You can add sudo in front of any of the commands listed above or below if you don't have sufficient permission to do something.
This command is creating a new directory/folder mkdir = make directory. This command:
chmod 755 /var/www/vhosts/mydomain.com/new_folder
Is changing the permissions on that folder you just created. You can do some research and see what 755 stands for. More importantly though you will probably need to use the chown command to give ownership of the directory to the nginx user. As I said I'm not a nginx user so I don't know what the standard username is, but for apache it would look something like this:
chown www-data:www-data /var/www/vhosts/mydomain.com/new_folder
This question has been asked a couple of times up here, but I haven't found a solution yet. I have a Fedora 19 LAMP server and I just want to run the simple command: file_put_contents('test.txt', 'Hello there'); in order to confirm that my web server can use PHP to write data to files. I'm having trouble figuring out a proper permissions scheme. To start, just for development, Apache's document root is /var/www/html. This directory was originally owned by a user and group called www-data, but I changed the directory's group to the primary group of the owner of the httpd process, named apache. It is this owner that is active when PHP runs. I've confirmed this with the following:
As you see, the process owner is apache, the current direcory is /var/www/html/php-console. The directory is owned by www-data and members of the group apache have full access to it.
I have tried the following to get PHP to actually create a file in this location, but to no avail:
chmod 777 /var/www/html/php-console
chown apache /var/www/html/php-console
chgrp apache /var/www/html/php-console
cd /var/www/html; > test.txt; chmod 777 test.txt;
Nothing will work while this script is run from the browser. However, when I use file_put_contents with the PHP CLI, it works just like I would expect, provided that the user I'm entering commands as or its group has write permissions to this directory or test file.
So, from the command line, you see how www-data has read, write, and execute permissions to the folder I'm in. posix_getpwuid and posix_geteuid help you to find the owner of the Apache/PHP process, which in this case is the same as the user logged into the console. file_put_contents succesfully writes 8 bytes to the specified file. If I change the group or owner and group to something else, I get Permission denied, which absolutely makes sense.
If this works on the command line, then why not when I really want it to, i.e., while actually serving web pages???
Because you forgot to read the httpd_selinux(8) man page and give the directory the appropriate file context to allow the web server to write files there.
I have a BitBucket account, and it will trigger a script on my sever that will pull and update the live server when a push is made. The trigger works, and after having a lot of troubles getting the _www user to trust the hgrc or whatever (I did get that working), it's actually doing the command.
The problem is I get an error about not being able to lock the folder, which means that my _www user doesn't have permission to the .hg folder.
What's a good way to approach this? I don't want to make the .hg folder 0777. I could put _www in the same group as my user (which I believe it is) and give the group rw (what is that, 0775?). Would that be acceptable, or are there other security implications I might be missing, or a better way to handle this.
I was I could run the command with my user. And maybe I can. BitBucket is using a POST service to post to my server and I do the command via PHP's shell_exec() (it only runs the command if the request came from BitBucket's IP).
[Update] I went ahead and tried setting the permissions to 0775, and it still didn't work (_www isn't in the same group as my user). Same error, which is:
abort: could not lock repository /path/to/local/repo: Permission denied
You've got the right idea with the groups stuff. You need to:
make sure the www user is in the same group as the group that owns everything in the .hg directory
make sure everything in the .hg directory is write-able by group (chmod -R g+w .hg)
If any other users besides www will be pushing/pulling/updating in that repo then you'll also want to use the sticky-group-bit to make sure that newly created files and directory have the same group ownership as the .hg directory itself.:
find .hg -type d | xargs chmod g+s
Your first paragraph is not entirely clear, but have you tried changing the .hgrc file on the live server, adding:
[trusted]
users = _www
groups = _www
I'm trying to create XML sitemaps for my website from my PHP application. The idea is to either create a new file or overwrite an existing file. When I call fopen, I get the following error:
[function.fopen]: failed to open stream: Permission denied
I'm trying to write to the webroot and its permissions are: 755. This means that the owner has write permission, right? What do I need to do to make my script be able to write to this folder? 777 would be a bad thing, right? Can I run my script as owner somehow?
Thanks.
Yep, as you've said, using 777 could be huge mistake. The webserver doesn't run with the same user as you use to create files and folders.
You have some options:
Run the sitemap creation as a cronjob, using an user with rights to write there, other than the apache user.
Put the sitemap in another directory, and the set up a 302 Redirect or a symlink. In this case, if you have a security issue that let's someone to write your sitemap.xml, at least they'll not be able to create another file with a more dangerous extensions (like PHP, which may result in a site intrusion).
Make a rewrite rule to redirect any hit to sitemap.xml, to a php script that outputs the appropriate XML.
Good luck!
I'm a beginner and I had this problem as well. I am using Ubuntu linux w/ php and apache
Write a php script w/ the following: <?php exec('whoami'); ?> and run it on your server. This tells you who the current user of the script is
SSH to your server.
Make a group that has read and write access to the files you need.
Make group have read, write, and execute on folders you need.
Make the current user you found in the first step, part of the group that has access to the files you need.
Restart Apache: sudo apachectl restart
main commands you need are:
groupadd: Create a new group
usermod: add your user to a new group
chgrp: changes files / folders to group you specify
chmod: changes permissions on the files / folders you specify.
All the commands you need are here: http://www.yolinux.com/TUTORIALS/LinuxTutorialManagingGroups.html
If you have ACL enabled on the webroot partition just grant the web server username full rights
setfacl -m u:apache:rwx /var/www/html
Replace apache with the web server username and /var/www/html with your webroot location.
had the same problem
Looks like apache is running as nobody in the nobody group
so if you do a
useradd -G nobody youruser
chown -R youruser:nobody .
Then change the permission to 0775
chmod -R 0775 .
or you may add nobody to your usergroup
useradd -G nobody yourgroup
this be a better solution
Does it work with group write enabled (i.e. 775)?
Check your group permissions for the directory the file is in. As long as your PHP user (usually www-data) is part of that group, and it's the only user, you should be fine with 775 (or even 774).
Like Pascal said!
just find your apache user
<?php exec'whoami'; ?>
and then
useradd -G username username2
chown -R username:username2 .
chmod -R 0775 .
And its done!
Thank you Pascal!
777 is pretty normal, because PHP does not run as you, it runs as a PHP user, Apache, etc. The fact is, your webhost should have a higher set of permissions that prevents other users from writing/deleting your files.