I am running my server on cPanel.
I have two user accounts:
/home/user1
/home/user2
From user2 I need to include /home/user1/public_html/config.php.
Is there any way to apply this?
It is fully possible to access php files located in other parts of the hard drive than where the site is run. However, this depends on two things. First off, the web user needs read permissions for the file, and you need to define the root folder where that php file is located as an accessible folder for the website.
Setting file permissions for the file can be done with:
chmod -R 775 /home/user1/public_html/config.php
Defining the accessible folders for PHP depends on whether you are running Apache or Nginx.
In Nginx for example:
fastcgi_param PHP_ADMIN_VALUE "open_basedir =$document_root:/tmp:/usr/local/lib/php:/var/www/vhosts/yourdomain/httpdocs/:/home/user1/public_html";
In Apache:
Apache readme
Now you should be able to require the file like you normally would require any file:
require('/home/user1/public_html/config.php');
Why not just copy paste the /home/user1/public_html/config.php file to /home/user2/public_html/? If you don't have permissions to access or do any operation on the file, then you are simply not authorized to attempt this.
Related
I'm using Apache 2 in Linux Mint and I don't know where to store my files and projects. If I store them in /var/www they are not accessible to me; I have to use commands as super user. Is there any way to solve my problem?
- If I want to store them in my home folder, what should I type in the address bar if I want to run my file?
- Are there any other good solutions than these? (such as changing the accessibility of the /var folder, or changing the Root_Url of apache ...)
The easiest way to solve this problem is by typing the following line in terminal:
sudo chmod -R 777 /var/www
and then enter your password. And now you are done. You can store all the PHP files in /var/www
You have to do a chmod (you can get more information in your terminal with the command man chmod) to set the rights to write in that folder, or else point the web server elsewhere (the setting is in the https.conf file)
There are different solutions:
create a symlink from /var/www/link to your project and set your project
create a virtualhost with the DocumentRoot to point to your project: http://httpd.apache.org/docs/2.2/vhosts/examples.html
in both cases your project must give the apache user (www-data?) permission to read/execute your project
You need to activate the user_dir mod of apache and then run the content from your home folder.
To run a file in your home directory you should go to localhost/~youruser/script.php, of course after enabling user_dir
Everything depends on the use.
If you are looking for a configuration for a development server that is accessible only from limited host (such as localhost):
You can configure Apache (/etc/apache2/apache2.conf) to run with your user/group.
User myuser
Group mygroup
Store all your project in your user_dir (/home/myuser/projects/...)
Create a virtual host for any of your projects
All files generated by your server will be accessible to you and vice versa
One way to accomplish this is to edit the default virtualhost supplied with Apache 2. In Linux Mint 14 its configuration file is located at:
/etc/apache2/sites-enabled/
This directory should hold symlinks for all active sites, for me the default is named 000-default.
Change the lines with "DocumentRoot" and "Directory" to point wherever you like. The server should have read only privileges by default. If you are working on file manipulation then it will need permission to read and write files.
Once this is set, restart the server ("sudo service apache2 restart") and type localhost in your browser to access the directory you've set above.
For more advanced configs have a look at:
http://community.linuxmint.com/tutorial/view/853
http://community.linuxmint.com/tutorial/view/527
I am having an irritating problem concerning the permissions of files created by WordPress.
When I download plugins using WordPress or upload images, and even when a PHP script creates a dir/files, it puts the permissions of this folder into a different user/group.
My user has no access to this file/folder under my own FTP account.
Is there a way to change the ownership of files/folders created by apache/php/wordpress to my user?
If you are using Ubuntu (I don't know if in other distros the files are in the same location) you can edit the file envvars located in /etc/apache2 and restart Apache.
If you can use ACL this is a better solution than changing the user for Apache, more info: https://help.ubuntu.com/community/FilePermissionsACLs
If you want to change the permissions from a php script, you could use the chown() function
I think this question should be something easy but after searching all over the web I couldn't find an answer, so I decided to ask here.
I have a file uploader in my website that works with PHP. The folder where files are being uploaded has 777 chmod. I also have a PHP script to list the files in that folder. What I need is to allow PHP to upload and browse files in that folder, but not allow people to do it. The only solution I imagined is to chown that folder to another user different than default, so I could later chmod in FileZilla and allow only owner to do it, so people will see the files through the output of the PHP script, but not if they navigate to that folder.
I'm using Debian, apache2. I'd like to know what I could do.
To make it short, my aim: allow PHP to upload, read, write and execute files in that folder, but not clients unless they use my PHP script.
Thanks in advance
Put all the files you're talking about in their own directory. Add a .htaccess file to that directory. The contents of the .htaccess should be deny from all.
This will prevent any user from manually accessing the files as access will be blocked off. Your PHP script can still browse the contents of the file and serve it up as an attachment with the correct content type.
For more info on how to serve a file for download in PHP, read this: https://serverfault.com/questions/316814/php-serve-a-file-for-download-without-providing-the-direct-link
All services including web servers run in a security context which is an account in the OS, for example apache starts using apache user in apache group. It is enough to change mode and change owner to this user and group. Never chmod a directory to 777 until there is a good explanation for that. Using this trick, web service process only can read, write and execute in that directory.
As well, if you want the browser clients not to see (read) the contents of that directory, you should deny listing on that directory. I think it is disabled by default.
In my project, I have to upload some video files to a folder which lies outside the root folder. I am using simple php function move_uploaded_file to upload the file. I have tried with the code below.
$source = $_FILES['Filedata']['tmp_name'];
$targetFile = '/usr/local/WowzaMediaServer-3.1.1/content/video.mp4';
move_uploaded_file($source,$targetFile);
But it is not working. Can it be done through move_uploaded_file? If not, suggest a better option to do this.
I have seen some similar question but nothing helps. So any help would be appreciated..
Are you sure you're not in a chroot jail?
If so, your "absolute" path name could be pointing to the wrong place-- somewhere that doesn't exist.
If so, change the path to point to somewhere within the jail.
It may be necessary to mount --bind the directory you want this to go in into some location within the jail. (Note that a symbolic link will not work for getting out of jail.)
More than likely this is a simple permissions issue and quite easy to solve.
Find the user that apache uses. To do this open up your httpd.conf file and look for something like:
User apache
Group apache
Change the ownership of the folder that you're trying to upload to.
chown -R apache.apache /usr/local/WowzaMediaServer-3.1.1/content/
Change the permissions of the folder
chmod -R 775 /usr/local/WowzaMediaServer-3.1.1/content/
And that should be that.
I'm going to assume you're using Apache for the purposes of this answer.
First off, is the file being uploaded ok? One possible reason you might have trouble is that the tmp directory isn't writable by the webserver, or readable come to that. Assuming that's ok then move_uploaded_file should work fine.
Create a folder next to your DOCUMENT_ROOT, let's call it "filestore". Make sure it's writable by www-data or whichever user runs apache. Now, you should be able to move the files into that folder. Note they will be owned by www-data:www-data typically - or whatever user and group your server is set up to run as. The reason I put the "filestore" folder next to the DOCUMENT_ROOT folder is that you can be sure the webserver can read the file path up to DOCUMENT_ROOT. Otherwise you run the risk of a folder part way up the path not being readable, and that'll stop you dead. e.g. if you have /usr/local/media as your target folder and /usr/local isn't readable (and executable) by the webserver, you're toast.
If all this works and you absolutely must have your media elsewhere, you can have the "filestore" folder anywhere so long as the whole path to it is read/executable by the webserver. Check each directory in the path.
If these uploaded files are being downloaded by other users via the web then the "filestore" folder only needs to have permissions of 700 since it's always going to be the web server's user which reads them. If other users need access, typically because other software running as a different user needs to use them then you might need permissions to be 750 to allow group members to read (and execute) the directory. You'll also need to add that other user to the www-data group.
For downloads you will need to write a simple script which dumps the file to the browser after doing some authentication checks. That way, you avoid having the media accessible just via http without having any authentication done first - which could make your service into an attractive place for illegal files (copyright violations being the least concern here).
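The "check each directory in the path" step from the answer above, as an added example that is not part of the original answer: a POSIX shell function that walks an absolute path and prints every component the given uid and gid list cannot search or read. The name path_blockers is chosen here; GNU stat is assumed and only the classic mode bits are evaluated.

```shell
#!/bin/sh
# Added example (not from the answers above). Lists every component of an
# absolute path that a given account cannot pass, judged from the classic
# owner/group/other mode bits only: ACLs, SELinux and root's bypass are ignored.
# usage: path_blockers UID "GID GID ..." /absolute/path
#   e.g. path_blockers "$(id -u www-data)" "$(id -G www-data)" /usr/local/media
path_blockers() (
    uid=$1 gids=" $2 " found=0
    case $3 in /*) ;; *) echo "absolute path required" >&2; return 2 ;; esac
    rest=$(printf '%s' "$3" | tr -s /)   # squeeze repeated slashes
    rest=${rest#/}
    cur=/
    while :; do
        # %u owner uid, %g group gid, %a octal mode; -L follows symlinks (GNU stat)
        info=$(stat -L -c '%u %g %a' -- "$cur" 2>/dev/null) || {
            echo "cannot stat $cur (re-run as root to inspect further)" >&2
            break
        }
        set -- $info
        # The kernel applies exactly one class: owner, else group, else other.
        class_shift=0
        case $gids in *" $2 "*) class_shift=3 ;; esac
        [ "$1" = "$uid" ] && class_shift=6
        bits=$(( (0$3 >> $class_shift) & 7 ))
        # Directories need search (x = 1); the final file needs read (r = 4).
        if [ -d "$cur" ]; then need=1; else need=4; fi
        if [ $(( bits & need )) -eq 0 ]; then
            printf '%s\n' "$cur"
            found=1
        fi
        [ -n "$rest" ] || break
        part=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        cur=${cur%/}/$part
    done
    return "$found"
)
```

Run it as root so that stat can see past a directory the calling account itself cannot enter; the exit status is 1 when at least one blocking component was printed.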
This is a dangerous approach as it gives root privileges to the apache user, so use with caution.
Add the apache user to the list of sudoers - which will let you execute commands as root in php via system('sudo the_command'). Then move the uploaded file to a temporary location that the apache user can write to (eg. create a 'tmp' directory in the doc root). Then use system("sudo mv \"$source\" \"$destination\""); to move the temporary file to its final location.
You can find the apache user by executing <?php echo exec('whoami'); ?>. Then add the following entry to sudoers the-apache-user ALL=(ALL) NOPASSWD: ALL. Use visudo to add the sudoer entry.
Example:
$source = $_FILES['Filedata']['tmp_name'];
$targetFile = '/usr/local/WowzaMediaServer-3.1.1/content/video.mp4';
$tempLocation = 'tmp/temp-file.mp4';
move_uploaded_file($source, $tempLocation);
system('sudo mv "' . $tempLocation . '" "' . $targetFile . '"');
Edit: Related question - How to run PHP exec() as root?
Whenever you face a problem with your code, look at the server log or, easier, turn on error display. That said, your problem could be related to the upload_tmp_dir setting. Check what phpinfo() tells you about that or look at your php.ini file.
A better solution would be to write the file somewhere where you can write (i.e. under the webroot) and then create a symlink from the media directory to where you wrote it.
For example:
Web Root is /var/www/html
You want it at /usr/local/WowzaMediaServer-3.1.1/content/
Create directory /var/www/html/mediaserver/content/
Make permissions on /var/www/html/mediaserver/content/ 777 (so apache can write to it)
Copy files from /usr/local/WowzaMediaServer-3.1.1/content/ to /var/www/html/mediaserver/content/
Delete /usr/local/WowzaMediaServer-3.1.1/content/ (just the "content" directory)
Create symlink from /usr/local/WowzaMediaServer-3.1.1/content/ to /var/www/html/mediaserver/content/
Then you have permissions to read/write, and the media server should too. Only issue would be if the media server is trained not to read symlinks - but you can find that out quickly enough.
I am trying to help a friend moving a web-site from one web-hotel to another.
The old place is already closed, I have only a flat tar file of what was in it.
The web site contained HTML docs and one could download a little Java application (to be loaded on mobile phone) to send data to the web site.
The mobile Java application sent a string to URL=<HOST>/php/register.php. This php script included another php script (../inc/db_login.php), which connected to a SQL DB using $link=mysql_connect(). Another file, register.php, did the SQL insert for putting the new sent data in the DB.
My question is basically, where I should put these 2 PHP files on the new website and what permissions the directories and files should have?
The old web server obviously had /php and /inc directories. Neither of these exists on the new webserver. Should I create them? What permissions should they have? I guess the reason for having the password in a separate PHP file was security. The /php and /inc directories probably had different permissions.
The new server has directories:
/httpdocs
/httpsdocs
/cgi-bin
/conf (and some others probably irrelevant)
My questions
Does the file extension (.php) mean something to the server: as PHP scripts are "included" in HTML code (between <?...?>), does the server need to look at the file suffix or is it irrelevant? (I understand that the server reacts to the <?...?>, of course.)
Should the public file (register.php in my case) be placed in the httpdocs/ directory, or does the server (Apache, I think) react to something and fetch it from another directory?
Should the PHP script have permission R-X (read and execute), --X (execute) or R-- (read)? From an OS perspective I guess Apache is just reading these files, meaning that they should be R--, but this would mean that if the PHP service is "stopped" the client would get all the PHP code in his browser(?). I would prefer it being --X but as this is neither a binary nor has a #!, I guess it must be --R?
If the public PHP script can be placed in another dir (e.g /php instead of /httpdocs) what should /php (and the script) have for permission?. I guess the server has to know about this /php directory (or are there usual defaults?)
The PHP script included (../inc/db_login.php, containing SQL password) should not be under /httpdocs I guess. This means that my register.php is including a file which is not under the /httpdocs subtree. Does this work? Does the server need to know?
I understand you may need to know the server configuration. Just assume the default in your answer (and you can tell where it is changed if it is).
Directories must have execute permissions to be usable. Usually this is 0755. PHP scripts run via mod_php are not executed but rather read; 0644 will suffice for this. Directories that must be written to need to be owned by the user the web server is running as. There may be additional concerns regarding permissions, e.g. SELinux, but the above will get you through the basics.
Documents that must not be accessed by other users or external clients should be 0600, owned by the web server user, and located outside the DocumentRoot. Note that running mod_php in Safe Mode will prevent scripts from ever including anything outside the DocumentRoot; a lamentable flaw.
Set php files to 640
For maximum security you should set minimum permissions, which is 640.
The owner 6 would be the one uploading the files.
The group 4 would be the one serving the file. Make apache a group member.
The nobody 0 means no other users can read this file. It's important since php scripts sometimes have passwords and other sensitive data.
Never allow php scripts to be read by everyone.
Useful commands:
chmod 640 file.php
chown user:group file.php
usermod -a -G group apache
What these commands are doing:
Change ownership of file.php so user can read and write, group read.
Change ownership of file.php, to chosen user name and group name.
Add apache to the group, so that apache can serve the file. Otherwise 640 will not work.
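An added check, not from the answers on this page, for the two conditions they warn about: entries left world-writable (what chmod 777 produces) and PHP files readable by everyone (what 640 is meant to prevent). The name audit_webroot is chosen here and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the answers above). Reports two conditions under a
# web tree:
#   world-writable      any file or directory with o+w (what chmod 777 leaves)
#   world-readable-php  a *.php file with o+r (what 644 leaves, 640 removes)
# Output: "<finding> <octal mode> <path>" per line; exit 1 if anything is found.
# usage: audit_webroot /var/www/htdocs
audit_webroot() (
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    report=$(
        # Symlinks always show mode 777, so they are skipped, not reported.
        find "$root" ! -type l -perm -0002 \
            -exec stat -c 'world-writable %a %n' {} +
        find "$root" -type f -name '*.php' -perm -0004 \
            -exec stat -c 'world-readable-php %a %n' {} +
    )
    [ -n "$report" ] || return 0
    printf '%s\n' "$report"
    return 1
)
```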
1) Files that end with a .php extension are handed off to the PHP compiler by Apache. If the proper configuration is not set up to do so, PHP files get served up as text files by the server. The Apache configuration line "AddHandler php5-script php" in the httpd.conf file is the PHP5 method of setting this up.
2) register.php needs to be accessible at http://www.example.com/php/register.php, as the java app is looking for it, so in the Apache htdocs folder, there needs to be a "php" folder with the register.php file in it.
3) PHP files need read access by the user that's running the Apache service. Using PHP as an Apache module has no 'service' to speak of that's separate for PHP. Instead the Apache service, when it gets a request for a PHP file, makes a shell call to the PHP binary to parse the file and hand the Apache service the result, which it serves to the client. Only if you were using PHP from the command line (CLI setup) would the scripts need execute permission, and start with a #!/path/to/php-bin line.
4) The requested file (register.php) needs to be in htdocs in order to be served by Apache. If PHP is running with "Safe Mode" disabled, register.php could include a file that was outside the htdocs folder.
5) The path "../inc/db_login.php" is relative to the PHP script that was originally fetched (register.php), so, since register.php is in htdocs/php/register.php, that would put db_login.php at htdocs/inc/db_login.php.
I've coded a function to address the permissions issues in both of PHP / SuPHP and similar:
function realChmod($path, $chmod = null)
{
    if (file_exists($path) === true)
    {
        if (is_null($chmod) === true)
        {
            $chmod = (is_file($path) === true) ? 644 : 755;
            if (in_array(get_current_user(), array('apache', 'httpd', 'nobody', 'system', 'webdaemon', 'www', 'www-data')) === true)
            {
                $chmod += 22;
            }
        }
        return chmod($path, octdec(intval($chmod)));
    }
    return false;
}
Maybe it's useful for you.
All the PHP files which are intended to be addressed directly via URLs can happily reside in the same directories as the static content (this is the usual practice).
It is good practice to have at least one directory outside those visible from the webserver to hold include files, but the PHP include path should still include '.'.
I'd recommend not putting lots of non-standard directories in your root filesystem - the default webroot varies by distribution, but I usually go with something like:
/var/www/htdocs - as the document root
/usr/local/php - for include files
Obviously if you intend running your webserver chroot, these should be mapped accordingly.
All files must be readable by the uid under which the webserver runs, however if you can restrict what is writeable by this uid as much as possible then you close off a potential attack vector.
I usually go with setting up my dirs as drwxrwSr-x owned by a member of a webdev group with the group ownership as the webdev team (the httpd uid is not in the webdev group), and files are therefore -rw-rw-r--. So anyone in the webdev group can change files, and the httpd uid can only read files.
1) does the files-extension (.php) means something to the server:
Yes - go read the PHP installation guide.
C.
Assuming your SFTP/FTP user is johndoe and the web server group is www-data: johndoe can only read and write the files but not execute them (in my case never). The web server software, usually Apache/Nginx, from the group www-data can read/write/execute the files. Other users? What are they doing here???
So, I used to set 0670 (rw-rwx---) and it always works for me :)
Set file permission to 0644 and folder permission to 0755.
I have coded a library for that.
Example of usage:
<?php
use MathiasReker\FilePerm;
require __DIR__ . '/vendor/autoload.php';
(new FilePerm([__DIR__])) // <-- root directory
->setDefaultModeFile(0644) // <-- file permission
->setDefaultModeFolder(0755) // <-- folder permission
->scan()
->fix();
Full documentation: https://github.com/MathiasReker/php-file-permissions