I have Ubuntu 16.04 with Apache2 and php7 on it.
I want to read some log files with php and print them.
Therefore I do a simple
readfile("/var/log/apache2/access.log");
But that does not work. I get this error:
Warning: readfile(/var/log/apache2/access.log): failed to open stream: Permission denied in /var/www/test.php on line 2
I'm quite sure I've set the permissions right, Apache and php run as www-data, so I added the user www-data to the groups 'adm' and 'syslog', as these groups have read permissions for the whole file path and the file itself.
Permissions are 640 by default, but only if I set it to 647 for example, the file is readable for php/apache. Even 644 or 646 is not enough.
Why is that? Do I have to change something in the Apache vhost config?
Addition: ls -alp /var/log/apache2
drw-r----- 2 root adm 4096 Oct 25 11:07 ./
drwxr-xr-x 9 root syslog 4096 Oct 25 10:39 ../
-rw-r----- 1 root adm 47861 Oct 25 14:01 access.log
-rw-r----- 1 root adm 12014 Oct 25 14:01 error.log
-rw-r----- 1 root adm 0 Oct 25 10:40 other_vhosts_access.log
Since this is clearly a permissions error, ensure each parent folder leading to access.log definitely has the group set to either adm or syslog.
Each folder leading up to access.log must have at least a group permission of read and execute (g+rx) to allow PHP to descend into each sub-directory.
If I were you, I would change the apache config to write the file to a publicly inaccessible folder in your web root (since the log file is clearly essential in your application). This saves you from modifying system folder permissions which can be dangerous especially in web applications.
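An added example, not part of the original answer: a small Python checker that walks each component of a path, as the answer describes, and reports the first directory that lacks search (x) permission for a given uid and group set. The stat table is constructed from the question's ls output; the numeric ids and the "/" and "/var" rows are assumptions.

```python
import os
from types import SimpleNamespace

def allowed(st, uid, gids, want):
    """Classic Unix rule: only ONE class (owner, else group, else other) applies."""
    if uid == st.st_uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return (bits & want) == want

def first_blocker(path, uid, gids, want=4, stat_fn=os.stat):
    """Return (component, reason) for the first path component whose mode bits
    stop this uid, or None. want: 4 = read, 2 = write. Not modelled: root,
    ACLs (the '+' in ls -l), AppArmor/SELinux."""
    chain, cur = ["/"], ""
    for part in filter(None, os.path.abspath(path).split("/")):
        cur += "/" + part
        chain.append(cur)
    for directory in chain[:-1]:
        if not allowed(stat_fn(directory), uid, gids, 1):
            return directory, "no search (x) permission on directory"
    if not allowed(stat_fn(chain[-1]), uid, gids, want):
        return chain[-1], "mode bits deny the requested access"
    return None

# Constructed stat table: (mode, uid, gid). The apache2 and /var/log rows mirror
# the question's ls output; "/" and "/var" rows and all numeric ids are assumed.
ROOT, WWW_DATA, ADM, SYSLOG = 0, 33, 4, 108
TREE = {
    "/": (0o755, ROOT, ROOT),
    "/var": (0o755, ROOT, ROOT),
    "/var/log": (0o755, ROOT, SYSLOG),
    "/var/log/apache2": (0o640, ROOT, ADM),  # drw-r-----: group may list, not enter
    "/var/log/apache2/access.log": (0o640, ROOT, ADM),
}

def table_stat(table):
    return lambda p: SimpleNamespace(**dict(zip(("st_mode", "st_uid", "st_gid"), table[p])))

def demo():
    target, groups = "/var/log/apache2/access.log", {WWW_DATA, ADM, SYSLOG}
    before = first_blocker(target, WWW_DATA, groups, stat_fn=table_stat(TREE))
    fixed = {**TREE, "/var/log/apache2": (0o750, ROOT, ADM)}  # add g+x
    after = first_blocker(target, WWW_DATA, groups, stat_fn=table_stat(fixed))
    return before, after

if __name__ == "__main__":
    print(demo())
```

On a live system, run it as root with the default os.stat and pass the uid and group ids that `id www-data` reports.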
Running Ubuntu 18.04, Apache/2.4.29, PHP 7.2.10.
I am unable to read/write into my mounted drives from PHP.
This is my sample code:
<?php
ini_set('display_errors', '1');
error_reporting(E_ALL);
$folder = '/media/superuser/HDD4TB_CRYPT/nextcloud_data';
var_dump(ini_get('open_basedir'));
file_put_contents($folder.'/x.txt', "AA");
echo file_get_contents($folder."/x.txt");
phpinfo();
This is output:
string(0) ""
Warning:
file_put_contents(/media/superuser/HDD4TB_CRYPT/nextcloud_data/x.txt):
failed to open stream: Permission denied in
/var/www/html/nextcloud/x.php on line 9
Warning:
file_get_contents(/media/superuser/HDD4TB_CRYPT/nextcloud_data/x.txt):
failed to open stream: Permission denied in
/var/www/html/nextcloud/x.php on line 10
These are the folder details:
superuser#SuperTower:/var/www/html/nextcloud$ ls -al /media/superuser/HDD4TB_CRYPT/
total 28
drwx------ 4 superuser superuser 4096 feb 3 20:55 .
drwxr-x---+ 4 root root 4096 feb 2 00:06 ..
drwx------ 2 root root 16384 feb 1 22:49 lost+found
drwxrwxrwx 2 www-data www-data 4096 feb 3 21:29 nextcloud_data
I tried editing open_basedir, but this did not help to solve any issues, so I just commented it out. Therefore open_basedir has no value in phpinfo(). Folder is chowned to www-data (this is apache user) and also chmoded to 777.
/media/superuser/ contains folders with mounted drives on my PC. superuser is my username in Ubuntu.
Thanks for any ideas!
P.S.
I have also tried adding a symlink to my folder:
superuser#SuperTower:/var/www/html/nextcloud$ ls -al data
lrwxrwxrwx 1 www-data www-data 45 feb 3 21:05 data -> /media/superuser/HDD4TB_CRYPT/nextcloud_data/
and using
$folder = '/var/www/html/nextcloud/data';
but the results are exactly the same.
I also tried adding
<Directory /var/www/html/nextcloud/data>
Options +FollowSymLinks
Allow from All
</Directory>
no change in the resulting behavior :/
For some reason no matter what ownership/permissions I set on folder, /media/superuser is never accessible by www-data.
I edited /etc/fstab to mount drive into /opt/ folder and I chowned it to www-data user and group.
Works like a charm now.
My goal is to configure php profiling for local development website in Kubuntu 16.04.
Installed tideways according to docs and checked it's installed correctly with:
php --ri tideways_xhprof
Created header.php with following contents
<?php
tideways_xhprof_enable();
Added reference to it to php.ini
auto_prepend_file = "/home/user/pathto/header.php"
Restarted apache2
And getting the below errors in apache error log:
[Sat Jan 27 17:54:24.233604 2018] [:error] [pid 15976] [client 127.0.0.1:42054] PHP Warning: Unknown: failed to open stream: Permission denied in Unknown on line 0
[Sat Jan 27 17:54:24.233653 2018] [:error] [pid 15976] [client 127.0.0.1:42054] PHP Fatal error: Unknown: Failed opening required '/home/user/pathto/header.php' (include_path='.:/usr/share/php') in Unknown on line 0
Tried adding directive
php_value auto_prepend_file /home/user/pathto/header.php
to Directory block of the website in apache2.conf, but the same error pops.
What's wrong? What permissions are wrong?
Regards.
Linux uses a permissions model that incorporates users that can belong to groups, and files and directories that can be assigned to those users and groups. By default, when you install Apache and PHP on Ubuntu, you end up with a new user for Apache named "www-data". Anytime Apache runs and needs to access the file system, it is not unlike any other user, and the operating system requires the same permissions that it would any other user.
So technically, if you wanted PHP scripts in your user's home directory, you'd have to somehow give Apache's www-data user the permission to access files there.
When I set up a new server, I'll normally add myself to the www-data group:
# add user brian to the www-data group
sudo usermod -a -G www-data brian
This makes managing files easier for me (once I complete the next steps), as I don't need to use sudo to make changes to files.
I will let www-data own everything under /var/www
# Change all files at /var/www recursively to be owned by www-data
sudo chown -R www-data:www-data /var/www
Make it so new files created under /var/www end up being owned by www-data:
#set the gid on any new dir inside /var/www
sudo chmod 2755 /var/www/html
Then set myself as the owner, instead of www-data:
# Be the owner of all www
sudo chown -R brian:www-data /var/www
Notice that at no time was I giving permissions outside of /var/www, but this makes managing files and directories inside /var/www easier, so you don't feel the need to put PHP files in your home directory.
I know this question is asked a lot, but I can't seem to find the error why my symlinks sometimes aren't working.
I have two folders:
/home/user/domains/example.com/folder1
/home/user/domains/example.com/folder2
These are their permissions:
drwx--x--x 9 root root 4096 May 12 11:15 home
drwx--x--x 7 user access 4096 Feb 9 10:23 user
drwx--x--x 3 user user 4096 May 5 2014 domains
drwx--x--x 12 user user 4096 Jul 7 09:52 example.com
drwxr-xr-x 2 apache apache 4096 Jan 21 09:22 folder1
drwxrwxrwx 4 user user 4096 Jul 9 10:38 folder2
In PHP I create two symlinks:
symlink("/home/user/domains/example.com/folder1","whatever/folder");
symlink("/home/user/domains/example.com/folder2","whatever/folder");
Why is my symlink to folder1 working and my symlink to folder 2 not? I have been looking at it for hours now..
Edit:
Well, as my provider isn't of any help, I'd like to try a different solution: create a symlink and immediately change its owner. This, however, gives me an 'Operation not permitted' error. Any ideas on that?
Assuming the symbolic links were created successfully, folder2 most likely yields a permission error when Apache is configured to only follow symbolic links if the owner matches; you're looking for this specific configuration option:
SymLinksIfOwnerMatch
You could make Apache less rigid by using the following option instead:
FollowSymLinks
Alternatively, fix the ownership of the symbolic link target to make it work.
Try to delete both symlinks, then 1) try PHP again and see if it persists and 2) log in via SSH and create the same links using ln instead, for example
ln -s /home/user/domains/example.com/folder1 whatever/folder
If that works, then it is probably a permission issue with the folder you are linking from or into, that the apache server / PHP cannot address.
Does whatever/folder have enough permissions?
Remove folder1 and folder2, then try
symlink("/home/user/domains/example.com/folder1.txt","whatever/folder");
Change the user group of folder2 from user:user to apache:apache
chown -R apache:apache folder2
The reason is because Apache needs the group permissions rather than a normal user.
My website creates files with owner apache:apache when uploading a file, like this:
drwxr-xr-x 2 apache apache 4096 Aug 28 14:07 .
drwxr-xr-x 9118 apache apache 233472 Aug 28 14:07 ..
-rw-r--r-- 1 apache apache 41550 Aug 28 14:07 468075_large.jpg
-rw-r--r-- 1 apache apache 26532 Aug 28 14:07 468075_medium.jpg
-rw-r--r-- 1 apache apache 50881 Aug 28 14:07 468075_original.jpg
-rw-r--r-- 1 apache apache 4316 Aug 28 14:07 468075_small.jpg
Now I am trying to create a file inside the same folder with the user that owns that domain in Plesk and I get permission denied.
How can I have both apache and shell user with permissions over that files?
Thanks.
You have to create a group and put your Plesk and Apache user in it. Then you have to chmod -R g+rwX on your files.
And set the default umask of your system to 002.
If that shell user is not apache but in the same group, you will need to make the folder group writeable.
chmod 775 .
As it is right now it won't allow anyone other than apache to add a folder.
Or, you can try to use php to do fopen?
Thanks for the answers but I finally decided to run a cron job that will open a php script from the website using wget.
That way it's the same apache user that already has access to the files. I did this basically because I've got tons of files, about 300GB of images so it would take a lot I think to apply all the new permissions.
www#srv:/$ ls -lAh /data/
drwxrwxr-x 654 www www 20K Aug 21 00:01 history
ls -lAh /data/history/
drwxrwxrwx 19 www www 4.0K Aug 21 10:58 2012-08-21
So I have a directory 2012-08-21 and permissions seem to be OK...
PHP and Nginx both run as www:www for sure...
However...
Warning: mkdir(): Permission denied in /www/sites/mine/shop.php on line 366
string(57) "dir: /data/history/2012-08-21/1104-DAD2974M/"
If you are certain that your servers are running as www, then you need to check the permissions on /data/history/2012-08-21/. It may not have permissions to allow creating a directory within it.
The permissions on the history directory are not enough to review, you have to look at the next level as well.