I understand the security implications of 777. This is just a troubleshooting measure.
Parent folder:
drwxrwxrwx. 3 web www-data 22 Jun 5 11:04 library
For good measure the immediate parent is also 777.
PHP is running as apache:
print shell_exec( 'whoami' );
Returns apache, which is a member of the www-data group:
# groups apache
apache : apache www-data
The mkdir command fails:
mkdir("/var/www/html/library/temp__9pa2spj13nkiatknv8odqrv3n0");
Warning: mkdir(): Permission denied in /var/www/html/test.php
If I try to chdir to the directory first, I can getcwd() and it's correct. If I try to create the directory at that point, it fails.
I'm out of ideas on what to test.
Here's my entire test script for good measure:
<?php
error_reporting(E_ALL);
ini_set('display_errors', TRUE);
ini_set('display_startup_errors', TRUE);
// Which Unix user PHP is actually running as
print shell_exec( 'whoami' );
// Absolute path: fails with "Permission denied"
mkdir("/var/www/html/library/temp__9pa2spj13nkiatknv8odqrv3n0");
// Relative path after chdir(): getcwd() is correct, but mkdir() still fails
chdir("/var/www/html/library");
echo getcwd();
mkdir("temp__9pa2spj13nkiatknv8odqrv3n0");
By default SELinux should be configured to block writes to any files by the web server (Apache). The httpd_sys_content_t context shows that the directory is set to read only. You need to set it to read/write by using the httpd_sys_rw_content_t context. This can be done using the semanage tool. The command would look like this:
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/library(/.*)?"
After you set that policy, you can apply it by doing...
restorecon -Rv /var/www/
I want to use PHP to show some syslog info on a web page to remote monitor my home linux box.
I.e. some stuff filtered with grep out of /var/log/daemon.log
<?php
$output = `grep ddclient /var/log/daemon.log`;
echo "<pre>$output</pre>";
?>
Now the file /var/log/daemon.log is owned by root and the PHP user (www-data) has no access.
So obviously the above returns empty.
What's the solution?
Thanks,
Gert
This is a variant of Puggan Se's setuid solution, but a bit better IMHO.
Create a grep_ddclient.sh shell script, containing:
#!/bin/sh
grep ddclient /var/log/daemon.log
Then add the following to /etc/sudoers:
apache ALL=NOPASSWD: /path/to/grep_ddclient.sh
Then run sudo /path/to/grep_ddclient.sh from PHP
Alt 1:
change read access of the file /var/log/daemon.log so apache can read it.
Alt 2:
put grep ddclient /var/log/daemon.log in a shell file, then set the SETUID flag on it and give apache the right to execute it:
chown root:apache grep_ddclient.sh
chmod 550 grep_ddclient.sh
chmod +s grep_ddclient.sh
and then run grep_ddclient.sh from php
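An added example, not from either answer above, that implements the wrapper both of them describe. Linux ignores the setuid bit on interpreted (#!) scripts, so of the two the sudo route is the one that works; the wrapper is then only safe if it is root-owned, not writable by the web user, uses a fixed PATH and takes no arguments, otherwise it is a privilege-escalation path. The install path /usr/local/sbin/grep_ddclient.sh, the sudoers.d file name and the www-data user are assumptions, not from the page; LOGFILE is overridable only so that the test below can point it at a constructed log.

```shell
#!/bin/sh
# grep_ddclient.sh: read-only, fixed-command wrapper for use via sudo.
# Install (assumed location):  install -o root -g root -m 0755 grep_ddclient.sh /usr/local/sbin/
# sudoers (visudo -f /etc/sudoers.d/grep_ddclient, assumed file name):
#   Defaults!/usr/local/sbin/grep_ddclient.sh !requiretty
#   www-data ALL=(root) NOPASSWD: /usr/local/sbin/grep_ddclient.sh
# PHP side: shell_exec('/usr/bin/sudo /usr/local/sbin/grep_ddclient.sh');
set -eu
umask 077
PATH='/usr/bin:/bin'   # never trust the PATH a caller hands to a root process

LOGFILE="${LOGFILE:-/var/log/daemon.log}"

# Print every line of $1 mentioning ddclient. -F: the pattern is fixed text,
# not a regex. grep exits 1 when nothing matches; that is not an error here,
# so only a real failure (unreadable file, exit 2) propagates.
ddclient_lines() {
  grep -F -- 'ddclient' "$1" || [ "$?" -eq 1 ]
}

# Refuse arguments: sudoers grants exactly this command line, and accepting
# arguments would let the web user choose what root greps, or in which file.
if [ "$#" -ne 0 ]; then
  echo "usage: $0 (takes no arguments)" >&2
  exit 64
fi

if [ -r "$LOGFILE" ]; then
  ddclient_lines "$LOGFILE"
else
  echo "$0: cannot read $LOGFILE" >&2
fi
```

Because the web user can only run this one file and cannot edit it, what root does on its behalf is fixed at install time; that is the whole point of the wrapper, so do not add a parameter to it later "for convenience".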
I have a function in PHP language to create an xml file when requested.
if (($file = fopen("./include/catalogo.xml", "w")) === false) {
    echo 'file not created';
    return false;
}
"catalogo.xml" can't be created, permission denied. I know I should try to change permissions, but how can I do this if the file doesn't exist? Or is there something I've overlooked?
I think you might be ignoring the permissions of the directory (./include).
I'm assuming you are running this PHP via a web server on Linux (Apache, for example), in which case the user account that is trying to create the file will be 'apache' or 'www-data' (or whatever user your web server is running under).
On your server - have a look at the permissions of ./include - you need to do one of two things:
a) make ./include world writable (so the 'apache' user can now create a file inside of it).
b) change the owner or group of the ./include to 'apache' so it can create a file inside of it.
Your PHP is fine - it's the permissions of the folder it is trying to create the file inside of that is not.
You have to change the ownership of the directory "include" and set it to the web server's user and set the permission to a reasonable value:
$ sudo chown www-data include
$ sudo chmod 755 include
If you don't know which user your web server is running as, you can open the include dir permissions to everyone:
$ sudo chmod 1777 include
After catalogo.xml has been created, check the include directory:
$ sudo ls -al include
-rwxr-xr-x 1 http web 4096 May 5 15:37 catalogo-xml
Now you can change the ownership of the directory "include" and set it to the web server's user (http) and reset the permission to a reasonable value:
$ sudo chown http include
$ sudo chmod 755 include
See also the manual of chmod, chown and ls:
$ man chmod
$ man chown
$ man ls
If you use the terminal, go to the parent of the folder your file will be created in (the parent of the include folder) and type in the command:
chmod 777 include
This should change the permissions of this folder so you won't receive the permission denied error anymore. If not, try this command:
chmod -R 777 include
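The answers above all reach for 777 at some point; the following is an added example, not from any of the answers, of creating the include directory so that PHP can write into it while nobody else on the box can, plus an audit function that flags directories left world-writable. It assumes the web server runs in group www-data (override with WEB_GROUP=...) and that the deploying user owns the directory; both are assumptions, not facts from the page.

```shell
#!/bin/sh
# Create a web-writable directory without 777, and audit for world-writable ones.
set -eu

WEB_GROUP="${WEB_GROUP:-www-data}"   # assumed web server group

# First ten characters of `ls -ld`, e.g. "drwxrws---" (portable; no GNU stat needed).
perm_string() {
  ls -ld "$1" | cut -c1-10
}

# Exit 0 when "other" has the write bit: 777/1777-style directories that any
# local user or any compromised service on the host can drop files into.
is_world_writable() {
  case "$(perm_string "$1")" in
    ????????w?) return 0 ;;
    *) return 1 ;;
  esac
}

# Make $1 writable by the web server's group only: owner rwx, group rwx,
# other nothing, plus setgid (the leading 2) so that files PHP creates inherit
# the group and stay manageable by the deploying user. chgrp needs root or
# membership in $WEB_GROUP; if it fails the mode is still tightened and a
# note goes to stderr. Prints the resulting permission string.
make_web_writable_dir() {
  dir=$1
  mkdir -p "$dir"
  chgrp "$WEB_GROUP" "$dir" 2>/dev/null ||
    echo "note: could not chgrp '$dir' to $WEB_GROUP; run as root or a member of that group" >&2
  chmod 2770 "$dir"
  perm_string "$dir"
}
```

Used on the page's layout this is make_web_writable_dir ./include, after which fopen("./include/catalogo.xml", "w") succeeds for the web user and the file it creates belongs to the www-data group; is_world_writable is the check to run over a document root before deciding the "I'll tweak the permissions later" step has actually happened.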
I am using a php script to call a backend python script.
<?php
error_reporting(-1);
$output = shell_exec("sh run.sh 2>&1");
echo "<pre>$output</pre>";
?>
The run.sh script is:
#!/bin/bash
wget http://markets.usatoday.com/custom/usatoday-com/html-mktscreener.asp
python hw7-9.py index.html
echo "done";
The output is
run.sh: wget: not found
run.sh: python: not found
done
If I run it normally from shell it works perfectly.
To try and fix the "not found", I did "which wget" and replaced it with the full path:
/afs/cad/sw.common/bin/wget -O index.html http://markets.usatoday.com/custom/usatoday-com/html-mktscreener.asp
Now I get "permission denied".
What are the permissions of your php and your shell script?
I've used the same approach that you're using, successfully. Full ownership and attribute details below.
# ls -l
-rw-r--r-- 1 root root 2332 Jan 4 23:07 daily.php
-rwxr-xr-x 1 root root 232 Oct 30 22:43 get_stuff.sh
The user/group ownership on your system will vary. The read/write/execute permissions don't have to strictly match mine, either. But for reference, my setup is achieved via:
chmod 644 daily.php
chmod 755 get_stuff.sh
chown root:root *
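The "wget: not found" in this thread is a PATH problem, not a file-permission one: a script started from shell_exec() inherits httpd's environment, whose PATH is far shorter than a login shell's, and "sh run.sh" runs the file under /bin/sh regardless of its #!/bin/bash line. The later "permission denied" on an /afs/ path is consistent with that too, since an AFS path readable in a login session, where you hold a token, is not necessarily readable by the httpd user, which holds none. The following added example (not the poster's run.sh nor the answer's get_stuff.sh) shows a wrapper that resolves its tools against an explicit PATH and fails with a message that says so. The TOOL_PATH directories and the hw7-9.py location are assumptions.

```shell
#!/bin/sh
# run.sh replacement that does not depend on the web server's environment.
# Invoke as ./run.sh (or bash run.sh), not "sh run.sh", so the #! line counts.
set -eu

# Fixed search path (assumed). Add the directory `which wget` reports in your
# login shell if it is outside these; the page's /afs/... path is site specific.
TOOL_PATH='/usr/local/bin:/usr/bin:/bin'

# Resolve a tool under TOOL_PATH only. Prints its absolute path, or explains
# why a command that works at your prompt is "not found" here and returns 1.
# The subshell keeps the caller's PATH untouched.
tool_path() {
  ( PATH="$TOOL_PATH"; command -v "$1" ) 2>/dev/null || {
    echo "error: '$1' not found in $TOOL_PATH (the web server's PATH differs from your login shell's)" >&2
    return 1
  }
}

# What a process started with an empty environment sees; run this from PHP
# via shell_exec() to compare with your interactive shell's PATH.
minimal_env_path() {
  env -i /bin/sh -c 'echo "${PATH:-<unset>}"'
}

# Fetch the page into $1 and run the analysis script with absolute tool paths.
# $2 is the URL; hw7-9.py is assumed to live in the work directory.
fetch_and_analyse() {
  workdir=$1
  url=$2
  wget=$(tool_path wget)
  python=$(tool_path python)
  cd "$workdir"
  "$wget" -q -O index.html "$url"
  "$python" ./hw7-9.py index.html
  echo done
}
```

If tool_path succeeds but the fetch still fails, the remaining difference between you and the httpd user is credentials (AFS token, Kerberos ticket, HTTP proxy variables), none of which a service process inherits from your session.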
I'm having a problem writing to a text file using PHP. This might sound simple, but I've set the file owner and group to apache/root, permission to 777, and I'm still unable to write to the file. I'm running CentOS with PHP 5.3.8.
====================
New info
====================
semanage fcontext -l | grep httpd | grep rw
/var/lib/drupal(/.*)? all files system_u:object_r:httpd_sys_script_rw_t:s0
/var/spool/gosa(/.*)? all files system_u:object_r:httpd_sys_script_rw_t:s0
/var/lib/bugzilla(/.*)? all files system_u:object_r:httpd_bugzilla_script_rw_t:s0
/var/spool/viewvc(/.*)? all files system_u:object_r:httpd_sys_script_rw_t:s0
To allow the directory to be r/w, I used the chcon command to add the httpd_sys_script_rw_t type to the directory and anything under it:
chcon -R -t httpd_sys_script_rw_t <directory>
The -R flag makes the command recursive.
The -t flag sets the extended attribute on the file to the specified file context. In this case the httpd file context httpd_sys_script_rw_t which is used when:
you want httpd_sys_script_exec_t scripts to read/write the data, and disallow other non sys scripts from access.
The appropriate file contexts to use for allowing HTTPd to write to disk (as well as booleans for other operations) are described in the httpd_selinux(8) man page.
I have recently installed FC13 and am attempting to write a mechanism in my PHP code that caches gathered data into a specific directory (for our purposes here, let's call it /var/www/html/_php_resources/cache).
I copy my files over to the /var/www/html directory and then run chown -R apache:apache /var/www/html/* and chmod a+w /var/www/html/_php_resources/cache on the new data. For right now I am just using the global write permission for convenience. I will tweak the permissions later.
When I attempt to use the chmod or mkdir PHP functions I wind up with:
Warning: chmod(): Permission denied in /var/www/html/_include/php/CacheInit.php
or
Warning: mkdir(): Permission denied in /var/www/html/_include/php/CacheInit.php
Now, when I disable SELinux everything works just fine. The problem is that I would prefer not to disable SELinux and actually get the permissions set up correctly so that I can port it over to servers where someone does not have such explicit control.
As an example: my personal site host allows me to set read/write permissions on directories but will not allow for SELinux policy changes.
FYI:
uname -r = 2.6.34.7-56.fc13
php -version = PHP 5.3.3
rpm -qa | grep httpd = httpd-2.2.16-1.fc13
Does anyone have any suggestions?
I had the same problem, trying to mkdir from PHP. Not so much information on Google, but this is what I found and I guess this is the correct solution. One has to label the dir in which Apache should create directories.
Label should be "httpd_sys_script_rw_t" and I found that info here: http://docs.fedoraproject.org/en-US/Fedora_Core/5/html/SELinux_FAQ/index.html#id672528
Here's how to label the dir: chcon -R -t httpd_sys_script_rw_t <dir>
Reference somewhere here: http://www.centos.org/docs/5/html/Deployment_Guide-en-US/rhlcommon-chapter-0017.html
Hope this helps someone out there.
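Three threads on this page (the mkdir on a 777 library directory that still fails, the CentOS "New info" post, and the FC13 cache directory) are the same SELinux problem, and the answers split between semanage and chcon. The following added example, not code from any of those posts, ties them together: it reads a path's context, classifies the type, and emits the persistent fix. It assumes the Fedora/RHEL/CentOS targeted policy type names and GNU coreutils stat (its %C format prints the SELinux context); semanage comes from policycoreutils-python. Per httpd_selinux(8), httpd_sys_rw_content_t is the type for content httpd itself writes, which is the case for PHP running inside httpd, while httpd_sys_script_rw_t is the type for data CGI scripts write; the check below accepts both. The important caveat is that chcon changes only the inode label, which the next restorecon or filesystem relabel undoes, whereas the semanage fcontext rule survives both.

```shell
#!/bin/sh
# Classify an SELinux file context and emit the persistent relabel commands
# that make a directory writable by httpd. Usage: ./selinux_web_rw.sh --apply DIR
set -eu

# Type field of a full context: "unconfined_u:object_r:httpd_sys_content_t:s0"
# -> "httpd_sys_content_t". -s makes a string with no ':' yield nothing,
# which is how an unlabeled or non-SELinux path shows up.
context_type() {
  printf '%s\n' "$1" | cut -d: -s -f3
}

# Exit 0 if the type lets httpd (or its CGI/PHP scripts) write, 1 otherwise.
httpd_can_write_type() {
  case "$1" in
    httpd_sys_rw_content_t|httpd_sys_script_rw_t) return 0 ;;
    *) return 1 ;;
  esac
}

# Current context of a path; "?" on a box without SELinux or GNU stat.
path_context() {
  stat -c '%C' "$1" 2>/dev/null || echo '?'
}

# The two commands that make $1 (and everything under it) writable by httpd
# persistently: the fcontext rule first, then restorecon to apply it now.
relabel_commands() {
  dir=$1
  printf "semanage fcontext -a -t httpd_sys_rw_content_t '%s(/.*)?'\n" "$dir"
  printf "restorecon -Rv '%s'\n" "$dir"
}

# Print a verdict for $1 and, when needed, the fix.
audit_dir() {
  type=$(context_type "$(path_context "$1")")
  if httpd_can_write_type "$type"; then
    echo "ok: $1 is $type"
  else
    echo "needs relabel: $1 is ${type:-unlabeled}"
    relabel_commands "$1"
  fi
}

# --apply DIR runs the commands instead of printing them (needs root).
if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
  relabel_commands "$2" | sh -x
fi
```

After relabeling, semanage fcontext -l | grep library should list the new rule, and a mkdir() that still fails shows up as an AVC denial in ausearch -m avc -ts recent, which is the place to look before reaching for setenforce 0.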