I can't run command line script from Exec
$exec = exec($command, $output, $return );
I have tried passthru,shell_exec,system but obviously this is not the problem.
sudo chown -R www-data:www-data /root/path/nonce.py
sudo chmo 775 /path/nonce.py
sudo chmo 777 /path/nonce.py
sudo chmo 755 /path/nonce.py
didn't helped
exec("python -V 2>&1");
works
But
/usr/bin/python /root/path/nonce.py
Array ( [0] => /usr/bin/python: can't open file '/root/path/nonce.py': [Errno 13] Permission denied )
dosent
running on nginx and php5-fpm
You need to consider the permissions for each directory on the path to the Python script. This means:
/root
/root/path
/root/path/nonce.py
The permissions for the root account are naturally restricted. If you look a root's home directory:
$ ls -ld /root
dr-xr-x---. 9 root root 4096 Aug 20 23:50 root
You will see that only the root user, and users within group root, can read or list the contents of /root.
It's a bad idea to place your script in root's home. There are more appropriate places such as /var/www/cgi-bin assuming that your script is a CGI script. On my system:
$ ls -ld /var/www
drwxr-xr-x. 4 root root 4096 Jul 17 17:22 /var/www
$ ls -ld /var/www/cgi-bin
drwxr-xr-x. 2 root root 4096 Jul 17 17:22 /var/www/cgi-bin/
which can be read and listed by any user. You should install the script in a directory appropriate for nginx.
one of the directories on the path probably lacks r permisison for the relevant user - most likely /root
can you move the python script to a dir that is world readable?
Related
I am trying to self host a PHP script called sngine. (facebook clone)
When trying to install it I get an error:
config.php - Required includes folder to be writable for the installation
when I run ls -l I get this: drwxrwxrwx 5 mbeck mbeck 4096 Aug 25 23:00 includes
I don't know why it is saying that it's not writable.
The script is in var/www/{domain name}/
I am on Apache/2.4.41 (Ubuntu) and PHP version: 7.4.22
EDIT:
I found someone saying to run chown www-data:www-data <directory> So I did, and permissions now return drwxrwxrwx 5 www-data www-data 4096 Aug 25 23:00 includes and the error is still there.
Ok, I found it!
I had to run sudo chown -R www-data /var/www/example.com/mydomain/includes/
Now it works!
I'm trying to read a file in PHP and I'm getting a permission denied error although everybody has read access to the file.
The PHP code:
$config=file_get_contents('/opt/jenkins/home/config.xml');
The error:
Warning: file_get_contents(/opt/jenkins/home/config.xml): failed to open stream: Permission denied in [...]
The filesystem permission:
There is a symlink pointing /opt/jenkins/home/ to /var/lib/jenkins and everybody has read permission on the symlink, actual folder, and file.
$ ls -lh /opt/jenkins/
lrwxrwxrwx 1 sysadmin sysadmin 16 2011-08-04 08:12 home -> /var/lib/jenkins
$ ls -lh /var/lib/ | grep jenkins
drwxr-xr-- 6 jenkins adm 4.0K 2011-08-04 10:04 jenkins
$ ls -lh /var/lib/jenkins/config.xml
-rwxr-xr-- 1 jenkins adm 3.9K 2011-08-04 10:05 /var/lib/jenkins/config.xml
Apache configuration
Configured to folllow symlinks (Options All). Adding a Directory directive for /var/lib/jenkins/ makes no difference.
<Directory /opt/jenkins/home/>
Options All
AllowOverride All
Order Allow,Deny
Allow from All
</Directory>
Additional info
Whether I use the path through the symlink ("/opt/jenkins/home/config.xml") or the real path ("/var/lib/jenkins/config.xml") I have the same problem.
apache2 version=2.2.14-5ubuntu8.4
php version=5.3.2-1ubuntu4.9
Any idea as to why I'm getting the error?
Your directory needs execute permission for this to work. It does not seem to have world execute, and since jenkins is probably not the apache user, and the apache user is not in the adm group, it wouldn't work:
$ ls -lh /var/lib/ | grep jenkins
drwxr-xr-- 6 jenkins adm 4.0K 2011-08-04 10:04 jenkins
Per example:
netcoder#netcoder:~$ mkdir foo
netcoder#netcoder:~$ echo hello > foo/bar
netcoder#netcoder:~$ chmod 777 foo/bar
netcoder#netcoder:~$ ls -lsah foo/bar
4.0K -rwxrwxrwx 1 netcoder netcoder 6 2011-08-04 08:22 foo/bar
netcoder#netcoder:~$ chmod 444 foo/
netcoder#netcoder:~$ ls -lsah | grep foo
4.0K dr--r--r-- 2 netcoder netcoder 4.0K 2011-08-04 08:22 foo
netcoder#netcoder:~$ cat foo/bar
cat: foo/bar: Permission denied
Even though foo/bar has 0777 permission, if the directory does not have the execute permission, reading its contents is denied.
You'll need the permission to be set for both the target directory and the symbolic link.
You need the execute bit set on all directories in the hierarchy up to that file.
chmod o+x /var/lib/jenkins
should do the trick.
(Note: ls -lhd /var/lib/jenkins is a bit better than ls -lh ...|grep jenkins)
Lots of modern boxes (digital ocean, rackspace etc) ship with SELinux (Security Enhanced Linux) for RedHat compatible OSs (like CentOS). This throws another wrench into the works which you need to keep in mind. You can have your permissions perfectly set and it will still say permission denied. You need to define a writable context for SELinux:
sudo chcon -t httpd_sys_rw_content_t /data/www/html/sites/mysite -R
Most likely your apache user is not allowed to read or access the web files
Check what user is apache running as:
$ ps aux | grep [a]pache
root 40283 0.0 0.2 472548 21116 ? Ss 14:38 0:00 /usr/sbin/apache2 -k start
www-data 40287 0.0 0.1 472760 8800 ? S 14:38 0:00 /usr/sbin/apache2 -k start
www-data 40288 0.0 0.1 472760 8540 ? S 14:38 0:00 /usr/sbin/apache2 -k start
www-data 40289 0.0 0.1 472776 8540 ? S 14:38 0:00 /usr/sbin/apache2 -k start
Check the path ownership of your web files:
$ namei -mol /home/john/app2/
f: /home/john/app2/
drwxr-xr-x root root /
drwxr-xr-x root root home
drwx------ john john john # <== Ahaa, no access for apache user!
drwxr-xr-x john john john app2
Adjust permissions accordingly:
Well in this step I will leave it up to you, you can either (a) the make apache user 'john' in this example. Or you could (b) move the web folder to a place outside home. Where the execute access can be given to the group or to even others without breaking security good practices.
a. Make apache user john (ONLY FOR DEV SITES or if you know what you are doing)
sudo vi /etc/apache2/envars
# replace
export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data
# with
export APACHE_RUN_USER=john
export APACHE_RUN_GROUP=john
b. Move that folder out of home... what is it doing there anyways?
sudo mv /home/john/app2 /var/www/
Remember to change the site to match this directory and to restart the apache server.
Here are some references:
https://wiki.apache.org/httpd/13PermissionDenied
http://wiki.apache.org/httpd/FileSystemPermissions
After installing everything on Ubuntu Server 16, my testfile shows that HHVM is not started.
At the same time sudo service hhvm status tells me that the status is active (exited) and that it cannot open /var/log/hhvm/error.log
restarting the server gives no errors but i can not get HHVM completely up and running.
The testfile is a simple if/else PHP file in var/www/html like the following.
<?php
if (defined('HHVM_VERSION')) {
echo 'hhvm is working';
} else {
echo 'hhvm is not working' ;
}
?>
Where does this status come from(i already found it might have something to do with the daemon, but i can start the daemon without issues) and how can i fix it?
I already tried the few solutions that i could find, but without succes. :( I am using HHVM with Apache.
edit in response to #hanshendrik
Thanks, your top command shows the first 2 results being equal to the example. then drwxrwxr-x root syslog log and for hhvm: no such file or directory. So i made the hhvm folder and changed the group to www-data. It has drwxr-xr-x rights and the error.log has -rw-rwxr-- rights. However, the problem is not yet solved. It doesn't give the warnings anymore but still says active(exited)and shows that the HHVM fastcgi Daemon started
Edit, partially solved
My testsite still says HHVM is not working though... :(
probably a permission issue, first run sudo su name-of-account-hhvm-is-started-as-here -s /bin/bash (for example, sudo su www-data -s /bin/bash) then run namei -l /var/log/hhvm/error.log, and the point where it fails should be revealed. for example, the output might be
namei -l /var/log/hhvm/error.log
f: /var/log/hhvm/error.log
drwxr-xr-x root root /
drwxr-xr-x root root var
drwxr-xr-x root root log
drwx------ root www-data hhvm
error.log - No such file or directory
here, because the owner is root, and only the owner has execute permissions on the folder, only the owner (root) can open any files inside it, and the fix would be chmod g+x /var/log/hhvm. or the output might be
drwxr-xr-x root root /
drwxr-xr-x root root var
drwxr-xr-x root root log
drwx--x--- root www-data hhvm
-rw-r--r-- root www-data error.log
here, owner and group has execute permissions on the folder, but only the owner has write access to error.log, and the fix would be chmod g+w /var/log/hhvm/error.log,... good luck
I have two directories in /var/www:
root#user:/var/www# ls -l
drwxrwxrwx 2 root root 4096 Июл 14 17:59 first
drwxrwxrwx 2 root root 4096 Июл 14 18:00 second
with exactly the same php scripts:
root#user:/var/www# ls -l first/
-rwxrwxrwx 1 root root 20 Июл 14 16:37 info.php
root#user:/var/www# ls -l second/
-rwxrwxrwx 1 root root 20 Июл 14 16:37 info.php
info.php:
<?php
phpinfo();
?>
But from the first/ directory Apache opens script, from the second/ pulls error:
( ! ) Warning: Unknown: failed to open stream: Operation not permitted in Unknown on line 0
( ! ) Warning: Unknown: failed to open stream: Operation not permitted in Unknown on line 0
( ! ) Fatal error: Unknown: Failed opening required '/var/www/second/info.php' (include_path='.:/usr/share/php:/usr/share/pear') in Unknown on line 0
What can be a reason?
Directory config:
DocumentRoot "/var/www"
<Directory "/var/www">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
You need to change the owner of the two folders from 'root' to apache.
Try sudo chown -R [yourusername]:www-data /var/www
This should help.
There are number of things to try here
1) What folder has your .htaccess?
2) The error you provides hints that php would look for scripts in include_path='.:/usr/share/php:/usr/share/pear'
This points that the script is to be present in the following paths only.
3) You may want to check if ls -Z may reveal the difference in the security context of the directories.
Sometimes SeLinux Context is the thing you need to set. In this case:
ls -lZ
if you got something like
rw-r--r--. root root unconfined_u:object_r:etc_t:s0
OR
drwxr-xr-x. root root system_u:object_r:etc_t:s0
You need to run
chcon -R -t httpd_sys_content_t /var/www
Then you will have
drwxr-xr-x root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/
Something like this
Try this:
sudo chmod -R 755 /var/www
sudo chown -R www-data:www-data /var/www/
sudo service apache2 restart
The group is root probably thats the issue
You could also have tried:
sudo chown -R apache:apache /var/www
I'm trying to read a file in PHP and I'm getting a permission denied error although everybody has read access to the file.
The PHP code:
$config=file_get_contents('/opt/jenkins/home/config.xml');
The error:
Warning: file_get_contents(/opt/jenkins/home/config.xml): failed to open stream: Permission denied in [...]
The filesystem permission:
There is a symlink pointing /opt/jenkins/home/ to /var/lib/jenkins and everybody has read permission on the symlink, actual folder, and file.
$ ls -lh /opt/jenkins/
lrwxrwxrwx 1 sysadmin sysadmin 16 2011-08-04 08:12 home -> /var/lib/jenkins
$ ls -lh /var/lib/ | grep jenkins
drwxr-xr-- 6 jenkins adm 4.0K 2011-08-04 10:04 jenkins
$ ls -lh /var/lib/jenkins/config.xml
-rwxr-xr-- 1 jenkins adm 3.9K 2011-08-04 10:05 /var/lib/jenkins/config.xml
Apache configuration
Configured to folllow symlinks (Options All). Adding a Directory directive for /var/lib/jenkins/ makes no difference.
<Directory /opt/jenkins/home/>
Options All
AllowOverride All
Order Allow,Deny
Allow from All
</Directory>
Additional info
Whether I use the path through the symlink ("/opt/jenkins/home/config.xml") or the real path ("/var/lib/jenkins/config.xml") I have the same problem.
apache2 version=2.2.14-5ubuntu8.4
php version=5.3.2-1ubuntu4.9
Any idea as to why I'm getting the error?
Your directory needs execute permission for this to work. It does not seem to have world execute, and since jenkins is probably not the apache user, and the apache user is not in the adm group, it wouldn't work:
$ ls -lh /var/lib/ | grep jenkins
drwxr-xr-- 6 jenkins adm 4.0K 2011-08-04 10:04 jenkins
Per example:
netcoder#netcoder:~$ mkdir foo
netcoder#netcoder:~$ echo hello > foo/bar
netcoder#netcoder:~$ chmod 777 foo/bar
netcoder#netcoder:~$ ls -lsah foo/bar
4.0K -rwxrwxrwx 1 netcoder netcoder 6 2011-08-04 08:22 foo/bar
netcoder#netcoder:~$ chmod 444 foo/
netcoder#netcoder:~$ ls -lsah | grep foo
4.0K dr--r--r-- 2 netcoder netcoder 4.0K 2011-08-04 08:22 foo
netcoder#netcoder:~$ cat foo/bar
cat: foo/bar: Permission denied
Even though foo/bar has 0777 permission, if the directory does not have the execute permission, reading its contents is denied.
You'll need the permission to be set for both the target directory and the symbolic link.
You need the execute bit set on all directories in the hierarchy up to that file.
chmod o+x /var/lib/jenkins
should do the trick.
(Note: ls -lhd /var/lib/jenkins is a bit better than ls -lh ...|grep jenkins)
Lots of modern boxes (digital ocean, rackspace etc) ship with SELinux (Security Enhanced Linux) for RedHat compatible OSs (like CentOS). This throws another wrench into the works which you need to keep in mind. You can have your permissions perfectly set and it will still say permission denied. You need to define a writable context for SELinux:
sudo chcon -t httpd_sys_rw_content_t /data/www/html/sites/mysite -R
Most likely your apache user is not allowed to read or access the web files
Check what user is apache running as:
$ ps aux | grep [a]pache
root 40283 0.0 0.2 472548 21116 ? Ss 14:38 0:00 /usr/sbin/apache2 -k start
www-data 40287 0.0 0.1 472760 8800 ? S 14:38 0:00 /usr/sbin/apache2 -k start
www-data 40288 0.0 0.1 472760 8540 ? S 14:38 0:00 /usr/sbin/apache2 -k start
www-data 40289 0.0 0.1 472776 8540 ? S 14:38 0:00 /usr/sbin/apache2 -k start
Check the path ownership of your web files:
$ namei -mol /home/john/app2/
f: /home/john/app2/
drwxr-xr-x root root /
drwxr-xr-x root root home
drwx------ john john john # <== Ahaa, no access for apache user!
drwxr-xr-x john john john app2
Adjust permissions accordingly:
Well in this step I will leave it up to you, you can either (a) the make apache user 'john' in this example. Or you could (b) move the web folder to a place outside home. Where the execute access can be given to the group or to even others without breaking security good practices.
a. Make apache user john (ONLY FOR DEV SITES or if you know what you are doing)
sudo vi /etc/apache2/envars
# replace
export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data
# with
export APACHE_RUN_USER=john
export APACHE_RUN_GROUP=john
b. Move that folder out of home... what is it doing there anyways?
sudo mv /home/john/app2 /var/www/
Remember to change the site to match this directory and to restart the apache server.
Here are some references:
https://wiki.apache.org/httpd/13PermissionDenied
http://wiki.apache.org/httpd/FileSystemPermissions