File ownership of created files - php

I have 2 php applications running on my server and the files within these applications are owned by 2 users (user1 and user2)
The ownership of the files look like this user1:www-data and user2:www-data. I assign www-data as group so my php application can easily write to the files when the permission is set to 775.
So I set all file permissions to 755 and 775 (for files that have to be written to).
Everything good so far, the only problem is that when my php application created a file it sets the ownership to www-data www-data which is not what I want. I want php to set the permission to iether user1:www-data or user2:www-data depending on which application it is.
I am using Nginx 1.6.3 and php 5.5.24 with php-fpm.

You could set the setgid flag on the directory where the files are being saved.
setgid will cause files saved in that directory to be owned by the same group as the directory itself
chmod g+s directoryname

Related

Ubuntu Add/upload folder permissions

i'm hosting a simple php Script wich create folders and upload images , it has a simple admin page (serverip/admin) .
i tested the scripts in my local server and it works perfectly , but in my server it doesnt and i believe its a permissions issue .
my /var/www/ folder permissions :
root#WallApi:/var/www/html# ls -l
total 8
-rw-r--r-- 1 root root 1 Jul 13 00:56 index.php
drwxr-xr-x 7 root root 4096 Jul 13 00:55 Script
root#WallApi:/var/www/html#
i have no group users i simply want to be able to upload / create etc using the script
if you are using LAMP you should change the permission owner to apache user or change permission to 777.
1) Change owner
chown -R apache:apache /var/www/html
2) Change perssmion ( not recommend)
chmod -R 777 /var/www/html
p/s update
The permissions on this folder are:
chmod 755 /var/www/
and the files inside the folder are:
chmod 644 /var/www/file
The default permission for /var/www itself is a pretty standard one: owner root:root and mod 755.
As for anything inside /var/www, that is one of the rare directories where you have the privilege of deciding for yourself what to put in it and what permissions everything in it should have. But what makes the most sense is:
Most files should be writable by whichever user or group is going to be writing to them most. You can set them to be owned by your user account. Or set up a custom group for your developers. Or if the files will be modified rarely and you want good security, you can go with root:root and just sudo in on the rare occasions they'll be modified.
Most files should not be world-writable. So, 644 for files, and 755 for directories is appropriate (or 664 and 775 if you want to give a group write access).
It is not recommended to set any of it to be writable by the web server, ie www-data, except for any specific files your web scripts to be able to write to. If so, it's better to set the user or group of those files to www-data than to make them world-writable. Note that any time the www-data user can write to any file within the web root, whether it's by setting the user or group on those files, or making them world-writable, it's a potential security problem. World-writable is just the worse of the two.

What is "make sure the owner of the folder is the Apache user (mostly it is www-data)"?

I have a PHP script application installed on a cloud server.
One of the function is the "PDF Preview", which is currently not working properly.
I contacted the PHP script owner, and he asked me to make sure:
1. dompdf/lib/font/ folder has write permissions (777)
2. the owner of the folder is the Apache user (mostly it is www-data)
For the 1st one, I tried to change the directory permission directly in the FileZilla interface. But it always changes back to 775 after I refresh...
For the 2nd one, I have no idea what it means... I contacted the technical support of my cloud server service. He said it's an App related issue, not server.
Can anyway give me some direction please? Should I use SSH? or anything else?
Really appreciated your help...
Erin
If you have SSH access, it is easier.
1) SSH in and CD into your web directory (likely public_html)
2) run the command chmod -R 777 dompdf/lib/font/
However permission 755 is likely fine...
3) Run ls -l. It will likely look like this:
-rw-r--r-- 1 erin erin 395 Aug 21 2013 index.php
The first 'erin' is the user and the second 'erin' is the group.
There may be other files that have the correct group (such as www or apache). Try and match other files in the public_html directory:
To change the owner: chown apache dompdf/lib/font/
To change the group: chgrp apache dompdf/lib/font/
If you're on shared hosting you might not have access to do this. I'm guessing it's more likely a path or configuration issue than a permissions issue, but give this a shot.
As far as I know you cannot change the owner of a file/directory via FTP. You can via SSH.
The command to change file permissions:
chmod 777 filename.php
To change a directory's permissions:
chmod -R 777 dirname/
To change the owner of a file:
chown www-data filename.php
To change the owner of a directory:
chown -R www-data dirname/
To change the group of a file:
chgrp www-data filename.php
To change the group of a directory:
chgrp -R www-data dirname/
Make sure you are in the file's directory when changing file permissions and ownership with the above commands. Otherwise you'll have to update the path.
If you are updating directories, be sure to be above the directory you wish to update.
Hope this helps.
P. S. To view the current permissions / owner / group of a file or directory, use the ls -la command.
Do not use the database user as the UNIX user. Use www-data.
sudo chown -R www-data:www-data /var/www
There is a difference between the database user and the Apache user. The Apache User is the only one who can actually read the files. The database user is only meant for giving/taking database read/write permissions.
In addition, keep the default permissions from the webapp install. Do not change those, except for the owning user/group. If you are instructed by the webapp, change permissions.
If you are more concerned about security, you could instead run the following commands:
sudo chown -R $USER:www-data /var/www
sudo chmod -R 640 /var/www
This makes the actual files owned by your user, so that only you (and root) can modify them. The reason www-data is referenced is so that Apache can still READ the files, but not actually write to them.
The 640 allows you (the file owner) to read and write, while allowing the www-data group to read files. It also blocks anyone else from possibly reading the file contents.
(The above is only one possible (untested) method. More good ways are available here.)

Give Server Write Access To Folders

I'm hosting a LAMP EC2 instance via Amazon AWS.
Part of my website allows users to upload files. Unfortunately, the server is not able to store permanent copies in the "uploads" folder because it is lacking necessary permissions.
A PHP script is called that will store a file to the "uploads" folder. The upload will fail while the upload folder has standard 755 and 775 permissions. However, when i change the folder permissions to 777 (world permissions), it works.
For obvious reasons, I don't want to use 777 world permissions. How can i make it so that the server has permission to write files to the "uploads" folder?
Thanks guys.
This might be an issue with the Ownership of the upload folder.
The ownership of the folder can be checked by the following command
ls -l
Sample Output:
-rw-r--r-- 1 root root 0 Aug 31 05:48 demo.txt
.
Here it can be seen that the both the USer of the File is root and the Group of the File is root.
Executing this command inside a directory will show the permissions and ownership of all the files and folders in that folder.
Now with LAMP stack you need to make sure the ownership will be with the
Apache User i.e. www-data and Apache Group again www-data.
This can be done by going in the root folder of your application and and executing the Command
chown -R www-data:www-data
Sample Output:
-rw-r--r-- 1 www-data www-data 0 Aug 31 05:48 demo.txt
This will recursively change the ownership of all the files and folders inside the Root Directory to the Apache User and Group.
The Common cause of this issue is when you have downloaded the package or files , you have obviously done it as a local or root user and Apache is not having permissions to do it. Or you have created a directory manually.
This is the basic idea to solve the issue, you also just might want to consider to execute this command and change the ownership of just your "uploads" directory .

php apache on linux

My PHP application and all the files are owned by www-data however I am currently logged in to the server using my username ruser. I'm developing on the same machine so everytime I want to test changes to my php code I have to go back and forth between file owners.
Is this the best practice or is there a different way I can set this up to make my development smoother?
Make your user part of the www-data group, or make the www-data user part of your group. Then give group access to your files:
usermod -a -G www-data yourusername
In terms of best practice, you should be developing on a different machine anyway. Then deploy your code and use scripts to set up whatever secure configuration is right for your project.
There are a few options open to you.
1) You can change all the files to the www-data group while keeping them owned by you
from your site's root directory run:
chmod -R ruser:www-data ./*
2) The best method is to set up an ACL if your distribution supports it: http://bit.ly/Lat25d
3) Or the simplest method (on a dev machine only - don't do this on a live server) is to chmod everything to 777 from the site's root directory
chmod -R 777 ./*
You can change the files to be owned by any user, i.e use the following command: chown username:groupname file.php
Only require Apache to own the files if Apache is going to write to the files or overwrite the files.
So change the ownership to the FTP user to avoid constant ownership changes.

How to upload a file to a folder without 777 permission?

I want to upload a file to a folder which has not 777 permission. How can i do this using php?
You could set up the directory on the server to be either:
1) owned by the user running the web server process and allowed user write access
or
2) be a part of the group that the user running the web server process is in and allowed group write access
For example, if the you are running apache2 and it is owned by www-data in the group www-group, you would set your directory:
chown www-data directory
chmod u+w directory
or
chgrp www-group directory
chmod g+w directory

Categories