I think I'm misunderstanding something fundamental about file permissions in an OpenShift PHP app. How do they actually work?
I develop on OSX and push changes using SourceTree. When I log in to the app via an SFTP program (Cyberduck) the index.php file shows its permissions set to 600, yet visitors can view it OK in a browser.
This surprises me, as I thought the file would require permissions of 644 to be browsable (like an Apache webserver).
On OpenShift, it seems as though file permissions 600, 640 and 644 are all equivalent. Is this correct, or am I doing something wrong?
Related:
My OpenShift app has a cgi-bin folder containing a cgi program that should only be executed (called) from a PHP file. In other words, any PHP script should be able to call this cgi program, but a visitor attempting to browse to the cgi-bin folder directly should not.
I set both the cgi-bin folder and cgi program file permissions to 700 (so only the 'owner' has read/write/execute set, and no permissions are granted for 'group' and 'others'). However visitors can still browse to the program URL directly and execute it (e.g. www.example.com/cgi-bin/program.cgi) - as if the permissions were 777. How do I solve this?
I think you are used to a system where one user owns the files being served, and the web server runs as another user, but since the files owner (your user account that is that big long hash) is also the owner of the process that runs the web server on OpenShift, then it is using the "6" part of the permissions, so it makes sense that the other two digits that you add don't make a difference. If there is a script that you don't want web accessible, but that you want PHP to be able to execute, then you should place it outside of your web directory that contains your php files. The easiest way to do that would be to create a "php" folder in your repo, and put your files inside of it that need to be web accessible. That will change your documentRoot to that php directory, and you can put your script one level above that so users can't execute it with a web request.
Related
What permissions do I need to set up on a directory in order to make it writable by php?
By "writable", I mean copying and creation of new files within that directory automatically by php itself.
I'm testing this on a free host, and the default permissions are 755.
When I try executing a php script, that attempts to create another subfolder of that directory, and copy certain files in it, and it fails.
If I set it up to 777, it works fine, but I assume that doesn't work on all Apache versions because of security reasons?
Also, when creating new files, does php act as the "owner"?
Whatever process that runs the PHP interpreter should should have a user account associated with it. Only that user needs write permission in the directory. So to answer your last question, it's usually www-data or apache that is the owner of that file.
Permission of 777 will work because it allows everyone to read, write and execute that directory but depending on your application this might be a security hole.
I've just bought a VPS for testing purposes trying to learn how to use it etc.
I've setup apache/php and running a script which PHP creates folders. Ive tried setting the script to chmod it to 0755 but it still doesn't let me delete the folder.
I can't chown/chgrp as im not running the script as root.
I just need to be able to delete the folder with PHP, Is there a config file i can change so PHP creates folders with a different user group?
Thanks
Your folder is created by your script, that usually runs with the apache or web user. So you can't manipulate it as yourself (in an FTP for example).
What you can do is change the mode within your script (still running as apache or web user) like so:
<?php
chmod("/somedir/somefile", 0777); // octal; correct value of mode
?>
I have an Apache server installed which exposes a website written in PHP that I have been working on. One of the functions of the website is to insert new data into a MySQL database. When data is to be inserted the user presses a link which in turn calls a PHP script which contains a line like this
$script_return = exec('python some_script.py);
the python script generates a number of files in the root of the root directory of the site. After creation of these files the script names them after a specific system and moves them to subfolders (via shutil). When I run the script manually everything works fine. When I, however, try to run is from the website the files are created but they are not moved. Both the .php script and the .py script have 777 right and belongs to the www-data group but it still does not work.
Any help would be appreciated.
It sounds like the www-data user may not have the right permissions in your destination folders. If Apache can create the files, it should have rights to move the files.
Why not create the files directly in the location that you want them? That will also give you a more specific error about what's going wrong.
You could also have the python script write a log file somewhere that you can check after.
Once you've got it sorted, I would recommend removing 777 permissions.
This question is related to another question I wrote:
Trouble using DOTNET from PHP.
Where I was using the DOTNET() function in PHP to call a DLL I had written.
I was able to get it working fine by running php.exe example.php from the command line (with the DLL's still in the PHP folder).
I moved the php file to an IIS 7 webserver folder on the same machine (leaving the DLLs in the same php folder), but I keep getting a 500 internal service error.
I've checked the server logs (in c:\inetput\logs\ and in c:\windows\temp\php53errors) but there doesn't seem to be any relevant information about what caused the error. I even tried to change the php.ini settings to get more error feedback, but that doesn't seem to help.
I can only guess that the issue may be related to:
that php file not having the proper permissions (my dll does some file reading/writing)
php can't find the DLLs
The actual error I get is:
The FastCGI process exited unexpectedly.
Any idea on how to debug this problem?
The problem here is almost certainly related to file permissions.
When you run php.exe from the command line you run as your own logged-in user. When running a PHP script from IIS, in response to an http request, php.exe runs as a different user. Depending on your version of Windows it could be
IUSR_machine - on IIS6 and prior
IUSR on IIS7 and later
These users need permissions on the php file to be executed.
Read more about it
On IIS7 and later I use a command-line tool called icacls.exe to set the permissions on directories or files that need to be read by IIS and the processes it starts (like php.exe). This security stuff applies to all IIS applications: PHP, ASPNET, ASP-classic, Python, and so on.
IIS also needs to be able to read static files, like .htm, .js, .css, .jpog, .png files and so on. You can set the same permissions for all of them: Read and Execute.
You can grant permissions directly to the user, like this:
icacls.exe YOUR-FILE-GOES-HERE /grant "NT AUTHORITY\IUSR:(RX)"
You can also grant permissions to the group, to which IUSR belongs, like this:
icacls.exe YOUR-FILE-HERE /grant "BUILTIN\IIS_IUSRS:(RX)"
In either case you may need to stop and restart IIS after setting file-level permissions.
If your .php script reads and writes other files or directories, then the same user needs pernissions on those other files and directories. If you need the .php script to be able to delete files, then you might want
icacls.exe YOUR-FILE-HERE /grant "BUILTIN\IIS_IUSRS:(F)"
...which grants full rights to the file.
You can grant permissions on an entire directory, too, specifying that all files created in that directory in the future will inherit the file-specific permissions set on the directory. For example, set the file perms for the directory, then copy a bunch of files into it, and all the files get the permissions from the parent. Do this with the OI and CI flags (those initials stand for "object-inherit" and "container-inherit").
icacls.exe DIRECTORY /grant "BUILTIN\IIS_IUSRS:(OI)(CI)(RX)"
copy FILE1 DIRECTORY
copy FILE2 DIRECTORY
...
When I want to create a new vdir in IIS, to allow running PHP scripts, or ASPX or .JS (yes, ASP Classic) or Python or whatever, I do these steps:
appcmd.exe add app /site.name:"Default Web Site" /path:/vdirpath /physicalPath:c:\docroot
icacls.exe DIRECTORY /grant "BUILTIN\IIS_IUSRS:(OI)(CI)(RX)"
Then I drop files into the directory, and they get the proper permissions.
Setting the ACL (access control list) on the directory will not change the ACL for the files that already exist in the directory. If you want to set permissions on the files that are already in the directory, you need to use icacls.exe on the particular files. icacls accepts wildcards, and it also has a /t switch that recurses.
I'm working on an upload script for students in my lab class to upload their assignments to a folder inside my home directory. The problem is that the script is run under the user apache and any directories and files created by the script end up owned by that user. In addition the permissions of the folder I wish the files to end up in have to be set wide open so that apache can create directories and move files into it (which of course will still be owned by apache).
I'm trying to replace an old script provided by the department which, among other problems, has about 5 different use cases where the student can receive a confirmation when the file wasn't actually uploaded. That script does use chown apparently without any of the problems PHP has. Perhaps the python interpreter runs with different access setting that the PHP one does.
What tactics are there for handling this?
There's a few ways to cope with this, but the most benign that I can imagine is to dedicated a sub-directory in your home directory for the purpose of uploading assignments.
All you have to do permissions wise is give the directory group ownership by some group the apache user belongs to. Suppose the webserver user is apache, and furthermore there is a group apache said user is a member of. You could also create a common group for this purpose that you and apache are part of.
Now let's say the directory you want to put the uploaded files in is ~/homework-submissions
As yourself
mkdir ~/homework-submissions
chgrp apache ~/homework-submissions
chmod g+a ~/homework-submissions
With this arrangement in place newly created files will be owned by apache:apache, but the webserver should have no problem changing ownership at this point.