I want to make and remove directories, and files with a php script
example:
<?php
if (!is_dir('examples')) {
mkdir('examples');
}
?>
But I get permission denied. How can I allow this one script to run these commands?
I have tried chmod 777 mkdir.php and chmod +s mkdir.php
which got rid of the Permission denied meaage, but It still doesn't create the folder.
how can i get mkdir() and or rmdir() php function to work?
Please note, I am not using php as a shell script.
Probably just chown to the user.
(I just came to put an answer here to mark 'answer found')
Original text:
777, if the user www-data isn't the owner of the parent directory or not in the same group as the owner. Usually it would be 775, tho.
Credit to Charlotte Dunois
Related
So I have a PHP file located in /var/www/html/test.php and I have it run the code shell_exec('touch /home/pi/Desktop/test_file')
However, the webpage displays fine but when I check the apache log files, I always get permission denied. I understand that apache is running as www-data user and my main user pi probably have some permission clash (I'm new to this stuff).
I tried many options I found on-line, the most promising was here, which suggested I run the commands:
sudo chown -R pi:www-data /home/pi/Desktop
sudo chmod -R g+s /home/pi/Desktop
...but I still get permission denied. Can anyone please suggest what permissions I may need to still configure? I want to ensure security, but at the same time need my PHP file to be able to create new files. I used the Desktop as an example directory, but really I don't care which directory, I just need a directory. I tried touching a file within /var/www/html, but that was permission denied as well. Thanks!
if your apache process is running as www-data, and the file ownership is pi:www-data, you probably need to run this chmod:
sudo chmod -R g+w /home/pi/Dekstop
First, setting the group as www-data won't matter if the files are not group writable. Mode 755 will ensure apache can read the files, but the www-data user would still not be able to write.
Secondly, using "g+w" adds group write without messing with any of the other bits. [644 becomes 664, and 755 becomes 775)]. This way you can safely adjust permissions recursively, without making files executable that shouldn't be.
Incidentally, sudo chmod g+s ... is probably not what you want. That will instead set the sgid bit, and not the group write bit.
First of all, why the heck are you using shell_exec to create a file? PHP has it's own touch() function that will do that for you. You can also create files just by opening a nonexistent file using certain modes (ie, fopen("myfile", "w"))
Using exec to create your files is surely messing with your permissions.
You need to find out which user PHP is running as and chown to that user. You can find that out by running get_current_user().
Then you need to change the permissions with chmod. There's an example in the comments so I won't repeat it. Good luck. Stop using shell_exec.
I am using the following code to upload and move a file to the folder "film_images":
$filepath = '../images/film_images/';
echo '<br />Trying to store file at ' . $filepath;
if (!move_uploaded_file(
$_FILES['teaserimage']['tmp_name'],
sprintf($filepath . '%s.%s',
'test',
$ext))) {
throw new RuntimeException('Failed to move uploaded file.');
}
However, as many people here, I always got a
Failed to open stream: Permission Denied
exception in PHP. Then I went to the server and, using the setfacl command I gave permission rw- to the user www-data, which is the user running this PHP script. Using rw- I still got the exception. Only when I switched rights to rwx, i.e. when I gave www-data full control on this folder, it worked. Now I wonder two things:
Why is it necessary to give the user execution rights in order to write a file?
Is there a way to write the file without giving execution rights to the user? I fear that somebody might upload code, hidden in an image file, and execute it on my server.
You need set default permission on folder if create new files, first chmod it: chmod g+s images/film_images //set permission what you need
second you need set default permissions on create files/folders:
setfacl -R -d -m group:www-data:rwx /path/to/your/dir //set permission what you need
Okay, I think I figured it out. Thanks Paulius S. and his answer, which got me on the right track.
The folder ist owned by me. First, following the answer to this post, I use
chmod g+rwxs dirname
to ensure that files created in the directory are owned by the group I belong to. In particular, www-data is not part of this group. Then using
setfacl -m u:www-data:rwx dirname
I give full access to the directory to the user www-data. Now www-data can upload a, but this file automatically belongs to the group set above (which www-data does not belong to) and hence www-data has no execution right, although he can execute in the folder in general.
I'm trying to upload a user's photo using a simple HTML input form, but I'm getting the following error. I've set the permissions of my upload folder to 755. I tried 777 and that works, but I've read that setting it to 777 is not advised and that I should be able to use 755?
Warning: move_uploaded_file(uploads/2014_08_21_11_03_14k.jpg) [function.move-uploaded-file]: failed to open stream: Permission denied in /home/yadayada/register.php on line 136
Warning: move_uploaded_file() [function.move-uploaded-file]: Unable to move '/tmp/php8KQwyh' to 'uploads/2014_08_21_11_03_14k.jpg' in /home/yadayada/register.php on line 136
This is my php code:
$userPhotoUrl = 'uploads/'.date('Y_m_d_H_i_s').$_FILES['photo']['name'];
if (is_uploaded_file($_FILES['photo']['tmp_name'])) {
if (!move_uploaded_file($_FILES['photo']['tmp_name'], $userPhotoUrl)) {
// show error message
return;
}
} else {
// show error message
return;
}
First of all, you have to understand what is 755.
For folder, 755 means drwxr-xr-x, which means:
Owner has Read, Write & Execute permission
Group & Public have Read and Execute permission only
As the user running PHP is probably not the owner of the folder, it does not have write permission to the folder. Either:
You chown the folder to PHP's user; or
You make it 777: everybody has Read, Write & Execute permission
Of course, the latter choice has a security issue, as if somebody uploads an executable shell script to your folder, he can execute the script. Therefore, you should stick with the first choice.
You should probably chown the upload folder (move) to the same user as PHP runs under. Try this
chown -R nobody uploaddir
chmod -R 755 uploaddir
Have alook on this Permission
if you set 755, your webserver will be the owner of the folder.
I'm trying to create XML sitemaps for my website from my PHP application. The idea is to either create a new file or overwrite an existing file. When I call fopen, I get the following error:
[function.fopen]: failed to open stream: Permission denied
I'm trying to write to the webroot and its permissions are: 755. This means that the owner has write permission, right? What do I need to do to make my script be able to write to this folder? 777 would be a bad thing, right? Can I run my script as owner somehow?
Thanks.
Yep, as you've said, using 777 could be huge mistake. The webserver doesn't run with the same user as you use to create files and folders.
You have some options:
Run the sitemap creation as a cronjob, using an user with rights to write there, other than the apache user.
Put the sitemap in another directory, and the set up a 302 Redirect or a symlink. In this case, if you have a security issue that let's someone to write your sitemap.xml, at least they'll not be able to create another file with a more dangerous extensions (like PHP, which may result in a site intrusion).
Make a rewrite rule to redirect any hit to sitemap.xml, to a php script that outputs the appropriate XML.
Good luck!
I'm a beginner and I had this problem as well. I am using Ubuntu linux w/ php and apache
Write a php script w/ the following: <?php exec('whoami'); ?> and run it on your server. This tells you who the current user of the script is
SSH to your server.
Make a group that has read and write access to the files you need.
Make group have read, write, and execute on folders you need.
Make the current user you found in the first step, part of the group that has access to the files you need.
Restart Apache: sudo apachectl restart
main commands you need are:
groupadd: Create a new group
usermod: add your user to a new group
chgrp: changes files / folders to group you specify
chmod: changes permissions on the files / folders you specify.
All the commands you need are here: http://www.yolinux.com/TUTORIALS/LinuxTutorialManagingGroups.html
If you have ACL enabled on the webroot partition just grant the web server username full rights
setfacl -m u:apache:rwx /var/www/html
Replace apache with the web server username and /var/www/html with your webroot location.
had the same problem
Looks like apache is running as nobody in the nobody group
so if you do a
useradd -G nobody youruser
chown -R youruser:nobody .
Then change the permission to 0775
chmod -R 0775 .
or you may add nobody to your usergroup
useradd -G nobody yourgroup
this be a better solution
Does it work with group write enabled (i.e. 775)?
Check your group permissions for the directory the file is in. As long as your PHP user (usually www-data) is part of that group, and it's the only user, you should be fine with 775 (or even 774).
Like Pascal said!
just find your apache user
<?php exec'whoami'; ?>
and then
useradd -G username username2
chown -R username:username2 .
chmod -R 0775 .
And its done!
Thank you Pascal!
777 is pretty normal, because PHP does not run as you, it runs as a PHP user, Apache, etc. The fact is, your webhost should have a higher set of permissions that prevents other users from writing/deleting your files.
I've got the following situation:
public_html - 755
=> avatar - 777
=> poll - 755
Now when I use the following code, i'll get an error (Warning: file_put_contents(../test.php) [function.file-put-contents]: failed to open stream: Permission denied in XXX):
<?php
file_put_contents('../test.php','<?php');
?>
But when I use the code below, it'll work just fine:
<?php
file_put_contents('test.php','<?php');
?>
(both executed from 'avatar', with 0777)
How can I solve this?
Since your script is executing from avatar, which has 0777 permission (world read/write/execute), it is normal that you are able to create a file within it (i.e.: file_put_contents("test.php")).
If you are not able to create files in public_html (i.e.: file_put_contents("../test.php")), it's because the user that is executing your script (most probably the Apache user) is not the owner of public_html (the owner is most probably a FTP user). Because 0755 means that only the owner is able to write to the directory, then others are only able to read or execute from it.
If you have shell access, you can use chown to change the owner of the file:
bash-4.1.5$ chown newuser public_html
Or you can chmod with higher permissions for non-owners, but you ought to be careful with that.
I guess it's not possible to write to a higher folder, even when you've 0777 permission.
It's not possible to use chmod on this dir, you'll have to use FTP or something.