Dedicated Linux server running debain LAMP.
I run a PHP script (using a browser) which creates a directory (and various sub directories) in a folder on the same server for subsequent shared use using Dropbox.
The directories are created in /home/dropbox/New_Project_Name/new_folders and should be owned by the user 'dropbox'.
However running the php script causes the newly created directories generated by the script to be owned by 'www-data'
What is the best why of either running the php script from the browser so that it generates the new directories with ownership of user and group 'dropbox' or subsequently running a script to check for www-data ownership and recursively changing files and directories to 'dropbox'
Many thanks for any help.
Not tested, but after creating the folder, you can run another line of code to change the owner/group
// define user and group
$owner = "dropbox";
$group = "dropbox";
$folder = "/home/dropbox/New_Project_Name/new_folders";
// change the owner and group
chown($folder, $owner);
chgrp($folder, $group);
Keep in mind, that it might throw an error, because there are subfolders and the operation fails. A while loop should solve the problem.
There might be an issues with the permissions, up to the server-config
There is another way to run it recursively with the "exec" command.
you can go like this:
exec("chown -R ".$owner.":".$group." ".$folder);
This will change user and group for the folder and all sub-folders. But beware,
using system is "dangerous". You can run any shell-commands. Don't play around with it too much.
OK - finally got this working (thanks everybody) but adding the following to my /etc/sudoers
www-data ALL=(ALL) NOPASSWD: /bin/chown, /home/sites/public_html/change_owner.php
The contents of the PHP file were as in the answer from DasSaffe
Here are 3 options:
Use suEXEC.
Connect to localhost ftp as user dropbox and create directories and files this way.
Set up sudo so www-data user can execute this as root without password prompt: sudo chown -R dropbox /path/to/dir, then just use php's exec function.
Related
I want the user to be able to read and edit files in the test folder, these files are always created by a software with read-only properties.
I can't use the chown command manually, so I need a chown command that can work in PHP before the user's read and write commands automatically.
Manual ok:
root#vultr: chown -R nginx /var/www/html/test //run ok, All files in the test folder can be read and written
root#vultr:~# /var/www/html/test/test.sh //run ok, the test.sh file contains the "chown -R nginx command /var/www/html/test"
My php code but not working
shell_exec('./test.sh');
chown('file_webuser', 'nginx');
The chown (change owner) won't work for non-root user. What you really need to do is to grant the user (I assume it's a nginx) full permissions to files.
It can be achieved in few ways. The most secure way is to run PHP (I'm guessing PHP is running as a PHP-FPM) as a nginx user by editing params user and group in your php-fpm.conf file and restarting the PHP service.
In such case, the owner of files will be the same, so no file permission manipulation is needed. You'll need to change ownership of all files generated/uploaded by PHP to nginx once (using root user and chown command).
The second solution is to add the user who's running PHP-FPM to the same group as the nginx user and modify umask so the files are accessible to a group. Let's say that the group would be www-data (you have to add nginx user and the PHP-FPM process owner to that group, for example with usermod command, and edit your php-fpm.conf: set group to www-data). Then in your PHP scripts use umask function to allow all members of group to have full access to files: umask(0007);.
The third, least secure way is to give full access to your files for all users in the system. Use umask function in your PHP file to achieve this: umask(0000);
this is because the root user probably has privileges to manipulate these files created by Nginx or etc.
if PHP is not the owner of that files you can put it on the authorized group that they have desired access to.
Use the exec() in PHP so your code will look like:
exec("chown -R nginx /var/www/html/test");
I need to create a very simple file (one line long) in a directory owned by root, but my PHP server is running as www-data.
I have full control of the system, and while I want to grant www-data to execute this ONE file with full permission, I don't want to give it access to run anything ELSE as root.
Is there a place where I can grant PHP or the www-data user permission to run just that one file so that it can create files in the root-owned location?
will the filename change?
create the file via the command line and chown it to www-data, or www-data's group.
As long as the script doesn't delete the file.. it can't rewrite it and do with it as it pleases.
I get the feeling you are trying to obtain root permissions for some specific process through the execution of the one file. In any case here is a solution.
I recently published a project that allows PHP to obtain and interact with a real Bash shell. Get it here: https://github.com/merlinthemagic/MTS
After downloading you would simply use the following code.
$shell = \MTS\Factories::getDevices()->getLocalHost()->getShell('bash', true);
$return1 = $shell->exeCmd('php /path/to/your/script');
I have a script PHP that to create a folder and some files in this folder. Ok, I can done easily with mkdir in PHP but the folder is owned by www-data it’s weird user or group that I didn't log in. Because that so I can’t modify this folder and files in this folder (delete).
Could someone suggest me how to fix this? Can I create the folder by our current log in user? It’s a public folder for every users (should chmod 775). And this is created folders by PHP script and can have many folder so I dont't want to run sudo chmod all of theses folders every time a new folder is created!
Any folder created by any application running under the http server service will be owned by the user executing such application (or component of the application). That being said, if you're running an Apache HTTP daemon which the child processes owner is the www-data user, any folder created by any php script will be owned by such user.
You'll not be able to chown() any FS entry to other user, since www-data doesn't have permissions to do so. You can change it manually via command line with super user permissions (uid == 0) using the chown command line binary.
This question has been asked a couple of times up here, but I haven't found a solution yet. I have a Fedora 19 LAMP server and I just want to run the simple command: file_put_contents('test.txt', 'Hello there'); in order to confirm that my web server can use PHP to write data to files. I'm having trouble figuring out a proper permissions scheme. To start, just for development, Apache's document root is /var/www/html. This directory was originally owned by a user and group called www-data, but I changed the directory's group to the primary group of the owner of the httpd process, named apache. It is this owner that is active when PHP runs. I've confirmed this with the following:
As you see, the process owner is apache, the current direcory is /var/www/html/php-console. The directory is owned by www-data and members of the group apache have full access to it.
I have tried the following to get PHP to actually create a file in this location, but to no avail:
chmod 777 /var/www/html/php-console
chown apache /var/www/html/php-console
chgrp apache /var/www/html/php-console
cd /var/www/html; > test.txt; chmod 777 test.txt;
Nothing will work while this script is run from the browser. However, when I use file_put_contents with the PHP CLI, it works just like I would expect, provided that the user I'm entering commands as or its group has write permissions to this directory or test file.
So, from the command line, you see how www-data has read, write, and execute permissions to the folder I'm in. posix_getpwuid and posix_geteuid help you to find the owner of the Apache/PHP process, which in this case is the same as the user logged into the console. file_put_contents succesfully writes 8 bytes to the specified file. If I change the group or owner and group to something else, I get Permission denied, which absolutely makes sense.
If this works on the command line, then why not when I really want it to, i.e., while actually serving web pages???
Because you forgot to read the httpd_selinux(8) man page and give the directory the appropriate file context to allow the web server to write files there.
I'm trying to create XML sitemaps for my website from my PHP application. The idea is to either create a new file or overwrite an existing file. When I call fopen, I get the following error:
[function.fopen]: failed to open stream: Permission denied
I'm trying to write to the webroot and its permissions are: 755. This means that the owner has write permission, right? What do I need to do to make my script be able to write to this folder? 777 would be a bad thing, right? Can I run my script as owner somehow?
Thanks.
Yep, as you've said, using 777 could be huge mistake. The webserver doesn't run with the same user as you use to create files and folders.
You have some options:
Run the sitemap creation as a cronjob, using an user with rights to write there, other than the apache user.
Put the sitemap in another directory, and the set up a 302 Redirect or a symlink. In this case, if you have a security issue that let's someone to write your sitemap.xml, at least they'll not be able to create another file with a more dangerous extensions (like PHP, which may result in a site intrusion).
Make a rewrite rule to redirect any hit to sitemap.xml, to a php script that outputs the appropriate XML.
Good luck!
I'm a beginner and I had this problem as well. I am using Ubuntu linux w/ php and apache
Write a php script w/ the following: <?php exec('whoami'); ?> and run it on your server. This tells you who the current user of the script is
SSH to your server.
Make a group that has read and write access to the files you need.
Make group have read, write, and execute on folders you need.
Make the current user you found in the first step, part of the group that has access to the files you need.
Restart Apache: sudo apachectl restart
main commands you need are:
groupadd: Create a new group
usermod: add your user to a new group
chgrp: changes files / folders to group you specify
chmod: changes permissions on the files / folders you specify.
All the commands you need are here: http://www.yolinux.com/TUTORIALS/LinuxTutorialManagingGroups.html
If you have ACL enabled on the webroot partition just grant the web server username full rights
setfacl -m u:apache:rwx /var/www/html
Replace apache with the web server username and /var/www/html with your webroot location.
had the same problem
Looks like apache is running as nobody in the nobody group
so if you do a
useradd -G nobody youruser
chown -R youruser:nobody .
Then change the permission to 0775
chmod -R 0775 .
or you may add nobody to your usergroup
useradd -G nobody yourgroup
this be a better solution
Does it work with group write enabled (i.e. 775)?
Check your group permissions for the directory the file is in. As long as your PHP user (usually www-data) is part of that group, and it's the only user, you should be fine with 775 (or even 774).
Like Pascal said!
just find your apache user
<?php exec'whoami'; ?>
and then
useradd -G username username2
chown -R username:username2 .
chmod -R 0775 .
And its done!
Thank you Pascal!
777 is pretty normal, because PHP does not run as you, it runs as a PHP user, Apache, etc. The fact is, your webhost should have a higher set of permissions that prevents other users from writing/deleting your files.