I have a PHP script which runs in first server and it curls the PHP file which is on the second server.
$service_url = 'http://example.com/version_check.php?f_path='.$path;
On the second server, that PHP file (version_check.php) reads the files in /var/www directory and processes it.
Now I want to know how to access /var/www directory with root privileges.
I need root privileges because I am doing some fwrites in that directory.
If you’re using the default configuration on Ubuntu, you’ll have a user and group named www-data that your web server runs as. If you want to be able to write to a particular file, chown it to www-data:
$ chown www-data:www-data /var/www/my-file
Alternatively, keep the current ownership, change the group, and make it group-writable:
$ chgrp www-data /var/www/my-file
$ chmod g+w /var/www/my-file
As a last resort if you don’t want to change the ownership or group, make it world-writable:
$ chmod a+w /var/www/my-file
But this is a bad idea—any service on your system, good or bad, can modify the file, rather than just your web server. You should avoid it if you can.
you don't. just make the particular files or folders writable by www-data. running your PHP script as root would be a serious security problem. even more so, because I don't expect you to follow any common security guidelines (if you did, you wouldn't want to run your script as root).
Kumaran,
The issue isn't PHP; the issue is the user accessing the files. Your PHP scripts are run by the apache user (www-data or apache, you'd need to check the username your apache's running under). The apache user, by default, can access certain files.
To be able to access files using root privileges, the apache user needs to acquire the rights to do so.
Allowing this to happen is a big security risk. You need to re-think the architecture altogether; why is PHP accessing root files in the first place?
One option is to make the files in question writeable by the apache user
The /root is only readable to root user. Hence you need to first move that Move file to /var/www and change it's permissions so www-data users can read it.
Related
I want the user to be able to read and edit files in the test folder, these files are always created by a software with read-only properties.
I can't use the chown command manually, so I need a chown command that can work in PHP before the user's read and write commands automatically.
Manual ok:
root#vultr: chown -R nginx /var/www/html/test //run ok, All files in the test folder can be read and written
root#vultr:~# /var/www/html/test/test.sh //run ok, the test.sh file contains the "chown -R nginx command /var/www/html/test"
My php code but not working
shell_exec('./test.sh');
chown('file_webuser', 'nginx');
The chown (change owner) won't work for non-root user. What you really need to do is to grant the user (I assume it's a nginx) full permissions to files.
It can be achieved in few ways. The most secure way is to run PHP (I'm guessing PHP is running as a PHP-FPM) as a nginx user by editing params user and group in your php-fpm.conf file and restarting the PHP service.
In such case, the owner of files will be the same, so no file permission manipulation is needed. You'll need to change ownership of all files generated/uploaded by PHP to nginx once (using root user and chown command).
The second solution is to add the user who's running PHP-FPM to the same group as the nginx user and modify umask so the files are accessible to a group. Let's say that the group would be www-data (you have to add nginx user and the PHP-FPM process owner to that group, for example with usermod command, and edit your php-fpm.conf: set group to www-data). Then in your PHP scripts use umask function to allow all members of group to have full access to files: umask(0007);.
The third, least secure way is to give full access to your files for all users in the system. Use umask function in your PHP file to achieve this: umask(0000);
this is because the root user probably has privileges to manipulate these files created by Nginx or etc.
if PHP is not the owner of that files you can put it on the authorized group that they have desired access to.
Use the exec() in PHP so your code will look like:
exec("chown -R nginx /var/www/html/test");
I'm creating a website that uses php and mysql. I keep all my mysql access data in a ini file called "config.ini". This file needs to be secure so malicious users cannot get access to mysql access data. The problem occors when a php tries to access it as it access it as the user "www-data" which is not a root user is denies the request. If I then allow permission to "www-data" via the this command.
sudo chown -R root:www-data config.ini
sudo chmod -R g+s config.ini
Any user can view it by typing in the website address and /config.ini as apache accesses it through the same user, NOT SECURE.
PHP CODE
$conf = parse_ini_file('config.ini');
$conn = mysqli_connect($conf["host"], $conf["user"], $conf["password"], $conf["database"]);
Any suggestions welcome and in advance thank you.
FULL ANSWER
1)Place config.ini under a directory that is outside the webroot.
2)Create a group with "www-data" in it using this command.
sudo chown root:www-data config.ini
3) Give it access to read using this command.
sudo chmod 640 config.ini
4)Access it normally in php but use ../ to direct to the new location.
If you're concerned about malicious access, which of course is a good thing to be concerned about, make sure your .ini file is not in any directory that your web server is configured to serve from. That is, make absolutely sure this is outside the web-root of your site.
Secondly, you can usually configure your web server to refuse to serve .ini files. You'll also want to ensure that things like directory indexes are turned off so people can't poke around.
This question has been asked a couple of times up here, but I haven't found a solution yet. I have a Fedora 19 LAMP server and I just want to run the simple command: file_put_contents('test.txt', 'Hello there'); in order to confirm that my web server can use PHP to write data to files. I'm having trouble figuring out a proper permissions scheme. To start, just for development, Apache's document root is /var/www/html. This directory was originally owned by a user and group called www-data, but I changed the directory's group to the primary group of the owner of the httpd process, named apache. It is this owner that is active when PHP runs. I've confirmed this with the following:
As you see, the process owner is apache, the current direcory is /var/www/html/php-console. The directory is owned by www-data and members of the group apache have full access to it.
I have tried the following to get PHP to actually create a file in this location, but to no avail:
chmod 777 /var/www/html/php-console
chown apache /var/www/html/php-console
chgrp apache /var/www/html/php-console
cd /var/www/html; > test.txt; chmod 777 test.txt;
Nothing will work while this script is run from the browser. However, when I use file_put_contents with the PHP CLI, it works just like I would expect, provided that the user I'm entering commands as or its group has write permissions to this directory or test file.
So, from the command line, you see how www-data has read, write, and execute permissions to the folder I'm in. posix_getpwuid and posix_geteuid help you to find the owner of the Apache/PHP process, which in this case is the same as the user logged into the console. file_put_contents succesfully writes 8 bytes to the specified file. If I change the group or owner and group to something else, I get Permission denied, which absolutely makes sense.
If this works on the command line, then why not when I really want it to, i.e., while actually serving web pages???
Because you forgot to read the httpd_selinux(8) man page and give the directory the appropriate file context to allow the web server to write files there.
I'm trying to create XML sitemaps for my website from my PHP application. The idea is to either create a new file or overwrite an existing file. When I call fopen, I get the following error:
[function.fopen]: failed to open stream: Permission denied
I'm trying to write to the webroot and its permissions are: 755. This means that the owner has write permission, right? What do I need to do to make my script be able to write to this folder? 777 would be a bad thing, right? Can I run my script as owner somehow?
Thanks.
Yep, as you've said, using 777 could be huge mistake. The webserver doesn't run with the same user as you use to create files and folders.
You have some options:
Run the sitemap creation as a cronjob, using an user with rights to write there, other than the apache user.
Put the sitemap in another directory, and the set up a 302 Redirect or a symlink. In this case, if you have a security issue that let's someone to write your sitemap.xml, at least they'll not be able to create another file with a more dangerous extensions (like PHP, which may result in a site intrusion).
Make a rewrite rule to redirect any hit to sitemap.xml, to a php script that outputs the appropriate XML.
Good luck!
I'm a beginner and I had this problem as well. I am using Ubuntu linux w/ php and apache
Write a php script w/ the following: <?php exec('whoami'); ?> and run it on your server. This tells you who the current user of the script is
SSH to your server.
Make a group that has read and write access to the files you need.
Make group have read, write, and execute on folders you need.
Make the current user you found in the first step, part of the group that has access to the files you need.
Restart Apache: sudo apachectl restart
main commands you need are:
groupadd: Create a new group
usermod: add your user to a new group
chgrp: changes files / folders to group you specify
chmod: changes permissions on the files / folders you specify.
All the commands you need are here: http://www.yolinux.com/TUTORIALS/LinuxTutorialManagingGroups.html
If you have ACL enabled on the webroot partition just grant the web server username full rights
setfacl -m u:apache:rwx /var/www/html
Replace apache with the web server username and /var/www/html with your webroot location.
had the same problem
Looks like apache is running as nobody in the nobody group
so if you do a
useradd -G nobody youruser
chown -R youruser:nobody .
Then change the permission to 0775
chmod -R 0775 .
or you may add nobody to your usergroup
useradd -G nobody yourgroup
this be a better solution
Does it work with group write enabled (i.e. 775)?
Check your group permissions for the directory the file is in. As long as your PHP user (usually www-data) is part of that group, and it's the only user, you should be fine with 775 (or even 774).
Like Pascal said!
just find your apache user
<?php exec'whoami'; ?>
and then
useradd -G username username2
chown -R username:username2 .
chmod -R 0775 .
And its done!
Thank you Pascal!
777 is pretty normal, because PHP does not run as you, it runs as a PHP user, Apache, etc. The fact is, your webhost should have a higher set of permissions that prevents other users from writing/deleting your files.
This might be a noob question, but can't find an answer anywhere.
I have a problem, which Another file permissions problem have helped me to ALMOST solve.
I have created a user in linux (danny) which has sudo access.
I have also created a new group which name ALSO is danny, and added the user danny to that group. This group has sudo (root) access.
I have all files and folders in my www folder owned by danny/danny group.
I have an image-upload code which is php. This code cannot upload images to a folder called "images" folder which is under the www folder, UNLESS I give the images folder 777 permissions.
So, I have followed the answer on the linked question, and have figured out that the user which the upload-script is run as is "www-data".
According to the answer on the link to the other question I posted, I need to add www-data to a group... But I am stuck here...
Which group should I add to? What should I do from here?
Any tips are appreciated.
Btw, here is some info about www-data and danny
id www-data:
uid=33(www-data) gid=33(www-data) groups=33(www-data)
id danny
uid=1000(danny) gid=33(www-data) groups=33(www-data)
Thanks and if you need more input, just let me know...
In general, NO, your content should not be owned by www-data. The only content which should be owned by www-data are the specific files that you need web applications to be able to modify and specific directories that they need to be able to create or delete files in. The rest should not be owned (or writable) by www-data because every file that www-data can write to is a file that an attacker who compromises your web server (including any scripts or web apps that it is running) will be able to replace with whatever malicious data he may choose.
It is especially important that www-data not own or be able to write to any executable file (e.g., scripts, flash files, documents in Word or other formats with macro capabilities, etc.) because replacing them with malicious executables would provide an easy way to attack users' computers or the web server itself.
I think it makes sense that files being used by www-data is owned by www-data. I mean who else should own it? The most important part is that the web app shouldn't have write access to its own web root. The reason why is becuase a directory traversal vulnerability in a PHP function like copy() or file_put_contents() might allow an attacker to drop a .php backdoor in your web root.
Another important attack to be aware of is that another process or user on the system might want to read or write to your web root, so its important that the very last number be a zero. The middle number is the group and your not using this, so it should be zero as well. The following 2 commands makes your web root readable and executable by apache, and only apache. Sometimes a different user account is used, so run a <?php system('whoami')?> to find out the correct user account.
chown www-data -R /path/to/webroot
chmod 500 -R /path/to/webroot
By the time the attacker has remote code execution to change the privileges of the web root its game over. The whole point is trying to foil the exploit from succeeding.
I'd add www-data user to group danny.
usermod -a -G danny www-data
This way www-data could enter danny's place, but not the opposite.
In order to allow www-data user to write to a danny group folder permission mask has to be like (where wildcard means any value is ok):
d???rwx???
Actually, your problem is that you need the user www-data to have write-access to the images folder.
And you probably want user danny to have full access to the folder as well.
EDIT: Additional word of warning:
having files writeable by your webserver is always a security risk. Be sure to check the files that are written, and make sure people can't upload or change code.
Summary:
* Don't let your webserver run scripts that are writeable, or in a writeable folder.
So make sure only the images/ folder is writeable, and doublecheck that everything that is written, is actually an image!
Either:
Set www-data as owner of the folder,
and chmod u+rwx www.
Set www-data
as part of a group X, and change the
owner of the folder to X, and chmod
g+rwx www.
Set the folder
world-writeable on your server (in
some cases, an acceptable solution
too, but less secure).