I've successfully created an application using AWS Elastic Beanstalk and have uploaded the app using Git.
All that's left for me to do is create my settings.php file and everything should work.
However when I connect via SSH as the user ec2-user using the method documented at SSH to Elastic Beanstalk instance I cannot navigate into the webapp directory. Here is output of ls -all
drwxr-xr-x 4 root root 4096 Feb 10 16:21 .
dr-xr-xr-x 23 root root 4096 Feb 10 16:23 ..
drwx------ 3 ec2-user ec2-user 4096 Feb 10 16:41 ec2-user
drwx------ 2 webapp webapp 4096 Feb 10 16:21 webapp
And when I try to navigate there I get:
cd: webapp: Permission denied
My question is, can I change the ownership of the webapp folder to that of ec2-user. If I do, will I break Elastic beanstalk? If so, I'd be interested to know how anyone else achieves what I am looking to do, which is not skip the Git deploy of a settings file so that it can be different on my local machine from that of the version on Amazon.
Changing the owner will probably break your Elastic Beanstalk deployment. However, you could add your user to the webapps group and change the permissions to rw on the folder recursively so that anyone in the webapps group can read/write on that folder
chmod -R g+rw webapp
If so, I'd be interested to know how anyone else achieves what I am
looking to do, which is not skip the Git deploy of a settings file so
that it can be different on my local machine from that of the version
on Amazon.
Can you elaborate on this ? What settings file ? Do you mean 'skip' or 'not skip' ?
The permissions of the ec2-user are restricted, and probably not identical to the user running your application. Use the Unix sudo command to perform administrator tasks when you're logged on to your EC2 instance:
$ sudo ls webapp
Then you're able to easily see how things are set up, and perform any actions you please. Just keep in mind that anything you DO perform, may become undone if the instance is recreated. Therefore, you may need to use .config files, should you automatically want this file to appear on any new EC2 nodes created by Elastic Beanstalk.
Good luck!
Related
Even though permissions look fine within the container:
drwxrwxr-x 12 www-data www-data 4096 Dec 5 16:04 app
I'm getting a permission denied error when Apache is trying to write anything into that directory.
FYI: /app is mounted from the host machine like this:
/var/www/myApp:/app
Error is
\Exception\ErrorException: file_put_contents(/app/docker.log): failed to open stream: Permission denied in /app/src/Business/ExpediteGround/LHRates/Fetch.php:13
Found the issue everyone, Apache user was just fine (www-data) but I'm using fpm inside the container to compile the php code and it was running with a different user so that was the cause; switched the pool to run as www-data as I'm used to and it worked!
I've recently been learning to build images and containers with Docker. I was getting fairly confident with it when using a Mac, but recently switched to Ubuntu, I'm fairly new to this side of development.
I'm using a standard new Laravel project as my "code", and am currently just using a php container and nginx container.
I'm using a docker-compose.yml file to create my containers:
version: "3.1"
services:
nginx:
image: nginx:latest
volumes:
- ./code:/var/www
- ./nginx_conf.conf:/etc/nginx/conf.d/default.conf
ports:
- "80:80"
php:
image: php:7.3-fpm
ports:
- 9000
volumes:
- ./code:/var/www
There may or may not be a mistake in the code above just because I've just typed it out rather than copy and pasting - but it works on my machine.
The problem is:
php-fpm is configured with --with-fpm-user=www-data and --with-fpm-group=www-data, and that's set in the php:7.3-fpm Dockerfile (see here).
The files on my host machine, are saved with my user name and group as owner / group.
When I go into the container, the files are owned by 1000 and group 1000 (I assume a mapping to my user account and group on the host machine?)
However, when I access the application through the browser, I get a permission denied error on start up (when Laravel tries to create an error log file in storage). I think this is because php-fpm is running as www-data, but the storage directory has permissions drwxr-xr-x for owner / group phil:phil - my host owner and group.
I've tried the following, after hours of googling and trials:
Recursively change the owner and group of the code directory on the host machine to www-data:www-data. This allows the Laravel application to work, but I now cant create or edit etc files on the host using PHPStorm, because the directory is read-only (I guess because phpstorm is running as my user, and directory is owned by a different user / group).
I've added my host user account to the www-data group, and granted write permissions to the group using sudo chmod -R g+w ./code, which now allows the application to run the application, and for phpstorm to write, execute etc files, but when i create or edit a file, the files ownership and group change back to my host phil:phil, and I guess this would break the application again.
I've tried to create a php image, and set the env (as described in the link above) to configure with --with-fpm-user=phil --with-fpm-group=phil, but after building, it doesn't change anything - it's still running with www-data (after reading a github issue I think this is because envs cant be changed until later, at which point php is already configured?) (see github issue here)
I'm running out of ideas to try. The only other thing I can think of, is to recursively set owner and group of the code directory on my host to www-data and try run phpstorm as www-data instead, but that feels weird (Update: I tried to open phpstorm as www-data user, using sudo -u www-data phpstorm.sh, but i get a java exception - something to do with graphics -so this approach is unfeasible as well)
Now the only thing I can think of to try is to create a new php image from alpine base image and bypass php's images completely - which seems like an awful lot of inconvenience just because the maintainers want to use ENV instead of ARG?
I'm not sure of best practice for this scenario. Should I be trying to change how php-fpm is run (user/group)? should I be updating the directory owner/group on my host? should I be running phpstorm as a different user?
Literally any advice will be greatly appreciated.
#bnoeafk I'll just post this as a new answer although it has basically been said already. I don't think this is hacky, it works basically like ntfsusermap, certainly more elegant than changing all file permissions.
For the Dockerfile:
FROM php:7.4-apache
# do stuff...
ARG UNAME=www-data
ARG UGROUP=www-data
ARG UID=1000
ARG GID=1001
RUN usermod --uid $UID $UNAME
RUN groupmod --gid $GID $UGROUP
Every user using this image can pass himself into it while building: docker-compose build --build-arg UID=$(id -u) --build-arg GID=$(id -g)
ran into the same problem a few weeks ago.
what actually happens is that your host and your container are sharing the same files via the volume, therefore, they also share the permissions.
in production, everything is fine - your server (the www-data user) should be the owner of the files, so no problem here. things get complicated in development - when you are trying to access those files from the host.
i know a few workarounds, the most hacky one seems to be to set www-data uid in the container to 1000, so it will match your uid in the host.
another simple one is to open 777 full permissions on the shared directory, since its only needed in the development build - (should never be done in production though, but as i mentioned before, in production you dont have any problem, so you must seperate the 2 processes and do it only in development mode)
to me, the most elegant solution seems to be to allow all group members to access the files (set 770 permissions), and add www-data to your group:
usermod www-data -a -G phill #// add it to your group
chown -r phill ./code #// make yourself the owner. might need sudo.
chmod 770 ./code #//grunt permissions to all group members
You have many options depending on your system to do this, but keep in mind you may have to restart your running process (php-fpm for example)
Some examples on how to achieve this: (you can run the commands outside the container with: docker container exec ...)
Example 1:
usermod -g 1007 www-data
It will update the uid of the user www-data to 1007
Example 2:
deluser www-data
adduser -u 1007 -D -S -G www-data www-data
It will delete the user www-data and recreate it with the uid 1007
Get pid and restart process
To restart a a running process, for example php-fpm, you can do it that way:
First get the pid, with one of the following command:
pidof php-fpm
ps -ef | grep -v grep | grep php-fpm | awk '{print $2}'
find /proc -mindepth 2 -maxdepth 2 -name exe -lname '*/php-fpm' -printf %h\\n 2>/dev/null | sed s+^/proc/++
Then restart the process with the pid(s) you got just before (if your process support USR2 signal):
kill -USR2 pid <-- replace pid by the number you got before
I found that the easiest way is to update the host or to build your container knowing the right pid (not always doable if you work with different environments)
Let's assume that you want to set the user of your PHP container and the owner of your project files to www-data. This can be done inside Dockerfile:
FROM php
.
.
.
RUN chown -R www-data:www-data /var/www
USER www-data # next instruction might face permission error if this line is not at the end of the dockerfile
The important fact here is that the original permissions in the Docker host are corresponded to the permission inside the container. Thus, if you now add your current user to www-data group (which probably needs a logout/reboot to take effect), you will have sufficient permission to edit the files outside the container (for instance in your IDE):
sudo usermod -aG www-data your_user
This way, the PHP code is permitted to run executables or write new files while you can edit the files on the host environment.
I don't have too much experiences with servers but I've tried to do something ;)
I have my WP webpage on amazon EC2 and
I wanted to edit some settings in php.ini through filezilla (sftp) But I had to set permissions to my user:
sudo chown -R ec2-user:ec2-user /etc
But now I can't even restart apache or set back permissions to root
If i try to do something like this:
sudo chown -R root:root /etc
or
sudo systemctl restart apache2.service
I see this information:
"sudo: /etc/sudo.conf is owned by uid 500, should be 0 sudo: /etc/sudoers is owned by uid 500, should be 0 sudo: no valid sudoers sources found, quitting sudo: unable to initialize policy plugin"
What can I do?
You should never do sudo chown -R ec2-user:ec2-user /etc. You have modified the permission settings of your entire /etc directory.
/etc is a very important folder for your operating system that's why you're getting the error.
launch a new instance and backup your source code from your previous instance and re-upload the code. let me know if you have any issues.
I'm not understanding why you can't modify your php.ini file? You need to ssh into the server and edit the file. If you can't do that, you need to move the file to the ftp folder where it's permissible, modify the file and put the file back to it's original location and restart apache.
Furthermore, I recommend you use Ubuntu for your Wordpress server rather than using Centos or Amazon Flavour of Linux.
log into putty as ec2-user
sudo su
[root#ip-yoursite- home]
now for php 5.0 sudo vim /etc/php.ini
for php 7.0 use sudo vim /etc/php-7.0.ini
press i and now search for upload_max_filesize =100M , post_max_size=100M
(change as per your requirement)
press esc ,now save and exit use this command:wq
restart your apache server
sudo service httpd restart
The short answer is that chown -R is recursive and there are lots of utilities and other files and programs required for various operations, including sudo and su. Root is a special user with uid 0, and that user has greater permissions, and the ability to perform certain operations, that ec2-user cannot. This means that undoing what you have done is not simple or straightforward.
This is why the answers provided so far focus on a reinstallation of the operating system, which is what I would also recommend. It is likely faster.
Another part of this answer is to not try and sftp into the server to change core files. It would require having an sftp login land at the root (or /etc) directory, and that is not a common configuration.
Instead, use sftp or scp to copy changed files to a user directory, and them move them from a command prompt (ssh/bash shell). For simple textfile editing, it is easier to use a command line text editor such as nano which is more user friendly than some of the older editors.
As well, the file itself does not nor should it have its permissions changed, rather, once logged in, use sudo or su to perform the operations. Example:
ssh ec2-user#host.domain.tld
sudo su
nano /etc/php.ini
Imagine that you have a series of boxes, each with two numbers inside. These numbers are mostly 0:0 but could be any whole numbers up to 2^31-2.
The numbers are independent, so 0:0 and 0:42 are both possible. Your -R flag recursively changes all of these numbers in all of the boxes to the same pair.
This loses information. (Without a backup) there is no easy way to know what the numbers in the boxes were before you ran the command.
If you have a matching, (or very similar) server you might be able to restore most of the permissions using rsync, or use a script to record the uid:gid of each file on the working server into a log file and then use that to correct the permissions on the broken server.
ls -n
will show you the numerical values for uid and gid (3rd and 4th column on my linux servers.)
There are two options.
Create a new instance on Amazon. Check the file permissions on the new machine.
cd /etc
ls -lrt
This should give result like this
-rw-r--r-- 1 root root 2064 Nov 24 2006 netscsid.conf
-rw-r--r-- 1 root root 1343 Jan 10 2007 wodim.conf
-rw-r--r-- 1 root root 624 Aug 8 2007 mtools.conf
-rw-r--r-- 1 root root 2570 Aug 5 2010 locale.alias
-rw-r--r-- 1 root root 356 Jan 2 2012 bindresvport.blacklist
-rw-r--r-- 1 root root 349 Jun 26 2012 zsh_command_not_found
Set the same permission on old EC2 instance one by one.
Example
chown -R root:root netscsid.conf
You could create a new setup.
PS: for future, You could use this command for changes in php.ini file rather than changing owner or permission.
sudo vim /etc/php5/apache2/php.ini
No need to change ownership of the folder that contains the php.ini file.
Aim: Grant permission to user 'ec2-user' so that FileZilla can write to /etc folder which contains the php.ini file.
Doing this we can rename the original php.ini file and replace the php.ini file with a modified copy.
Steps:
Login to ec2 instance via 'Putty'
Navigate to the folder that has the php.ini file
example:
cd ../
Use:
ls -l
to list files nd folders with their permissions
Look for the line that shows the folder that contains the php.ini file
somthinng like this:
drwxr-xr-x 80 root root 4096 Jul 11 08:15 etc
Change permissions of this folder:
sudo chmod 777 etc
(NOTE:Change it back to the original permissions later)
Use:
ls -l
to see the change
Restart Apache:
sudo service httpd restart
Now FileZilla will have permission to that folder,
rename the origial php.ini file to revert back in future
replace the php.ini file with a modifided copy
Check ur site(a page which has errors) after a minute, the errors will be displayed.
I've uploaded some php scripts to my server under /php directory and sub directories.
When using my root user in terminal and running php file.php it execute it perfectly, but when trying to reach the same file through the browser - nothing happens...
I guess it something to do with permissions.
I've tried chmod 755 phpdirectory but it doesn't work..
what else should i do in order to give the browser user the ability to run php scripts ?
Update
I'm using FreeBsd system with apache and Direct Admin on it.
Can some one please guide me to where to check the settings ?
Usualy All webb access to a file is done through a specific user (eg. www-data) in order for the file to be reachable through web www-data needs permission to reach the code. How you setup that depends on what system the server is running.
Also the server document_root needs to be setup correctly. Where you do this also depends on what server you are runnning.
EDIT after update question.
In apache this is normally done through the file /etc/apache/sites-avalible/your_site
If the server only serves one page you can do this in http.conf
Check whether the User directive inside httpd.conf file is same as the user you used to ran the PHP script.
You need to make sure your PHP scripts have same user and group as you configured in Apache configuration(/etc/httpd/httpd.conf in CentOS 6.4).
# User/Group: The name (or #number) of the user/group to run httpd as.
User apache
Group apache
Check the owner and group of your PHP directory and files. In this case owner and group (root/root) are not same as Apache User and Group.
# ls -alh
total 516K
drwxr-xr-x. 5 root root 4.0K Aug 29 17:57 .
drwx------. 5 root root 4.0K Jun 24 12:06 ..
-rwxr--r--. 1 root root 356K Jul 7 2012 index.php
To change the owner and group of your PHP directory. Use the following command.
# chown -R apache:apache www
My PHP application and all the files are owned by www-data however I am currently logged in to the server using my username ruser. I'm developing on the same machine so everytime I want to test changes to my php code I have to go back and forth between file owners.
Is this the best practice or is there a different way I can set this up to make my development smoother?
Make your user part of the www-data group, or make the www-data user part of your group. Then give group access to your files:
usermod -a -G www-data yourusername
In terms of best practice, you should be developing on a different machine anyway. Then deploy your code and use scripts to set up whatever secure configuration is right for your project.
There are a few options open to you.
1) You can change all the files to the www-data group while keeping them owned by you
from your site's root directory run:
chmod -R ruser:www-data ./*
2) The best method is to set up an ACL if your distribution supports it: http://bit.ly/Lat25d
3) Or the simplest method (on a dev machine only - don't do this on a live server) is to chmod everything to 777 from the site's root directory
chmod -R 777 ./*
You can change the files to be owned by any user, i.e use the following command: chown username:groupname file.php
Only require Apache to own the files if Apache is going to write to the files or overwrite the files.
So change the ownership to the FTP user to avoid constant ownership changes.