I'm trying to write a script to create a virtual host for Apache (CentOS 6.4 on AWS).
I tried a simple write:
$result = file_put_contents( '/etc/httpd/conf/vhosts/test.conf', 'teststring');
var_dump($result);
This is my permission and owner information:
-rw-r--r--. 1 apache apache 34445 Jan 16 11:08 httpd.conf
-rw-r--r--. 1 apache apache 13139 Aug 13 17:30 magic
drwxrwxrwx. 2 apache apache 4096 Jan 17 04:29 vhosts
But I still got this message:
Warning: file_put_contents(/etc/httpd/conf/vhosts/test.conf): failed to open stream: Permission denied in /var/www/server-control/src/test.php on line 8 bool(false)
Checking the user with ps aux|grep httpd:
root 9804 0.0 0.0 246372 8712 ? Ss 03:57 0:00 /usr/sbin/httpd
apache 9808 0.0 0.0 247024 7972 ? S 03:57 0:00 /usr/sbin/httpd
apache 9809 0.0 0.0 248304 8644 ? S 03:57 0:00 /usr/sbin/httpd
apache 9810 0.0 0.0 247536 7872 ? S 03:57 0:00 /usr/sbin/httpd
apache 9811 0.0 0.0 247536 8020 ? S 03:57 0:00 /usr/sbin/httpd
apache 9812 0.0 0.0 247536 7876 ? S 03:57 0:00 /usr/sbin/httpd
apache 9813 0.0 0.0 247536 7948 ? S 03:57 0:00 /usr/sbin/httpd
Please help!! On some servers I can write to that folder by just changing the owner to apache, but not on this one.
I've resolved this problem. Run ls -laZ and this is the difference:
My local:
[root#localhost conf]# ls -laZ
drwxr-xr-x apache apache ? .
drwxr-xr-x apache apache ? ..
-rw-r--r-- apache apache ? httpd.conf
-rw-r--r-- apache apache ? magic
-rw-r--r-- apache apache ? ssl.crt
-rw-r--r-- apache apache ? ssl.key
drwxrwxrwx apache apache ? vhosts
EC2 Server:
[root#ip-172-31-0-37 conf]# ls -laZ
drwxr-xr-x. apache apache system_u:object_r:httpd_config_t:s0 .
drwxr-xr-x. apache apache system_u:object_r:httpd_config_t:s0 ..
-rw-r--r--. apache apache system_u:object_r:httpd_config_t:s0 httpd.conf
-rw-r--r--. apache apache system_u:object_r:httpd_config_t:s0 magic
drwxrwxrwx. apache apache unconfined_u:object_r:httpd_config_t:s0 vhosts
That means the EC2 server is under an SELinux permission context.
To resolve the problem, I ran chcon -R --type=httpd_sys_content_t vhosts and ls -laZ again:
[root#ip-172-31-0-37 conf]# ls -laZ
drwxr-xr-x. apache apache system_u:object_r:httpd_config_t:s0 .
drwxr-xr-x. apache apache system_u:object_r:httpd_config_t:s0 ..
-rw-r--r--. apache apache system_u:object_r:httpd_config_t:s0 httpd.conf
-rw-r--r--. apache apache system_u:object_r:httpd_config_t:s0 magic
drwxrwxrwx. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 vhosts
The difference is the httpd_sys_content_t context on the vhosts directory.
Now Apache can write to /etc/httpd/conf/vhosts.
Please correct me if I did/understood anything wrong.
I want to generate a file by batch.php, which is linked to the button in this page:
<?php
echo "Hello world!";
'cat 123 > uploads/cat.txt';
echo "Bye world!";
?>
Clicking on the button does launch batch.php, however, cat.txt is NOT generated on the server side.
Does anyone know how to fix this? Maybe I need to set up some permissions for the folder?
Edit 1:
ps aux|grep -E 'apache|www-data|http|php' returns:
root 12269 0.0 2.1 278256 10796 ? Ss Aug02 3:38 php-fpm: master process (/etc/php5/fpm/php-fpm.conf)
www-data 12301 0.0 0.8 97728 4044 ? S Aug02 3:27 nginx: worker process
www-data 12302 0.0 0.8 98104 4296 ? S Aug02 3:54 nginx: worker process
www-data 12303 0.0 0.9 97940 4520 ? S Aug02 3:46 nginx: worker process
www-data 12304 0.0 0.9 98132 4544 ? S Aug02 3:47 nginx: worker process
timur 14888 0.0 0.1 11712 932 pts/0 S+ 15:04 0:00 grep --color=auto -E apache|www-data|http|php
www-data 18748 0.0 8.7 298196 43668 ? S Sep07 0:12 php-fpm: pool www
www-data 18749 0.0 6.4 286660 32432 ? S Sep07 0:11 php-fpm: pool www
www-data 21100 0.0 8.3 296204 42048 ? S Sep05 1:02 php-fpm: pool www
ls -l returns:
total 20
-rw-r--r-- 1 root root 84 Sep 12 08:33 batch.php
-rw-r--r-- 1 timur timur 5120 Sep 12 09:00 generateFile.exe
-rw-rw-r-- 1 timur timur 138 Sep 12 08:28 index.html
drwxrwxrwx 2 timur timur 4096 Sep 12 15:03 uploads
I granted 777 to uploads, and I tried all the possible owner names and owner groups (ie, timur:timur, www-data:www-data and root:root), but none of them works...
The key is to write exec('cat 123 > uploads/cat.txt') or shell_exec('cat 123 > uploads/cat.txt') instead of 'cat 123 > uploads/cat.txt'.
Then, although drwxrwxrwx 2 timur timur 4096 Sep 12 15:03 uploads works, assigning 755 and www-data:www-data (reserved to PHP) to uploads is more correct.
I'm trying to install a PHP-based software package in a Red Hat 7 Amazon EC2 instance (ami-8cff51fb) that has had Apache 2.4.6 and PHP 5.4.16 installed on it using yum. The installation fails because it says a particular directory needs to be writable by the webserver with 0755 or 0775 permissions.
The directory in question has 0775 permissions with root:apache ownership. I have verified that the httpd process is being run by the apache user and that the apache user is a member of the apache group.
If I edit /etc/passwd to temporarily give the apache user a login shell and then su to that account, I am able to manually create files as the apache user within the directory using the touch command.
I took a look at the source code of the installer script and identified that it's failing because PHP's is_writable() function is returning false for the directory in question. I created a separate test PHP script to isolate and verify the behaviour I'm seeing:
<?php
$dir = '/var/www/html/limesurvey/tmp';
if (is_writable($dir)) {
echo $dir, ' is writable';
} else {
echo $dir, ' is NOT writable';
}
?>
This outputs the NOT writable message. If I change $dir above to be /tmp then it correctly outputs that /tmp is writable.
If I change the directory permissions to 0777 and/or change the ownership to apache:apache then PHP still reports that the directory isn't writable. I even tried creating a /test directory set up with the same permissions and ownership and my test script still reports it as not writable.
I'm really at a loss as to explain this behaviour, so any ideas would be welcome!
Thanks in advance.
The directory listing for /var/www/html/limesurvey is given below. The tmp and upload directories have 0775 permissions as per Lime Survey's installation instructions. test.php is my test script mentioned above.
[ec2-user#ip-xx-x-x-xxx limesurvey]$ pwd
/var/www/html/limesurvey
[ec2-user#ip-xx-x-x-xxx limesurvey]$ ls -al
total 80
drwxr-xr-x. 20 root apache 4096 Mar 30 11:25 .
drwxr-xr-x. 3 root root 23 Mar 25 14:41 ..
drwxr-xr-x. 2 root apache 38 Mar 10 12:56 admin
drwxr-xr-x. 16 root apache 4096 Mar 10 12:56 application
drwxr-xr-x. 3 root apache 4096 Mar 10 12:56 docs
drwxr-xr-x. 2 root apache 4096 Mar 10 12:56 fonts
drwxr-xr-x. 19 root apache 4096 Mar 10 12:56 framework
-rw-r--r--. 1 root apache 429 Mar 10 12:56 .gitattributes
-rw-r--r--. 1 root apache 399 Mar 10 12:56 .gitignore
-rw-r--r--. 1 root apache 296 Mar 10 12:56 .htaccess
drwxr-xr-x. 4 root apache 4096 Mar 10 12:56 images
-rw-r--r--. 1 root apache 6652 Mar 10 12:56 index.php
drwxr-xr-x. 5 root apache 39 Mar 10 12:56 installer
drwxr-xr-x. 89 root apache 4096 Mar 10 12:56 locale
drwxrwxr-x. 2 root apache 39 Mar 25 14:41 logs
drwxr-xr-x. 4 root apache 49 Mar 10 12:56 plugins
-rw-r--r--. 1 root apache 61 Mar 10 12:56 README
drwxr-xr-x. 4 root apache 4096 Mar 10 12:56 scripts
-rw-r--r--. 1 root apache 380 Mar 10 12:56 .scrutinizer.yml
drwxr-xr-x. 5 root apache 4096 Mar 10 12:56 styles
drwxr-xr-x. 5 root apache 4096 Mar 10 12:56 styles-public
drwxr-xr-x. 12 root apache 4096 Mar 10 12:56 templates
-rw-r--r--. 1 root apache 159 Mar 30 11:11 test.php
drwxr-xr-x. 3 root apache 20 Mar 10 12:56 themes
drwxr-xr-x. 26 root apache 4096 Mar 10 12:56 third_party
drwxrwxr-x. 5 root apache 80 Mar 26 13:45 tmp
drwxrwxr-x. 6 root apache 79 Mar 10 12:57 upload
Running namei -l /var/www/html/limesurvey/tmp gives:
[ec2-user#ip-x-x-x-xxx ~]$ namei -l /var/www/html/limesurvey/tmp
f: /var/www/html/limesurvey/tmp
drwxr-xr-x root root /
drwxr-xr-x root root var
drwxr-xr-x root root www
drwxr-xr-x root root html
drwxr-xr-x root apache limesurvey
drwxrwxr-x root apache tmp
After much head-scratching, it transpired that SELinux was preventing the directory from being written to. I found a good tutorial that explains what's going on. I was able to fix it by running this command:
sudo chcon -R -t httpd_sys_rw_content_t tmp
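As an added example (not from either poster), the shell sketch below covers both SELinux fixes on this page: it reads ls -laZ style lines, pulls out the SELinux type, and for a directory whose type is not httpd_sys_rw_content_t prints the semanage fcontext and restorecon commands that record the label in policy, because a label set only with chcon is replaced by the policy default on the next relabel. The listing lines are constructed from the ones shown above, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example. Sample lines are constructed, modelled on the listings above.
RW_TYPE=httpd_sys_rw_content_t   # type the answer above applies with chcon

sample_listing() {
  cat <<'EOF'
drwxr-xr-x. apache apache system_u:object_r:httpd_config_t:s0 .
-rw-r--r--. apache apache system_u:object_r:httpd_config_t:s0 httpd.conf
drwxrwxrwx. apache apache unconfined_u:object_r:httpd_config_t:s0 vhosts
drwxrwxr-x. 5 root apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 80 Mar 26 13:45 tmp
drwxrwxrwx apache apache ? local-vhosts
EOF
}

# selinux_type: stdin = `ls -lZ` lines, stdout = "<name> <type>" per entry.
# The context is found by its user:role:type:level shape rather than by
# column number, so both the old and the new `ls -Z` layouts are handled.
selinux_type() {
  awk '$1 ~ /^[-dl][-r][-w]/ {
    ctx = ""
    for (i = 2; i <= NF; i++)
      if ($i ~ /^[^:]+:[^:]+:[^:]+:/) { ctx = $i; break }
    if (ctx == "") { print $NF, "unlabeled"; next }
    split(ctx, part, ":")
    print $NF, part[3]
  }'
}

# relabel_plan: $1 = absolute path, stdin = that path's single `ls -dZ` line.
# Prints nothing when the type is already RW_TYPE, otherwise the commands
# that store the label in the local policy and then apply it.
relabel_plan() {
  t=$(selinux_type | awk '{ print $2 }')
  [ "$t" = "$RW_TYPE" ] && return 0
  printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$RW_TYPE" "$1"
  printf 'restorecon -Rv %s\n' "$1"
}

sample_listing | selinux_type
sample_listing | grep ' vhosts$' | relabel_plan /etc/httpd/conf/vhosts
```

The script only prints the relabel commands; they have to be run as root on the affected host.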
On CentOS 6 and above, SELinux should be enabled and enforcing.
setenforce Permissive
Check the status:
sestatus
Refer to https://wiki.centos.org/HowTos/SELinux
To write to a directory you also need execute permissions on the dirs above.
namei -l /var/www/html/limesurvey/tmp
should show which step you do not have the correct permissions for.
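The check this answer describes can be automated. The following is an added example, not part of the answer: it walks namei -l output and applies the ordinary Unix rule (the first matching class of owner, group, other decides) to report the first component a given user cannot search, or whether the final directory lacks write permission. The sample input is the namei listing from the question; dac_walk and namei_sample are hypothetical names, and root's bypass, ACLs and SELinux are not modelled.

```sh
#!/bin/sh
# Added example. Input below is the `namei -l` listing quoted in the question.
namei_sample() {
  cat <<'EOF'
f: /var/www/html/limesurvey/tmp
drwxr-xr-x root root /
drwxr-xr-x root root var
drwxr-xr-x root root www
drwxr-xr-x root root html
drwxr-xr-x root apache limesurvey
drwxrwxr-x root apache tmp
EOF
}

# dac_walk: $1 = user, $2 = comma-separated groups, stdin = `namei -l` output.
# Prints "ok", or the first component that blocks creating a file in the
# last directory of the path.
dac_walk() {
  awk -v user="$1" -v groups="$2" '
    BEGIN { n = split(groups, g, ","); for (i = 1; i <= n; i++) ingroup[g[i]] = 1 }
    $1 == "f:" { next }
    NF >= 4 {
      # Only the first matching class applies, even if a later one grants more.
      if ($2 == user)          tri = substr($1, 2, 3)
      else if ($3 in ingroup)  tri = substr($1, 5, 3)
      else                     tri = substr($1, 8, 3)
      last_tri = tri; last_name = $4
      # Search (x) is required on every component; s and t imply x.
      if (!hit && substr(tri, 3, 1) !~ /[xst]/) { hit = 1; where = $4 }
    }
    END {
      if (hit)                                 print "blocked: no search (x) on " where
      else if (substr(last_tri, 2, 1) != "w")  print "blocked: no write (w) on " last_name
      else                                     print "ok"
    }'
}

namei_sample | dac_walk apache apache   # → ok
namei_sample | dac_walk nobody nobody   # → blocked: no write (w) on tmp
```

For the apache user the walk reports ok, which matches what the asker found: ordinary file permissions were not what stopped the write.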
HTTPDUSER=`ps aux | grep -E '[a]pache|[h]ttpd|[_]www|[w]ww-data|[n]ginx' | grep -v root | head -1 | cut -d\ -f1`
sudo setfacl -R -m u:"$HTTPDUSER":rwX -m u:`whoami`:rwX tmp
sudo setfacl -dR -m u:"$HTTPDUSER":rwX -m u:`whoami`:rwX tmp
Taken directly from the Symfony2 installation guide, this solves the problem with cache write access sharing between Apache and CLI tools. This might work for your tmp directory as well.
is_writable by default only checks on the user, not the group.
So even if your group is matching and has permissions, is_writable will return false.
To relax this check you will need to set
safe_mode_gid = On
in the PHP config or change the user accordingly.
I am having some permission issues with Nginx and PHP FastCGI when trying to get to the PHP file. I am using 5.5.15 and Nginx 1.6.0 on Red Hat 7.
My php file is very simple for now.
<?php
echo "\nscript owner : ".get_current_user()."\n";
$myFile = '/usr/share/nginx/html/test.log';
$fh = fopen($myFile, 'a') or die("can''t open file");
?>
Get current user will result in : "myuser"
The error that I am getting is the following:
2014/08/26 22:47:14 [error] 6424#0: *16 FastCGI sent in stderr: "PHP message: PHP Warning: fopen(/usr/share/nginx/html/test.log): failed to open stream: Permission denied in /usr/share/nginx/html/test.php on line 19" while reading response header from upstream, client: XXXXXX, server: XXXXXXX, request: "GET /test.php HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "XXXXXXX"
Here are the permissions for the directory /usr/share/nginx (all of the parent directories have x permissions):
drwxrwsrwx. 4 myuser myuser 4096 Aug 26 22:32 html
Running the following commands:
$ ps aux | grep "nginx: worker process"
myuser 6423 0.0 0.3 111228 3880 ? S 22:36 0:00 nginx: worker process
myuser 6424 0.0 0.5 111228 5428 ? S 22:36 0:00 nginx: worker process
myuser 6480 0.0 0.0 112640 980 pts/0 R+ 22:41 0:00 grep --color=auto nginx: worker process
$ ps aux | grep "php"
myuser 5930 0.0 0.1 128616 1860 pts/0 T 21:09 0:00 vi /etc/php-fpm.conf
myuser 5931 0.0 0.2 128628 2052 pts/0 T 21:09 0:00 vi /etc/php.ini
myuser 5933 0.0 0.1 128616 1864 pts/0 T 21:13 0:00 vi /etc/php-fpm.conf
myuser 5934 0.0 0.1 128616 1860 pts/0 T 21:14 0:00 vi /etc/php-fpm.d/www.conf
myuser 5935 0.0 0.1 128616 1864 pts/0 T 21:15 0:00 vi /etc/php-fpm.conf
root 6313 0.0 2.4 544732 25208 ? Ss 22:25 0:00 php-fpm: master process (/etc/php-fpm.conf)
myuser 6314 0.0 0.8 544732 8356 ? S 22:25 0:00 php-fpm: pool www
myuser 6315 0.0 0.8 544732 8328 ? S 22:25 0:00 php-fpm: pool www
myuser 6316 0.0 0.9 545076 9892 ? S 22:25 0:00 php-fpm: pool www
myuser 6317 0.0 0.9 544860 9452 ? S 22:25 0:00 php-fpm: pool www
myuser 6318 0.0 0.9 544860 9212 ? S 22:25 0:00 php-fpm: pool www
myuser 6483 0.0 0.0 112640 976 pts/0 R+ 22:47 0:00 grep --color=auto php
My Server looks like the following:
server {
listen 80;
root /usr/share/nginx/html;
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
And in the nginx.config I am using the same user: "user ec2-user;"
I have also changed the /etc/php-fpm.d/www.conf file to have the same user and group.
user = myuser
group = myuser
So, both Nginx and PHP are running on the same user "myuser".
All the directories up to where the log file and the PHP file are located (/usr/share/nginx/html) have x access and that user has 777 access to that html directory.
Not sure what I am missing. I have been searching online for 2 days now but no luck.
I suppose the rights are correct, but you have 3 lines of code in test.php, but according to the error this is not true :) Check which file you run.
"in /usr/share/nginx/html/test.php on line 19"
I'm trying to save my PHP sessions on a ramdisk. I have a permission problem but I can't see where the problem is.
I have the ramdisk:
/dev/ram0 407M 2.4M 404M 1% /var/lib/php/session/ramd
I have the permissions:
drwxrwx---. 3 root apache 1024 Mar 24 01:53 ramd
My error:
Warning: session_start(): open(/var/lib/php/session/ramd/sess_b0ko6hl3p6ojj2ot3qfqvm9km1, O_RDWR) failed: Permission denied (13) in /var/www/html/index.php on line 3 Warning: Unknown: open(/var/lib/php/session/ramd/sess_b0ko6hl3p6ojj2ot3qfqvm9km1, O_RDWR) failed: Permission denied (13) in Unknown on line 0 Warning: Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/var/lib/php/session/ramd) in Unknown on line 0
In php.ini, the session.save_path variable is set to "/var/lib/php/session".
In my script I set session.save_path to "var/lib/php/session/ramd".
If I unmount the ramdisk that I created, I can save my sessions in the /ramd folder. If I mount it, I can't. I also tried chmod root:root / apache:apache with chmod 0777 1777. Now it's 0770.
I'm using: CentOS 6.4, PHP 5.3.3, Apache/2.2.15
Can anybody help me with this problem?
LE:
[root#localhost ~]# ps aux | grep apache
apache 2355 0.0 0.4 394868 7840 ? S 01:53 0:00 /usr/sbin/httpd
apache 2356 0.0 0.4 394876 7844 ? S 01:53 0:00 /usr/sbin/httpd
apache 2357 0.0 0.4 394876 7824 ? S 01:53 0:00 /usr/sbin/httpd
apache 2358 0.0 0.4 394876 7816 ? S 01:53 0:00 /usr/sbin/httpd
apache 2360 0.0 0.4 394876 7900 ? S 01:53 0:00 /usr/sbin/httpd
apache 2361 0.0 0.4 394876 7800 ? S 01:53 0:00 /usr/sbin/httpd
apache 2362 0.0 0.4 394876 7844 ? S 01:53 0:00 /usr/sbin/httpd
apache 2363 0.0 0.4 394868 7716 ? S 01:53 0:00 /usr/sbin/httpd
root 3119 0.0 0.0 103248 868 pts/0 S+ 02:52 0:00 grep apache
[root#localhost ~]# ps aux | grep php
root 3132 0.0 0.0 103244 868 pts/0 S+ 02:54 0:00 grep php
Execute the following to see if SELinux is in enforcing mode:
# sestatus
If so, you may want to try disabling SELinux by running the following as root (or with sudo):
# setenforce 0
This will make SELinux stop enforcing any policies. If this solves the issue, you will have to either leave SELinux off or augment the policy to allow this new path to work out correctly. If it does get to that point, reference https://serverfault.com/a/323528/165777 for some information on how to perform that step!
Also, if that didn't make an impact and/or you want to re-enable SELinux, execute:
# setenforce 1
Environment
PHP -V output: PHP 5.3.5-1ubuntu7.2 with Suhosin-Patch (cli) (built: May 2 2011 23:00:17) Copyright (c) 1997-2009 The PHP Group Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
cat /etc/issue output: Ubuntu 11.04
Apache2 -V output: Server version: Apache/2.2.17 (Ubuntu) Server built: Sep 1 2011 09:31:14
Browser About output: Firefox 6.0.2
PS -AUX Output
root 2943 0.0 0.3 206420 12428 ? Ss Sep19 0:20 /usr/sbin/apache2 -k start
www-data 18658 0.0 0.2 208552 11096 ? S Sep25 0:00 /usr/sbin/apache2 -k start
www-data 18659 0.0 0.3 208976 12036 ? S Sep25 0:00 /usr/sbin/apache2 -k start
www-data 18660 0.0 0.3 210532 12476 ? S Sep25 0:00 /usr/sbin/apache2 -k start
www-data 18661 0.0 0.3 210276 11820 ? S Sep25 0:00 /usr/sbin/apache2 -k start
www-data 18662 0.0 0.2 206948 10236 ? S Sep25 0:00 /usr/sbin/apache2 -k start
www-data 20037 0.0 0.3 208976 12128 ? S 08:22 0:00 /usr/sbin/apache2 -k start
www-data 20039 0.0 0.3 209132 11748 ? S 08:23 0:00 /usr/sbin/apache2 -k start
www-data 20120 0.0 0.3 209004 12000 ? S 09:04 0:00 /usr/sbin/apache2 -k start
File Permissions
drwxr-xr-x 2 www-data www-data 4096 2011-09-26 15:24 .
drwxr-xr-x 4 www-data www-data 4096 2011-08-26 11:31 ..
-rw-r--r-- 1 root root 161976 2011-08-26 16:26 market.txt
-rw-r--r-- 1 root root 0 2011-09-26 14:55 test1.txt
-rw-r--r-- 1 root root 0 2011-09-26 14:55 test2.txt
-rw-r--r-- 1 root root 0 2011-09-26 14:55 test3.txt
-rw-r--r-- 1 root root 0 2011-09-26 14:55 test4.txt
-rw-r--r-- 1 root root 0 2011-09-26 15:02 test5.txt
Code
rename($file, "$dest/$file");
Question
When I run the above code on the files listed in the File Permissions section above, it properly moves the file from its current location to a new location and removes the original. How is this possible when apache2 is running as www-data and the files are owned by root and only have read access for non-root users? On the PHP documentation it says:
Warnings may be generated if the destination filesystem doesn't permit chown() or chmod() system calls to be made on files — for example, if the destination filesystem is a FAT filesystem.
Does rename() call either of those system functions during the process? If so, why? Not that it matters anyway as www-data should not be able to chown/chmod a file owned by root anyway.
Can anyone explain to me how this is occurring?
Additional Information
I have tried this with the PHP script owned by root and by www-data and it works.
I tried to provide as much pertinent info as possible but let me know if you need anything else.
Moves don't "remove" originals, unless the move takes place across filesystem boundaries. Within a single filesystem, a move simply rewrites the relevant directory entries so it APPEARS that you've copied/deleted the file, but all you've done is a bit of housekeeping. Since www-data owns the directories in question, it can rewrite the directory entries representing those files all it wants, and never touch the actual files.
When moving files you are not editing the files themselves, but rather the directory they are part of. In your case that directory is owned by www-data (the Apache process).
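The behaviour both answers describe can be reproduced in a scratch directory. This is an added example, not from either answer: a file with mode 000 stands in for the root-owned files in the question (an unprivileged user cannot chown to root), and rename_demo is a hypothetical name.

```sh
#!/bin/sh
# Added example: a rename is decided by the directories, not by the file.
# Prints two words: the outcome with writable directories, then the outcome
# after write permission is removed from the directory holding the entry.
rename_demo() {
  base=$(mktemp -d) || return 1
  mkdir "$base/src" "$base/dest"
  : > "$base/src/market.txt"
  chmod 000 "$base/src/market.txt"   # caller may neither read nor write it

  # 1. Both directories are writable by the caller: only directory entries
  #    are rewritten, the file itself is never opened.
  if mv -f "$base/src/market.txt" "$base/dest/market.txt" 2>/dev/null
  then r1=moved; else r1=denied; fi

  # 2. Remove write permission from the directory that now holds the entry.
  #    The file's own mode is unchanged, yet the rename is refused
  #    (root bypasses this check, so as root it still succeeds).
  chmod 555 "$base/dest"
  if mv -f "$base/dest/market.txt" "$base/src/market.txt" 2>/dev/null
  then r2=moved; else r2=denied; fi

  chmod 755 "$base/dest"
  rm -rf "$base"
  echo "$r1 $r2"
}

rename_demo   # → moved denied (as an unprivileged user)
```

The sticky bit changes the rule: in a directory with it set, as on /tmp, only the file's owner, the directory's owner or root may rename or delete an entry.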