I'm running as www-data and I'm trying to execute a shell script using shell_exec(/foobar/script/myscript.sh), but I'm getting the following error when the script attempts to write to a log file
cannot create /foobar/foo.log: Permission denied
However, I don't run into any problems if I try running the script directly from the terminal. ie
$ sudo su www-data
$ /foobar/script/myscript.sh
$
Any idea what could be going on here?
I should also add that I added www-data to the group mybar and that this is what's showing up when I list the directory
drwxrwxr-x 3 mybar mybar 4096 May 14 14:18 foobar # ls -l /
-rw-rw-r-- 1 mybar mybar 2824 May 15 09:57 foo.log # ls -l /foobar
I think there can be two options:
web-server and php-fpm are run under different users (by default that should not be). Try echo shell_exec('whoami');
You have added www-data to mybar after php-fpm process had been started so it still "doesn't know" that it is (then I think restart of fpm should help).
This works for me:
sudo chown www-data:www-data -R foobar/
The directory you are trying to create the file in must belong to whoever is executing the command.
You can type:
ls -la
to see who it belongs to.
You should see something like this:
drwxr-xr-x 8 jack jack 4096 Jul 22 11:36 application
When I am logged into my ubuntu machine I am logged in as jack#jack so I can create files in the following directory without issuing the sudo command:
drwxr-xr-x 8 jack jack 4096 Jul 22 11:36 application
because it is owned by the current user.
When you try running a script that is executed by visiting a webpage. www-data is the user that is executing the command so any directory or file that you are trying to create/modify/delete must be owned by www-data.
Related
Using the following dockerfile, I'm trying to create a folder which is writable for PHP.
FROM trafex/alpine-nginx-php7:1.2.0
# Add mysql pdo extensions
USER root
RUN apk add php7-pdo php7-pdo_mysql
COPY --chown=nobody:nobody nginx.conf /etc/nginx/nginx.conf
COPY --chown=nobody:nobody public_html/ /var/www/html
RUN chmod 777 /var/www/html/public/ifpos/hits && ls -l /var/www/html/public/ifpos/
USER nobody
During the build this is what I see
Step 6/7 : RUN chmod 777 /var/www/html/public/ifpos/hits && ls -l /var/www/html/public/ifpos/
---> Running in 027345f34fc9
total 8
drwxrwxrwx 2 nobody nobody 4096 Jan 17 04:21 hits
-rw-r--r-- 1 nobody nobody 817 Jan 17 03:04 listener.php
However when I terminal into the container and list the directory, I can see this hasn't been set correctly.
/var/www/html/public/ifpos $ ls -l
total 8
dr-xr-xr-x 2 nobody nobody 4096 Jan 17 04:21 hits
-rw-r--r-- 1 nobody nobody 817 Jan 17 03:04 listener.php
Please help, this is doing my head in!
This happens because /var/www/html is marked as VOLUME in trafex/alpine-nginx-php7:1.2.0 image - https://hub.docker.com/r/trafex/alpine-nginx-php7/dockerfile
You can run the chmod as part of entrypoint script which does the chmod first and then calls the actual entrypoing "/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"
I'm trying to get a simple PHP file to work on a linux Centos 7 server using apache. The problem is that the php code doesn't seem to have permission to write to the folder. The simple test php file below illustrates the problem
<?php
echo shell_exec('whoami');
echo "<br>";
$myfile = fopen("test.txt","w") or die("could not open test file");
fclose($myfile);
?>;
Just to try to get it to work I have done
sudo chmod -R a+rwx /var/www
and yet I keep getting the "could not open test file" error message. What am I doing wrong? Incidentally, the 'whoami' is coming back as 'apache'
**Edit*
In the light of the suggestion below I've done some changes and am now showing the full permissioning for the folders. I've created the group www-data and have added the user apache to it.
[prompt]$ groups apache
apache : apache www-data
For /var/www:
0 drwxrwsrwx. 4 root www-data 33 Jul 27 08:19 www
For /var/www/html:
0 drwxrwsrwx. 2 root www-data 137 Jul 27 12:43 html
The file I'm trying to load:
4 -rwxrwxrwx. 1 root www-data 182 Jul 27 12:40 test.php
It's still not working unfortunately. Might it be something in the apache configuration? Any suggestions would be much appreciated
Here are two options you can try
Option 1
Make sure the group is www-data on '/var/www'.
prompt> sudo chgrp www-data /var/www
Make '/var/www' writable for the group.
prompt> sudo chmod 775 /var/www
Set the GID for www-data for all sub-folders.
prompt> sudo chmod g+s /var/www
Your directory should look like this on an 'ls -l' output.
drwxrwsr-x
Last, add your user name to the www-data group (secondary group).
prompt> sudo useradd -aG www-data [USERNAME]
Option 2
Use the mod_userdir as described in https://httpd.apache.org/docs/2.4/mod/mod_userdir.html
I would recommend the first option as it suits your needs better.
I have a question about the exec function on PHP 7.0.
I write a shell script to copy/sync the files and log the details into a log file, everything happens in the tmp folder.
# /tmp/data
drwxrwxr-x 4 root www-data 4096 Apr 4 00:00 data
# /tmp/data/data.log
-rwxrwxr-x 1 root www-data 9551 Apr 4 04:19 sync.log
I tried to login as www-data user for testing the shell script, and it works fine via command line but it's not good with PHP exec as below:
exec('sh /var/www/sync.sh');
I tried to dump the data and I am sure that I can touch the .sh file.
Is there anyone have ideas about this issue?
Thanks.
So this is my code for the raspberry pi to get a still shot from the raspicam and save it on a directory,
<?php
exec('raspistill -n -hf -o /var/www/img/image.jpg --timeout 1');
?>
I have given the ownership and the permission to read/write in that forlder using -R. so my ls -al in /var/www is this
drwxr-xr-x 3 www-data www-data 4096 Jun 19 08:05 .
drwxr-xr-x 12 root root 4096 Jun 19 05:54 ..
-rwxrwxrwx 1 www-data www-data 74 Jun 19 08:30 getImg
drwxrwxrwx 2 www-data www-data 4096 Jun 19 09:21 img
-rw-r--r-- 1 root root 70 Jun 19 10:07 index.php
getImg is the script i tried to run the script as a file like shell_exec('/bin/bash ./getImg'); that also doesn't work.
i have added /bash/bin and tried to run the script without using the script file too but that doesn't get the results.
How ever when i try to run the php file in the terminal, it creates the image as it normally should. So i figure this must be a permission issue, but what else should i do with the permissions? I have given all the rights to the directory.
EDIT
So I have found a workaround to this. since I don't know what the cause for the problem, i'd not mark this as an answer, but please vote it to appear at the top.
I now execute the script using the cgi scripts. I have created a shell script in the /usr/lib/cgi-bin/
#!/bin/bash
echo "Content-type:text/html\n"
sudo raspistill -vf -n -o /var/www/img/image.jpg --timeout 1200 --metering matrix
echo "Status: 204"
I saved this as capture and made this executable, did nothing with the permissions though.
sudo chmod +x capture
now when i open the link http://192.168.1.85/cgi-bin/capture the browser will still get me a 500 internal server error message. how ever, the image would still be created.
I would now need to get the 500 internal server error to be fixed.
[I'd add this as a comment but don't have enough points for it]
if you use the optional parameters $output and $return_var to capture the output and return value what do you get?
string exec ( string $command [, array &$output [, int &$return_var ]] )
does your command rely on environment variables that may be available when you run it as your user but not as www-data? (you can use the env command to check that)
does it still work if you run it via terminal after switching user to www-data?
When I try to shell_exec('/home/user/scripts/./script') I get the following error:
terminate called after throwing an instance of 'boost::filesystem3::filesystem_error'
what(): boost::filesystem::create_directory: Permission denied: "/.script"
Aborted (core dumped)
shell_exec('whoami') returns www-data on my web-facing php script.
The permissions to the directory and file are exactly the same:
-rwxrwxr-x 1 user123 group456 8246 Jun 25 06:10 script
drwxrwxr-x 7 user123 group456 4096 Jul 10 14:54 .
In fact I can shell_exec('touch /home/user/scripts/test') and it will create the file with no problem.
$ ls -l /home/user/scripts/test
-rw-r--r-- 1 www-data www-data 0 Jul 10 14:54 test123
This is how my groups are set up for each user:
$ groups user123
user123 : group456
$ groups www-data
www-data : group456
Why am I getting this error?
The script your running has a typo: it's trying to make the folder /.script in the root folder instead of ./script (relative path).
Are you trying to execute script at /home/user/scripts/./script then you should run as shell_exec('sh /home/user/scripts/script')
When you add ./ there on path its interpreted differently.
When you pass ./script - You are referring to filename script in current directory.
Also you are actually getting error from your c program which tells us your system is stopping apache to gain root privileges. You can audit2allow to let apache gain needed privileges.