How to Handle _www User Not Having Access to .hg Folder? - php

I have a BitBucket account, and it will trigger a script on my server that will pull and update the live server when a push is made. The trigger works, and after having a lot of trouble getting the _www user to trust the hgrc or whatever (I did get that working), it's actually doing the command.
The problem is I get an error about not being able to lock the folder, which means that my _www user doesn't have permission to the .hg folder.
What's a good way to approach this? I don't want to make the .hg folder 0777. I could put _www in the same group as my user (which I believe it is) and give the group rw (what is that, 0775?). Would that be acceptable, or are there other security implications I might be missing, or a better way to handle this.
I wish I could run the command with my user. And maybe I can. BitBucket is using a POST service to post to my server and I do the command via PHP's shell_exec() (it only runs the command if the request came from BitBucket's IP).
[Update] I went ahead and tried setting the permissions to 0775, and it still didn't work (_www isn't in the same group as my user). Same error, which is:
abort: could not lock repository /path/to/local/repo: Permission denied

You've got the right idea with the groups stuff. You need to:
make sure the www user is in the same group as the group that owns everything in the .hg directory
make sure everything in the .hg directory is write-able by group (chmod -R g+w .hg)
If any other users besides www will be pushing/pulling/updating in that repo then you'll also want to use the sticky-group-bit to make sure that newly created files and directories have the same group ownership as the .hg directory itself:
find .hg -type d | xargs chmod g+s

Your first paragraph is not entirely clear, but have you tried changing the .hgrc file on the live server, adding:
[trusted]
users = _www
groups = _www
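The two answers above describe the same recipe: the web-server user shares a group with the repository owner, everything under .hg is group-writable, and directories carry the setgid bit so files created by either user keep that group. The script below is an added example (not from the original posts) that audits a repository for exactly those three conditions and applies the fix without ever touching the "other" bits, so the repository never drifts toward 0777. The repository path and group name are placeholders you pass in; it assumes GNU or BSD find/chmod.

```shell
#!/bin/sh
# Added example: audit and fix group access to a Mercurial .hg directory so a
# web-server user (e.g. _www / www-data) in the same group can lock and update it.
# Assumed: GNU or BSD find/chmod; the repo path and group are placeholders.

# Print every path under .hg that would still block a group member:
#  - not owned by the group
#  - not group-writable (hg has to create .hg/wlock and .hg/store/lock)
#  - a directory without setgid, so new files would get the creator's group
hg_perm_audit() {
    repo=$1; group=$2
    find "$repo/.hg" ! -group "$group" -print 2>/dev/null
    find "$repo/.hg" ! -perm -g+w -print
    find "$repo/.hg" -type d ! -perm -g+s -print
}

# Apply the fix: group ownership, group rw, setgid on directories.
# Only the group bits change; owner and "other" permissions stay as they were.
hg_perm_fix() {
    repo=$1; group=$2
    chgrp -R "$group" "$repo/.hg"
    chmod -R g+rwX "$repo/.hg"                 # X = execute only on dirs/already-executable files
    find "$repo/.hg" -type d -exec chmod g+s {} +
}

# Returns 0 when the audit finds nothing to complain about, 1 otherwise.
hg_perm_ok() {
    [ -z "$(hg_perm_audit "$1" "$2")" ]
}
```

Run `hg_perm_audit /path/to/local/repo _www` first; every line it prints is a path that will produce the "could not lock repository" abort for a group member. After `hg_perm_fix` the audit should be silent. The `[trusted]` section in the server's hgrc is still needed separately: it tells hg to trust a config file owned by a different user, it does not grant filesystem access.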

Related

[linux][php] Permission denied: failed to open stream [duplicate]

I am trying to write a query to a file for debugging. The file is in database/execute.php. The file I want to write to is database/queries.php.
I am trying to use file_put_contents('queries.txt', $query)
But I am getting
file_put_contents(queries.txt) [function.file-put-contents]: failed to open stream: Permission denied
I have the queries.txt file chmod'd to 777, what could the issue be?
Try adjusting the directory permissions.
from a terminal, run chmod 777 database (from the directory that contains the database folder)
apache and nobody will have access to this directory if it is chmod'd correctly.
The other thing to do is echo getcwd();. This will show you the current directory, and if this isn't '/something.../database/' then you'll need to change 'query.txt' to the full path for your server.
You can make Apache (www-data), the owner of the folder:
sudo chown -R www-data:www-data /var/www
that should make file_put_contents work now. But for more security you better also set the permissions like below:
find /var/www -type d -print0 | xargs -0 chmod 0755 # folder
find /var/www -type f -print0 | xargs -0 chmod 0644 # files
change /var/www to the root folder of your php files
There's no need to manually write queries to a file like this. MySQL has logging support built in, you just need to enable it within your dev environment.
Take a look at the documentation for the 'general query log'.
This can be resolved with the following steps:
1. $ php artisan cache:clear
2. $ sudo chmod -R 777 storage
3. $ composer dump-autoload
Hope it helps
I know that it is a very old question, but I wanted to add the good solution with some in-depth explanation. You will have to execute two statements on Ubuntu-like systems and then it works like a charm.
Permissions in Linux can be represented with three digits. The first digit defines the permission of the owner of the files. The second digit the permissions of a specific group of users. The third digit defines the permissions for all users who are not the owner nor member of the group.
The webserver is supposed to execute with an id that is a member of the group. The webserver should never run with the same id as the owner of the files and directories. On Ubuntu, Apache runs under the id www-data. That id should be a member of the group for whom the permissions are specified.
To give the directory in which you want to change the content of files the proper rights, execute the statement:
find %DIR% -type d -exec chmod 770 {} \;
That would imply in the question of the OP that the permissions for the directory %ROOT%/database should be changed accordingly. It is therefore important not to have files within that directory that should never get changed or removed. It is therefore best practice to create a separate directory for files whose content must be changed.
Read permission (4) for a directory means being able to list all files and directories with their metadata within that directory. Write permission (2) gives the permission to change the content of the directory, implying adding and removing files, changing permissions etc. Execute permission (1) means that you have the right to go into that directory. Without the latter it is impossible to go deeper into the directory. The webserver needs read, write and execute permissions when the content of a file should be changed. Therefore the group needs the digit 7.
The second statement is in the question of the OP:
find %DOCUMENT_ROOT%/database -type f -exec chmod 760 {} \;
Being able to read and write a document is required, but it is not required to execute the file. The 7 is given to the owner of the files, the 6 to the group. The webserver does not need to have the permission to execute the file in order to change its content. Those write permissions should only be given to files in that directory.
All other users should not be given any permission.
For directories whose files do not need to be changed, group permissions of 5 are sufficient.
Documentation about permissions and some examples:
https://wiki.debian.org/Permissions
https://www.linux.com/learn/tutorials/309527-understanding-linux-file-permissions
http://www.linux.org/threads/file-permissions-chmod.4094/
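The explanation above of the three digits has a practical consequence that the "chmod 777 the file" attempts in this thread keep missing: every directory on the path needs the execute (search) bit for the user the webserver runs as, and the final directory needs the write bit, or the file's own mode is irrelevant. The script below is an added example (not from the original answers) that walks a target path component by component and reports the first place the calling user is stopped. It assumes POSIX sh and a GNU or BSD stat(1); to see the webserver's view, run it as that user, e.g. `sudo -u www-data sh -c '. ./perms.sh; write_path_report /var/www/html/database/queries.txt'`.

```shell
#!/bin/sh
# Added example: explain why a path is not writable by the calling user by
# checking every directory component. A missing execute (search) bit on any
# ancestor blocks access even if the target itself is 0777.
# Assumed: POSIX sh, stat(1) from GNU coreutils or BSD.

# Numeric mode of a path, e.g. 755 (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Print one line per directory on the way to $1: its mode, [x] or [-] for
# whether this user may traverse it, and finally whether the last directory
# is writable. Returns 0 if a file could be created at $1, 1 otherwise.
write_path_report() {
    target=$1
    dir=$(dirname "$target")
    case $dir in /*) abs=$dir ;; *) abs=$(pwd)/$dir ;; esac   # make absolute
    ok=0
    acc=""
    IFS=/
    for part in $abs; do
        [ -z "$part" ] && continue
        acc="$acc/$part"
        if [ -x "$acc" ]; then
            printf '%-5s [x]  %s\n' "$(mode_of "$acc")" "$acc"
        else
            printf '%-5s [-]  %s   <- no search (x) bit for this user\n' "$(mode_of "$acc")" "$acc"
            ok=1
            break
        fi
    done
    unset IFS
    [ -z "$acc" ] && acc=/
    if [ $ok -eq 0 ]; then
        if [ -w "$acc" ]; then
            printf 'final dir writable: yes (%s)\n' "$acc"
        else
            printf 'final dir writable: NO, need w on %s\n' "$acc"
            ok=1
        fi
    fi
    return $ok
}
```

Note that root passes every `[ -x ]` and `[ -w ]` test, so running this as root tells you nothing about www-data; run it as the webserver user. Also note that a clean report here does not rule out SELinux, which is checked separately.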
Gathering info from this link stackoverflow-image save doesn't work with chmod 777 and from user azerafati and Loek Bergman
if you were to look under /etc/apache/envvars file you will see something like:
export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data
Apache is run under the username 'www-data'
'0755' means the file owner can read/write/execute but group and other users cannot write. So in your terminal, cd to the folder containing your 'images' folder. Then type:
find images -type d -exec chmod 0755 {} \;
find images -type f -exec chmod 0755 {} \;
sudo chown -R www-data:www-data images
you must change permissions first before changing owner.
enter your password when prompted. this will make 'www-data' owner of the images folder.
your upload should now work.
I use a shared Linux hosting; when my admin changed PHP to 5.3 I got many errors for the "file_put_contents" code. Try my plan to test it:
In your host create a file like mytest.php, and put this code in and save:
<?php mail('Your-EMail','Email-Title','Email-Message'); ?>
Open the URL "www.your-domain.com/mytest.php" one time and then check your email. You should have an email from your host with the information you entered in mytest.php; check the sender name. If it's from Nobody you have a problem with "Permission Denied" because something is not defined, and if the sender name is like my id: iietj8qy#hostname5.netly.net you don't have a problem.
My admin changed the server and installed the host again I think and the problem got solved, tell your host administration what I told you and maybe they find the answer.
If you are pulling from git from local to server, you will need to clear cache sometimes because of the view files it gets uploaded with it / or other cached files .
php artisan cache:clear
Sometimes it might just do the trick if your application was working before the git pull.
this might help. It worked for me. try it in the terminal
setenforce 0
For anyone using Ubuntu and receiving this error when loading the page locally, but not on a web hosting service,
I just fixed this by opening up nautilus (sudo nautilus) and right click on the file you're trying to open, click properties > Settings > and give read write to 'everyone else'
use this command to give permission for storage/framework and logs
sudo chmod -R 777 storage/logs storage/framework
if you still have a permission error
try this to give group to write in log
sudo chmod g+w storage/logs
had the same problem; my issue was selinux was set to enforcing.
I kept getting the "failed to open stream: Permission denied" error even after chmoding to 777 and making sure all parent folders had execute permissions for the apache user. Turns out my issue was that selinux was set to enforcing (I'm on centos7), this is a devbox so I turned it off.
I ran into the same issue, I'm using Laravel, so what I just did was:
php artisan view:clear
And fixed!
I stopped the virus scanner (Avast). That solved the problem! It eventually appeared that Avast had a ransomware shield blocking the write actions to the documentroot folder(s). Adding the shield exceptions for the individual programs (PHP, Tesseract) solved the issue!
Here is the solution.
To copy an img from a URL.
this URL: http://url/img.jpg
$image_Url = file_get_contents('http://url/img.jpg');
create the desired path, finishing the name with .jpg
$file_destino_path = "imagenes/my_image.jpg";
file_put_contents($file_destino_path, $image_Url);
There are 2 ways to resolve this issue
1. use chmod 777 path-to-your-directory.
if it does not work then
2. simply provide the complete path of your file query.txt.
Furthermore, as said in the file_put_contents manual page on php.net, beware of naming issues.
file_put_contents($dir."/file.txt", "hello");
may not work (even though it is correct on syntax), but
file_put_contents("$dir/file.txt", "hello");
works. I experienced this on different php installed servers.

Can't get permission setup correctly to allow www-data to create files using PHP

So I have a PHP file located in /var/www/html/test.php and I have it run the code shell_exec('touch /home/pi/Desktop/test_file')
However, the webpage displays fine but when I check the apache log files, I always get permission denied. I understand that apache is running as the www-data user and my main user pi probably has some permission clash (I'm new to this stuff).
I tried many options I found on-line, the most promising was here, which suggested I run the commands:
sudo chown -R pi:www-data /home/pi/Desktop
sudo chmod -R g+s /home/pi/Desktop
...but I still get permission denied. Can anyone please suggest what permissions I may need to still configure? I want to ensure security, but at the same time need my PHP file to be able to create new files. I used the Desktop as an example directory, but really I don't care which directory, I just need a directory. I tried touching a file within /var/www/html, but that was permission denied as well. Thanks!
if your apache process is running as www-data, and the file ownership is pi:www-data, you probably need to run this chmod:
sudo chmod -R g+w /home/pi/Desktop
First, setting the group as www-data won't matter if the files are not group writable. Mode 755 will ensure apache can read the files, but the www-data user would still not be able to write.
Secondly, using "g+w" adds group write without messing with any of the other bits (644 becomes 664, and 755 becomes 775). This way you can safely adjust permissions recursively, without making files executable that shouldn't be.
Incidentally, sudo chmod g+s ... is probably not what you want. That will instead set the sgid bit, and not the group write bit.
First of all, why the heck are you using shell_exec to create a file? PHP has its own touch() function that will do that for you. You can also create files just by opening a nonexistent file using certain modes (i.e., fopen("myfile", "w")).
Using exec to create your files is surely messing with your permissions.
You need to find out which user PHP is running as and chown to that user. You can find that out by running get_current_user().
Then you need to change the permissions with chmod. There's an example in the comments so I won't repeat it. Good luck. Stop using shell_exec.

Why does file_put_contents have permission issues when run from the browser?

This question has been asked a couple of times up here, but I haven't found a solution yet. I have a Fedora 19 LAMP server and I just want to run the simple command: file_put_contents('test.txt', 'Hello there'); in order to confirm that my web server can use PHP to write data to files. I'm having trouble figuring out a proper permissions scheme. To start, just for development, Apache's document root is /var/www/html. This directory was originally owned by a user and group called www-data, but I changed the directory's group to the primary group of the owner of the httpd process, named apache. It is this owner that is active when PHP runs. I've confirmed this with the following:
As you see, the process owner is apache, the current directory is /var/www/html/php-console. The directory is owned by www-data and members of the group apache have full access to it.
I have tried the following to get PHP to actually create a file in this location, but to no avail:
chmod 777 /var/www/html/php-console
chown apache /var/www/html/php-console
chgrp apache /var/www/html/php-console
cd /var/www/html; > test.txt; chmod 777 test.txt;
Nothing will work while this script is run from the browser. However, when I use file_put_contents with the PHP CLI, it works just like I would expect, provided that the user I'm entering commands as or its group has write permissions to this directory or test file.
So, from the command line, you see how www-data has read, write, and execute permissions to the folder I'm in. posix_getpwuid and posix_geteuid help you to find the owner of the Apache/PHP process, which in this case is the same as the user logged into the console. file_put_contents successfully writes 8 bytes to the specified file. If I change the group or owner and group to something else, I get Permission denied, which absolutely makes sense.
If this works on the command line, then why not when I really want it to, i.e., while actually serving web pages???
Because you forgot to read the httpd_selinux(8) man page and give the directory the appropriate file context to allow the web server to write files there.
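The answer above is the key to the Fedora/CentOS cases in this thread: under SELinux, httpd is confined by file type as well as by uid/gid, so a directory can be 0777 and still unwritable, and `setenforce 0` (suggested elsewhere on this page) fixes it by switching the protection off entirely. The script below is an added example (not from the original answer) that first checks whether SELinux is actually what is blocking the write, then emits the persistent labelling commands from httpd_selinux(8) for review before running them. It assumes `semanage` from policycoreutils and a placeholder directory path.

```shell
#!/bin/sh
# Added example: label a directory so a confined httpd/PHP may write to it,
# instead of disabling SELinux. Assumed: semanage (policycoreutils) and
# restorecon are installed; the directory path is a placeholder.

# Emit the commands that label DIR and everything below it as
# httpd_sys_rw_content_t. Printed rather than run so they can be reviewed;
# the (/.*)? suffix makes the rule also cover files created later.
selinux_httpd_rw_cmds() {
    dir=${1%/}   # strip a trailing slash so the pattern is not "//.*"
    printf 'semanage fcontext -a -t httpd_sys_rw_content_t "%s(/.*)?"\n' "$dir"
    printf 'restorecon -Rv "%s"\n' "$dir"
}

# Returns 0 if SELinux is the thing blocking httpd writes to DIR: it must be
# Enforcing and DIR must not already carry one of the rw types.
selinux_blocks_httpd_write() {
    dir=$1
    command -v getenforce >/dev/null 2>&1 || return 1     # no SELinux on this host
    [ "$(getenforce)" = "Enforcing" ] || return 1
    ctx=$(ls -dZ "$dir" 2>/dev/null)
    case $ctx in
        *httpd_sys_rw_content_t*|*httpd_sys_script_rw_t*) return 1 ;;
        *) return 0 ;;
    esac
}

# Run the labelling commands when the tools exist, otherwise only show them.
selinux_httpd_rw_apply() {
    if command -v semanage >/dev/null 2>&1 && command -v restorecon >/dev/null 2>&1; then
        selinux_httpd_rw_cmds "$1" | sh
    else
        selinux_httpd_rw_cmds "$1"
    fi
}
```

A one-off `chcon -t httpd_sys_rw_content_t DIR` also works, but it is lost on the next relabel; the `semanage fcontext` rule is what survives. Keep the rw label on the smallest directory that genuinely needs it, not on the whole document root.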

Creating, moving, and deleting files in php without setting directory and file permissions to 777?

As the title suggests, I need the ability to create, move, and delete files and folders from php.
If I CHMOD all directories and files to 777, everything works great, but if I do 755 then the scripts die with errors about permissions.
From what I've read, using 777 permissions is insecure and should not be done. I have a VPS, but there are multiple users as I host a number of websites (some of which other people are in control of) and, regardless, I want to do whatever is the "best practice."
So, basically, what I'm wondering is how I should go about this? I'm new to php and "webmastering" and am not sure what to do.
Could anyone point me in the right direction?
One last note: In addition to being able to move and delete files that have been created from php, the scripts also need to move and delete files that have been uploaded via FTP from a Windows machine (I've noticed that by default when I upload files the CHMOD is 755).
EDIT: It may be relevant for me to mention that I ran phpinfo() and found the following under the section "PHP Credits":
User/Group nobody(99)/99
Permissions are set for what the owner can do, what the owner's user group can do (the owner's peers in the same user group), and what everyone else can do. That's what the 3 numbers are for: 753 is a "7" for the owner, a "5" for the group, and a "3" for everyone else. A "7" is full access (read, write, execute). A "5" is read and execute. You need write access to delete.
You should really read up on linux file permissions to see how they work.
I would recommend you use 775 or 770. The last digit is what anyone on the system or any shmoe browsing your site can do, so you want it as low as possible.
As far as your ftp script and your future other-users, just make sure they are in the same group as your apache user. Or, set up a group for those account you want to have access, and add your apache account to it.
In order to be able to manipulate files and directories without 0777 permissions, those files and directories need to be owned by the same user your PHP scripts run as.
You don't need to change things to 777, that gives the owner, group and guest all rights (read, write, execute). You can have it set to 755, or even 700 as long as the owner is whatever the PHP process is running under. Typically this will be the Apache user, since the PHP script is running under the Apache process.
You don't need to give execute privs, but you need to give execute on the directories so that the process can do things like change directories (cd).
Nate, this relates to the basic 101s of UID and GID based access control. I am assuming that your "multiple users" each have their own UIDs for FTP (and SSH?) access.
Typically files served by the webserver (Apache) must be read-accessible by the Apache child processes which will be running in www-data (or equiv) and hence must be o:r likewise any directories on the path to them must be o:e.
So you broadly have two options: (i) use a suEXEC / suPHP / FastCGI template to initiate PHP scripts in the UID of the owning directory, and (ii) run your scripts under mod_php5 and make any directories where you need script write-access owned by www-data.
This second approach is the most efficient in terms of machine resources, but it is terribly insecure as it in effect gives userA full R/W access to userB's resources and so on.
There's no way to square this circle. If you cannot guarantee shared trust between all users then you must read up on and implement a solution based on the (i) options.
Generally Folders should have 755 and files should have 644 permission set.
I'm facing this problem while working on a PrestaShop project.
Following PHP script solves my problem.
<?php
exec ("find /path/to/folder -type d -exec chmod 0755 {} +");
exec ("find /path/to/folder -type f -exec chmod 0644 {} +");
?>
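Taken together, the answers above converge on one layout: code in the document root as 755/644 owned by a deploy user, and a separate directory, group-owned by the web server's group and setgid, as the only place PHP may write. The script below is an added example (not from the original answers) that sets that layout up and then audits for the two things that usually go wrong afterwards: world-writable paths and executable files inside the docroot. The docroot, data directory, owner and web group are placeholders you pass in; it assumes GNU or BSD find/chmod/chown.

```shell
#!/bin/sh
# Added example: a "no 0777 anywhere" layout. The docroot is read-only for the
# web server; the data directory is the only writable location and is group-
# owned by the web server's group with setgid so uploads inherit that group.
# Assumed: GNU/BSD find, chmod, chown; all paths and names are placeholders.

# Docroot: readable by everyone, writable by the owner only, nothing executable.
lock_docroot() {
    docroot=$1; owner=$2
    chown -R "$owner" "$docroot"
    find "$docroot" -type d -exec chmod 0755 {} +
    find "$docroot" -type f -exec chmod 0644 {} +
}

# Data directory: owner and web group get rw, others get nothing.
make_writable_dir() {
    data=$1; owner=$2; webgroup=$3
    mkdir -p "$data"
    chown "$owner:$webgroup" "$data"
    chmod 2770 "$data"       # leading 2 = setgid: new entries inherit $webgroup
}

# Audit 1: anything world-writable under the given roots (should print nothing).
# Symlinks are skipped because their mode is always 777.
perm_audit() {
    for root in "$@"; do
        find "$root" -perm -o+w ! -type l -print
    done
}

# Audit 2: executable regular files in the docroot, which on a PHP site are
# usually the result of a careless recursive chmod or an upload.
docroot_exec_audit() {
    find "$1" -type f -perm -u+x -print
}
```

Uploaded content should go under the data directory, not the docroot; if it must be served, serve it through a location that has PHP execution disabled, so a file that arrives as `x.php` is delivered as bytes rather than run.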

function.fopen: failed to open stream: Permission denied in PHP

I'm trying to create XML sitemaps for my website from my PHP application. The idea is to either create a new file or overwrite an existing file. When I call fopen, I get the following error:
[function.fopen]: failed to open stream: Permission denied
I'm trying to write to the webroot and its permissions are: 755. This means that the owner has write permission, right? What do I need to do to make my script be able to write to this folder? 777 would be a bad thing, right? Can I run my script as owner somehow?
Thanks.
Yep, as you've said, using 777 could be a huge mistake. The webserver doesn't run with the same user as you use to create files and folders.
You have some options:
Run the sitemap creation as a cronjob, using an user with rights to write there, other than the apache user.
Put the sitemap in another directory, and then set up a 302 Redirect or a symlink. In this case, if you have a security issue that lets someone write your sitemap.xml, at least they'll not be able to create another file with a more dangerous extension (like PHP, which may result in a site intrusion).
Make a rewrite rule to redirect any hit to sitemap.xml, to a php script that outputs the appropriate XML.
Good luck!
I'm a beginner and I had this problem as well. I am using Ubuntu linux w/ php and apache
Write a php script w/ the following: <?php echo exec('whoami'); ?> and run it on your server. This tells you who the current user of the script is.
SSH to your server.
Make a group that has read and write access to the files you need.
Make group have read, write, and execute on folders you need.
Make the current user you found in the first step, part of the group that has access to the files you need.
Restart Apache: sudo apachectl restart
main commands you need are:
groupadd: Create a new group
usermod: add your user to a new group
chgrp: changes files / folders to group you specify
chmod: changes permissions on the files / folders you specify.
All the commands you need are here: http://www.yolinux.com/TUTORIALS/LinuxTutorialManagingGroups.html
If you have ACL enabled on the webroot partition just grant the web server username full rights
setfacl -m u:apache:rwx /var/www/html
Replace apache with the web server username and /var/www/html with your webroot location.
had the same problem
Looks like apache is running as nobody in the nobody group
so if you do a
usermod -aG nobody youruser
chown -R youruser:nobody .
Then change the permission to 0775
chmod -R 0775 .
or you may add nobody to your usergroup
usermod -aG yourgroup nobody
this be a better solution
Does it work with group write enabled (i.e. 775)?
Check your group permissions for the directory the file is in. As long as your PHP user (usually www-data) is part of that group, and it's the only user, you should be fine with 775 (or even 774).
Like Pascal said!
just find your apache user
<?php echo exec('whoami'); ?>
and then
usermod -aG username username2
chown -R username:username2 .
chmod -R 0775 .
And its done!
Thank you Pascal!
777 is pretty normal, because PHP does not run as you, it runs as a PHP user, Apache, etc. The fact is, your webhost should have a higher set of permissions that prevents other users from writing/deleting your files.