I have a PHP file, hook.php, that looks like this:
<?php
`cd .. && git pull`;
The file is located in /var/www/oliverash.me/site/. However, the git repository that needs to be pulled is /var/www/oliverash.me/. ./site is the folder Apache looks to as the document root.
When I run the file in my browser, it does not seem to be pulling the repository.
I have also tried to echo the result, but the page is blank.
<?php
echo `cd .. && git pull`;
I can't post a comment in reply to you, but I am assuming that you are running a *nix system. You will be getting a permission denied if your apache/php daemons don't have permission to access .git/. You can change the owner/group of the .git/ directory recursively. Or do a chmod -R o+rw .git/* to give everyone (i.e., not owner, not group) access to read and write in the git directory, which should clear up the permissions error that you are getting.
EDIT
Just re-read the question, so what follows probably isn't needed, but leaving it just in case.
Though, doing that, you need to keep in mind that anyone with access to your server will be able to go to http://myurl/.git/ etc to access those. So as a security precaution, I would add a .htaccess file like:
Order deny,allow
Deny from all
in the .git directory so that apache will deny access from a web browser to everything in there.
You've certainly got a permissions issue, maybe a couple.
The php page is going to execute as the apache user
That user must be able to write to the git repo in question
That user must be able to do the pull in question
You didn't specify what the source of the pull is, but if it's, for instance, a git: or ssh: repo, then that user will need perms (keys, username/password, whatever) to access the remote to do the pull from.
Just saw that it wants /var/www/.ssh - so you're using a ssh:// remote, which is fine, but since it's running as user apache (/var/www is user apache's homedir), it's looking for keys in /var/www/.ssh, which it's not finding, hence the failure. Solutions:
use sudo to switch to a user that does have perms and run the git pull as that user (in your php, do 'sudo git pull', and in your /etc/sudoers put a line allowing user apache to run the 'git pull' command)
set up a .ssh/config file that specifies a Host that's the remote, a User to use to login, and an Identity that is the path to the private key that the remote will allow to ssh in and do the pull.
create webhook.php in the root or anywhere from where you can access it
$result = exec("cd /path/to/repo && git pull origin branch");
make sure the permission is 775 and user of your file and your site directory is www-data owner
You are having a problem with the user here that is executing the command.
According to your various comments, the system commands are executed as the user named apache (homedir is /var/www). You can verify this by running the whoami command from within your PHP script:
<?php echo `whoami`;
That user named apache is commonly the user your webserver runs under, which then runs PHP which then runs the shell commands.
Obviously you want to run the command as some other user, but you have not shared so far the information which one.
Run the shell command under the right user and the problem should go away.
On a linux system, the command to run other commands under a different user is called sudo, another one su:
sudo(8) - Linux man page
su(1) - Linux man page
Alternatively you can make use of suexec to execute PHP under a different user than the webserver user.
In any case you need to ensure that you have a user that is able to execute the git command. I have no clue how you tested that on your own, best way I know is to ssh into the server box, do the git pull manually and collect the needed data like user-name, home directory etc.
Related
I have been searching for an answer to this for a couple of hours with no clear answer.
I normally write .php scripts which do helpful administrative tasks on my website. I upload them to an ftp folder, and run them from my browser when I need them.
Unlike what I am used to, I am trying to run a script (someone else wrote it) and have been told that I cannot do so from the browser and I need to do it from the command line. Basically everything is set up, but I cannot push the go button and run the script.
Any ideas? I have php installed on my local computer and can run scripts locally from browser and command line, but I do not know how to do the same for the scripts on my website.
I don't know if this helps, but my server is apache and runs off php version 5.3.3
Download Putty, from http://www.putty.org/
Run it
In "host" write your domain, and click on Open
When the black window opens, it will ask you for your credentials:
Write your ssh credentials, if you have them. If you don't, try with the ftp user and password.
If it doesn't work... get into your host control panel, and find out how to create an SFTP, or SSH user. If you can't find anything, contact support asking how to create that kind of user. When you have it
After you log in, you are inside your server, and you can move around as you would in Linux. If you don't know the basics, find a good tutorial. Or just rely on:
ls : list the files and directories
pwd : know in what directory you are
cd DIRNAME : change to other directory inside the current one
cd .. : change to the parent directory
When you are in the directory where your script lives, just execute:
php yourscript.php
If it's a php script
php path_to_script.php
else
/path/to/script
If it's the second option you will need to chmod +x /path/to/script first
These should all be run from a ssh session (or any other way of accessing a command line on the machine running the website)
To ssh to a server, use PuTTY if on Windows. Your host will be able to give extra details on how to access
I'm trying to use this Dagon Design PHP form to help a local non-profit publication enable their readers to submit photos. I've got the "mailer" part working -- the notifications work fine -- but the "saving a file to a folder" part isn't functioning.
On the form page, the author says "the directory must have write permissions," but I'm not sure "who" is writing to that folder -- is this PHP script considered "Owner" when it saves something on my site? Or do I need to allow save permissions for Owner, Group and Others?
I'm not sure why the script isn't saving the photos, but this seems like a good place to start. I've tried looking around on Stack for answers, but most questions seem to have to do with folder creation/permissions.
The page I'm clumsily trying to build is here, if that helps.
As Jon has said already, you don't want to allow write access to everyone.
It's also possible (depending on the hosting) that something like suEXEC is being employed - which will cause your PHP script to run as a user other than the webserver's (as reported by Dunhamzzz).
Probably your best approach, in my opinion, is a script calling whoami:
passthru('whoami');
Or alternatively you could try:
var_dump(posix_getpwuid(posix_geteuid()));
Bear in mind, this does give system information away to the world - so delete the script once you've used it!
Then, as you've correctly asserted in your question, it'll likely be the file permissions.
If you do have CLI access, you can update the permissions safely as so (first command gets the group)
id -n -g <username>
chmod 770 <directory>
chown <username>:<group> <directory>
(You may have to pre-pend "sudo" to the "chown" command above, or find other means to run it as "root"..., reply back if you get stuck.)
If you've not got access to run command-line, you'll presumably be doing this via a (S)FTP client or the like. I'm afraid the options get a little too broad at that point, you'll have to figure it out (or reply back with the client you're using!)
As always, YMMV.
Finally, bear in mind if this is your own code, people will at some point try uploading PHP scripts (or worse). If that directory is accessible via a public URL ... you're opening the hugest of security holes! (.htaccess, or non-document root locations are your friend.)
If you are not sure how your server is configured (and this would influence who's the final file owner) then add write permission to anyone (chmod a+w folder), upload one file and ls -l to see the owner. Then you can adjust permissions to allow write access to certain users only
The PHP script that saves the files is running with the privileges of some user account on the server; the specific account depends on your OS and the web server configuration. On Linux and when PHP is running as an Apache module this user is the same user that Apache runs as.
Solving your problem reduces to determining which user account we are talking about and then ensuring that this user has permission to write to the save directory (either as owner or as a member of the group; giving write access to everyone is not the best idea).
You'll need to set the permissions of the directory to that of the webserver (probably Apache, nginx or similar), as that's what is executing the PHP.
You can quickly find out the apache user with ps aux | grep apache, then you want to set the permissions of the upload directory to that user, something like this:
chown -R www-data:www-data images/uploads
I am currently over ssh on a remote CentOS 5.6 system which runs an Apache webserver. I need to use the poppler pdftohtml binary which, unfortunately, is not currently installed on that machine. So I downloaded the poppler package and built it under my user folder. Since I am not the system admin, I didn't do
make install
and I have all my compiled files under
/users/myfolder/poppler-0.18.2/
The file that I need to execute through php shell_exec() is
/users/myfolder/poppler-0.18.2/utils/pdftohtml
If I execute it through my ssh bash, I get the correct output. If I, instead, put this line on a php script:
echo shell_exec("/users/myfolder/poppler-0.18.2/utils/pdftohtml");
I get the following output:
sh: /users/myfolder/poppler-0.18.2/utils/pdftohtml: Permission denied
I tried setting to 777 the file permissions, which currently are -rwxrwxrwx. I also noticed that using shell_exec("whoami"); results in "apache". Shouldn't apache be able to execute the script if the file permissions are -rwxrwxrwx?
I also know that installing poppler through make install would solve the problem but since this is for testing purpose, I would like to avoid "contaminating" the system outside my personal folder until the testing is complete.
Thanks to anyone who will help!
Just because a file is executable for a user does not mean that user is actually able to execute the file. The user needs to also be able to 'get to' the file: The user needs execution permission for all 'parent directories', in your case for /users, myfolder, poppler-0.18.2 and utils.
Assuming /users is the same basic thing as /home, everybody should have +x on that. From there, you can set it: simply do chmod o+x /users/myfolder /users/myfolder/poppler-0.18.2 /users/myfolder/poppler-0.18.2/utils
(Note: This will make it possible for everybody to execute this binary, not just Apache.)
If the apache user and you share a group, it would be better to chown the poppler directory and everything in it to be owned by that group, and set g+x instead of o+x.
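The parent-directory check described in the answer above, as an added example that is not part of the original answer: a shell function that walks down to the file and reports the first directory without the o+x bit. The function names and the demo tree are constructed; it inspects mode bits only, so it assumes the web server user is neither owner nor group member of those directories.

```shell
#!/bin/sh
# Added example: find the first directory on the way to FILE that "other"
# users (for example the apache user) are not allowed to traverse.

# True if the "other" search (x) bit is set on directory $1.
other_can_search() {
    # Character 10 of `ls -ld` is the other-execute flag:
    # x or t = set, - or T = not set.
    flag=$(ls -ld -- "$1" | cut -c10)
    [ "$flag" = "x" ] || [ "$flag" = "t" ]
}

# first_blocked_dir FILE [START]
# Walks from START (default /) down to FILE's directory. Prints the first
# directory lacking o+x and returns 1; prints nothing and returns 0 otherwise.
# FILE and START must be absolute paths. The body is a subshell, so the IFS
# and noglob changes stay local and `exit` only ends the function.
first_blocked_dir() (
    start=${2:-/}
    start=${start%/}                 # "/" becomes the empty string
    rest=$(dirname -- "$1")
    rest=${rest#"$start"}            # components below START
    cur=$start
    other_can_search "${cur:-/}" || { printf '%s\n' "${cur:-/}"; exit 1; }
    IFS=/
    set -f
    for part in $rest; do
        [ -n "$part" ] || continue   # skip the empty field before the first /
        cur=$cur/$part
        other_can_search "$cur" || { printf '%s\n' "$cur"; exit 1; }
    done
    exit 0
)

# Constructed demo tree mirroring the layout in the question.
demo=$(mktemp -d) && chmod 755 "$demo"
mkdir -p "$demo/users/myfolder/poppler-0.18.2/utils"
touch "$demo/users/myfolder/poppler-0.18.2/utils/pdftohtml"
chmod 777 "$demo/users/myfolder/poppler-0.18.2/utils/pdftohtml"
chmod 700 "$demo/users/myfolder"     # typical private home directory
first_blocked_dir "$demo/users/myfolder/poppler-0.18.2/utils/pdftohtml" "$demo" \
    || echo "blocked at the directory above; 777 on the file does not help"
rm -rf "$demo"
```

On a real server, running `test -x` on each directory as the web server user is the authoritative check, since it also accounts for group membership and ACLs.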
Given a script test.php that has the contents:
#!/usr/bin/php
<?php
echo exec('whoami');
chmod('test.txt', 0755);
and a plain text file test.txt in the same directory as itself, it works fine if the user who created those files runs the script. However, if I do something along the lines of:
chown apache:apache test.php test.txt
chmod 4775 test.php
That gives the test.php the ability to run as the 'apache' user, no matter who's running it. But when I run it in that context, I get a "Warning: chmod(): Operation not permitted" error. And the user that gets echoed by the "whoami" command is the generic user, not the 'apache' user.
So, is there a way to allow a PHP script to run as a particular user, other than granting users sudo access to run the script as 'apache'?
So, is there a way to allow a PHP script to run as a particular user, other than granting users sudo access to run the script as 'apache'?
You must be missing something. Either you allow apache to execute the file under a different user (sudo/suexec) or not. However, this is merely configuration. So you should first decide what you want to achieve and then configure the server as needed.
So if you want to run the PHP script under a particular user, you do this with making use of the sudo functionality and specifying the user. Apache will then execute the script under that configured user.
If you do not like to make use of sudo then, well, then there is no other option than to run the script under the user that runs apache or apache has been configured to use for invoking the scripts.
So make your decision what you want to achieve. But if you want to change the user, the only way I'm aware of (probably there's something else as well but I doubt it) is making use of the apache sudo feature(s).
I have two scripts.
running an update and calling shell_exec('svn update') and shell_exec('svn st')
running a mysqldump shell_exec('mysqldump params')
The svn script is not running the update command, the svn st is printing results but not the svn update
I tried to declare parameters when calling svn update eg
'svn update ' . dir . ' --username myuser --password mypasswd --non-interactive';
-- still nothing
Played with most of the params
If this is something related to binaries/permissions/groups, I don't see it.
The mysqldump command works fine and is producing a file, so why isn't the svn updating the filesystem?
Please do not advise using core SVN classes in PHP. This is not an option, I don't have complete control over the server and the module is not available.
Thanks for your help,
-hbt
PS: important thing to mention here. The scripts works when called via the command line. It only fails when called via a web browser.
I was also encountering the same problem but not even permissions solved it.
Based on some of the other advice here, I did:
<?php
echo shell_exec('2>&1 svn update /path/to/checked/out/directory/ --non-interactive');
I then got an error dumped into my browser:
svn: warning: Can't open file '/root/.subversion/servers': Permission denied
svn: OPTIONS of 'http://my.svn.server/svn/project/trunk': authorization failed: Could not authenticate to server: rejected Basic challenge (http://my.svn.server)
Not sure why my web server user tried to access /root but I fixed the problem without changing any permissions by adding --config-dir to the svn up command:
<?php
echo shell_exec('2>&1 svn update /path/to/checked/out/directory/ --non-interactive --config-dir /path/to/my/home/.subversion');
*Note that /path/to/my/home/.subversion exists because the initial checkout was done on the command line
To get the standard error in the return value use:
shell_exec('2>&1 svn update')
it doesn't work if you put the 2>&1 at the end
It might be permission problem: script called via a web browser runs under different username than svn working directory's owner, therefore it has read-only access. Read-only access should be enough for svn status to execute, but not for svn update (though in this case there should be an error like "svn: Can't open file '.svn/lock': Permission denied").
Have you tried the PECL svn extension? You don't need to use shell_exec for this.
OK. I got it.
It is an issue with permissions. The .svn directory must have the right permissions because the svn update command is using those directories to write stuff.
So!
---Make sure you run all chmod commands as sudo or root----
run a chmod 777 on .svn directory
run an svn update via command line
call script
If nothing. You must run chmod 777 recursively for all .svn directories then run another svn update
Still nothing?
Make sure you don't have two svn clients
In my case, the svn client used by the UI is different from the svn (command line)
If you have two clients, make sure they are running the same version
Or update your script to call the client directly.
Still nothing?
Run a chmod 777 -R *
svn update
and try again
If you can make it work with another set of permissions, please let me know. I know that 777 is not ideal, but I can't make it work with something lower.
Thanks again guys.
Yes, the problem is the permissions with the .svn directory.
Make sure it has the correct permissions for the user that PHP is running as (in my case it was apache) and chmod it to 775.
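An added example, not part of the thread: one way to give the web server user write access to a working copy through a shared group instead of 777, along the lines of the chown/775 and g+x suggestions above. The function names and the demo tree are constructed, and it assumes the web server user belongs to the group you pass in.

```shell
#!/bin/sh
# Added example: replace a 777'd working copy with group-only access.
# Assumption: the web server user is a member of GROUP.

# restrict_to_group DIR GROUP
restrict_to_group() {
    chgrp -R -- "$2" "$1" || return 1
    # g+rwX: group may read/write; X adds search/execute only on directories
    # and on files that are already executable. o-rwx: drop "other" entirely.
    chmod -R g+rwX,o-rwx -- "$1" || return 1
    # setgid on directories: files created later (by svn update, by you)
    # inherit GROUP instead of the creator's primary group.
    find "$1" -type d -exec chmod g+s {} +
}

# count_other_access DIR: number of entries still granting any bit to "other".
count_other_access() {
    find "$1" ! -type l \( -perm -001 -o -perm -002 -o -perm -004 \) |
        wc -l | tr -d ' '
}

# Constructed demo: a fake working copy opened up with chmod -R 777.
wc_dir=$(mktemp -d)
mkdir -p "$wc_dir/.svn/tmp"
touch "$wc_dir/.svn/entries" "$wc_dir/index.php"
chmod -R 777 "$wc_dir"
echo "before: $(count_other_access "$wc_dir") entries open to everyone"
restrict_to_group "$wc_dir" "$(id -g)"   # on a server: the web server's group
echo "after:  $(count_other_access "$wc_dir") entries open to everyone"
ls -ld "$wc_dir/.svn"
rm -rf "$wc_dir"
```

Run it as the owner of the working copy or as root; users who commit from the command line need to be in the same group.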