I currently manage 8 different sites for my organisation and built a central management website to help manage the content on them all.
I currently have a file uploader on the administration website that allows me to upload ZIP files to the server. This script then unzips the package, and moves the files to different parts of the server.
The problem is, when I upload files through the browser, it assigns ownership to apache (for both user and group). This causes me a problem when I try to overwrite the files using FTP.
I have tried to change the owner of the uploaded files as soon as they've been uploaded / moved, both with PHPs native 'chown' function and also using the exec function to run the linux command chown but both fail (PHPs native chown displays an 'operation not permitted' error)
So my questions:
1) Am I going about this the wrong way? (My knowledge of file ownership is limited)
2) Is there a reason why I shouldn't change file ownership?
3) Are there any work arounds?
If you would like any more information, please feel free to ask.
Many thanks
Phil
Current file details of file uploaded via browser:
[file].php permissions: adfr (0644) Owner: Apache Group: Apache
File details of file uploaded via FTP:
[file].php permissions: adfr (0644) Owner: [ftp login name] Group: psacln
I do something very similar of what you do but I dont use ftp, I use scp, part ssh. With this you can do something like this:
$> scp -rp /var/www/html/somedir/* 192.168.1.100:/var/www/html/somedir/.
This way with the p flag you tell the command to copy the files and preserve permissions, ownership, date stamps. The r flag creates subdirectories as needed and recursive copies.
Just like any other command you can place several lines of scp in a script to automatize, but to avoid password use ssh generated certificates among servers.
Related
I'm facing a problem with deleting video files from folder using php unlink() function , image are deleting but when trying deleting videos it says
unlink(file_path) : permission denied.
You (running your script as either through CLI or a webserver) need write access to the directory in which the files are located. so access to the file is not enough.
Your image directory would be different and writable for webserver or cli.
chmod("your/video/dir/path",0777);
try using above code before unlink the video in your script.
Edit: Looks like you are using Windows. Unfortunately, my answer is for Unix-like operating systems (so Linux, MacOS). You could try installing Bash extension for Win8+, but still I'm not sure if this would work. However, I'm keeping my answer in case of anyone with similar problem is looking here for an answer.
Changing permissions through PHP might work in some cases, but not always, because if you don't have permissions to delete the file you might also not have permissions to change them.
The best solution is to create a directory where you will keep files to which PHP will have full access. Let's call it dirname. Once you have created a directory, change its owner and group to the one corresponding to your web server user's name (if you're using Apache, it's "www-data"), for example: chown www-data:www-data dirname.
Once you've done that, change folder's permissions. My suggestion is 744, it will assure that user who owns it will have all permissions, and everyone else will be able only to read it. To do that, execute the following command: chmod -R 777 dirname.
Now you should be able to do anything you want with the files in given directory directly from PHP.
I am having a irritating problem concerning the permissions of files created by Wordpress.
When i download plugins using wordpress or uploading images, and even when a php script creates a dir/files it puts the permissions of this folder into a different user/group.
My user does has no access to this file/folder under my own ftp account.
Is there a way to change files/folders ownership created by apache/php/wordpress to my user ?
If you are using Ubuntu (I don't know if int other distros the files are in the same location) you can edit the file envvars located in /etc/apache2 and restart Apache.
If you can use ACL this is a better solution than changing the user for Apache, more info: https://help.ubuntu.com/community/FilePermissionsACLs
If you want to change the permissions from a php script, you could use the chown() function
This question is related to another question I wrote:
Trouble using DOTNET from PHP.
Where I was using the DOTNET() function in PHP to call a DLL I had written.
I was able to get it working fine by running php.exe example.php from the command line (with the DLL's still in the PHP folder).
I moved the php file to an IIS 7 webserver folder on the same machine (leaving the DLLs in the same php folder), but I keep getting a 500 internal service error.
I've checked the server logs (in c:\inetput\logs\ and in c:\windows\temp\php53errors) but there doesn't seem to be any relevant information about what caused the error. I even tried to change the php.ini settings to get more error feedback, but that doesn't seem to help.
I can only guess that the issue may be related to:
that php file not having the proper permissions (my dll does some file reading/writing)
php can't find the DLLs
The actual error I get is:
The FastCGI process exited unexpectedly.
Any idea on how to debug this problem?
The problem here is almost certainly related to file permissions.
When you run php.exe from the command line you run as your own logged-in user. When running a PHP script from IIS, in response to an http request, php.exe runs as a different user. Depending on your version of Windows it could be
IUSR_machine - on IIS6 and prior
IUSR on IIS7 and later
These users need permissions on the php file to be executed.
Read more about it
On IIS7 and later I use a command-line tool called icacls.exe to set the permissions on directories or files that need to be read by IIS and the processes it starts (like php.exe). This security stuff applies to all IIS applications: PHP, ASPNET, ASP-classic, Python, and so on.
IIS also needs to be able to read static files, like .htm, .js, .css, .jpog, .png files and so on. You can set the same permissions for all of them: Read and Execute.
You can grant permissions directly to the user, like this:
icacls.exe YOUR-FILE-GOES-HERE /grant "NT AUTHORITY\IUSR:(RX)"
You can also grant permissions to the group, to which IUSR belongs, like this:
icacls.exe YOUR-FILE-HERE /grant "BUILTIN\IIS_IUSRS:(RX)"
In either case you may need to stop and restart IIS after setting file-level permissions.
If your .php script reads and writes other files or directories, then the same user needs pernissions on those other files and directories. If you need the .php script to be able to delete files, then you might want
icacls.exe YOUR-FILE-HERE /grant "BUILTIN\IIS_IUSRS:(F)"
...which grants full rights to the file.
You can grant permissions on an entire directory, too, specifying that all files created in that directory in the future will inherit the file-specific permissions set on the directory. For example, set the file perms for the directory, then copy a bunch of files into it, and all the files get the permissions from the parent. Do this with the OI and CI flags (those initials stand for "object-inherit" and "container-inherit").
icacls.exe DIRECTORY /grant "BUILTIN\IIS_IUSRS:(OI)(CI)(RX)"
copy FILE1 DIRECTORY
copy FILE2 DIRECTORY
...
When I want to create a new vdir in IIS, to allow running PHP scripts, or ASPX or .JS (yes, ASP Classic) or Python or whatever, I do these steps:
appcmd.exe add app /site.name:"Default Web Site" /path:/vdirpath /physicalPath:c:\docroot
icacls.exe DIRECTORY /grant "BUILTIN\IIS_IUSRS:(OI)(CI)(RX)"
Then I drop files into the directory, and they get the proper permissions.
Setting the ACL (access control list) on the directory will not change the ACL for the files that already exist in the directory. If you want to set permissions on the files that are already in the directory, you need to use icacls.exe on the particular files. icacls accepts wildcards, and it also has a /t switch that recurses.
I think this question should be something easy but after searching all over the web I couldnt find an answer, so I decided to ask here.
I have a file uploader in my website that works with php. The folder where files are being uploaded has 777 chmod. I also have a php script to list the files in that folder. What I need is to allow php to upload and browse files on that folder, but dont allow people to do it. The only solution I imagined is to chown that folder to another user different than default, so I could later chmod in filezilla and allow only owner to do it, so people will see the files trough the output of the php script, but not if they navigate to that folder.
Im using Debian, apache2. Id like to know what could I do.
To make it shor, my aim: allow php to upload, read, write and execute files in that folder, but not clients unless they use my php script.
Thanks in advance
Put all the files you're talking about in their own directory. Add a .htaccess file to that directory. The contents of the .htaccess should be deny from all.
This will prevent any user from manually accessing the files as access will be blocked off. Your PHP script can still browse the contents of the file and serve it up as an attachment with the correct content type.
For more info on how to serve a file for download in PHP, read this: https://serverfault.com/questions/316814/php-serve-a-file-for-download-without-providing-the-direct-link
All services including web servers run in a security context which is an account in the OS, for example apache starts using apache user in apache group. It is enough to change mode and change owner to this user and group. Never chmod a directory to 777 until there is a good explanation for that. Using this trick, web service process only can read, write and execute in that directory.
As well, if you want the browser clients not to see(read) the contents of that directory, you should deny listing on that directory. I think it is disabled for default.
I have a PHP script that is accepting all emails (wildcard) to my domain, and inserting the data into MySQL.
The beginning of the script has this line:
#!/usr/bin/php -q
It then looks like a regular PHP script. The part that writes the attachments to disk seems to work but the permissions on the new folders where they're stored were created by the 'nobody' user.
How can I edit permissions so that after these files are written to disk, they can be accessed by the webserver/webserver user?
Thanks for the help!
(Fedora 14 Linux server, Postfix)
You can preform your file system operations by FTP so you will have the same permissions as your user.
its better then give all the PHP users on server access to your files.
http://php.net/ftp
What user is PHP running as? PHP does have a chmod function, but you can't elevate privileges higher than what the user PHP is running as.
If that doesn't do the trick, could you chown the attachment directory to be owned by whatever user PHP is running as?
I suggest you do the following:
chown -R apache:apache directory_name
This is because PHP runs as the web server user (I believe this is apache on Fedora). Otherwise, if you are using a different web server, then change the ownership of the files to that web server's user (you are sure to find this in the server's configuration files somewhere).
You need sticky bits on the file server level.
setting the sui/sgid bits