i'm having problem writing to a text file using php. this might sound simple but i've set the file owner and group to apache/root, permission to 777 and i'm still unable to write to file. i'm running centos with php 5.3.8.
====================
New info
====================
semanage fcontext -l | grep httpd | grep rw
/var/lib/drupal(/.*)? all files system_u:object_r:httpd_sys_script_rw_t:s0
/var/spool/gosa(/.*)? all files system_u:object_r:httpd_sys_script_rw_t:s0
/var/lib/bugzilla(/.*)? all files system_u:object_r:httpd_bugzilla_script_rw_t:s0
/var/spool/viewvc(/.*)? all files system_u:object_r:httpd_sys_script_rw_t:s0
To allow the directory to be r/w, i used the chcon command to add the httpd_sys_script_rw_t type to the directory and anything under it:
chcon -R -t httpd_sys_script_rw_t <directory>
The -R flag makes the command recursive.
The -t flag sets the extended attribute on the file to the specified file context. In this case the httpd file context httpd_sys_script_rw_t which is used when:
you want httpd_sys_script_exec_t scripts to read/write the data, and disallow other non sys scripts from access.
The appropriate file contexts to use for allowing HTTPd to write to disk (as well as booleans for other operations) are described in the httpd_selinux(8) man page.
Related
I have a php file that has a shell_exec call. The shell_exec functions runs a .sh file.
#!/bin/bash
filename=$(ls *.jpg -Art | tail -n 1)
codegen_dir=/usr/local/codegen/
cd "$codegen_dir"
out=$(./classifier /var/www/$filename)
echo $out
The executable 'classifier' exists in the codegen_dir and has 1 shared library dependency. The script runs correctly from the command line. The php file also runs correctly from the command line. however, when I run the php file as a http request I get the following in std_err:
"./classifier: error while loading shared libraries: libreader.so: cannot open shared object file: No such file or directory"
The .so file is in the same directory as the executable
My php server root is : /var/www
All files in the server root have the permissions:-rwxrwxrwx 1 www-data www-data
All files in 'codegen_dir' have the permissions: -rwxrwxrwx 1 ubuntu www-data
I am able to read other files in the codegen_dir
Shared libarary path might be not accessible by apache user. You can allow classifier program in sudoers file for apache and use sudo to run classifier application as apache user
Or
make shared libraray and its path accessible by all users by changing its permission
out=$(sudo ./classifier /var/www/$filename)
Try to login with apache user and run above script or try to access shared lib
su -s /bin/bash apache
I understand the security implications of 777. This is just a troubleshooting measure.
Parent folder:
drwxrwxrwx. 3 web www-data 22 Jun 5 11:04 library
For good measure the immediate parent is also 777.
PHP is running as apache:
print shell_exec( 'whoami' );
Returns apache which is a member of the www-data group:
# groups apache
apache : apache www-data
The mkdir command fails:
mkdir("/var/www/html/library/temp__9pa2spj13nkiatknv8odqrv3n0");
Warning: mkdir(): Permission denied in /var/www/html/test.php
If I try to chdir to the directory first, I can getcwd() and it's correct. If I try to create the directory at that point if fails.
I'm out of ideas on what to test.
Here's my entire test script for good measure:
<?php
error_reporting(E_ALL);
ini_set('display_errors', TRUE);
ini_set('display_startup_errors', TRUE);
print shell_exec( 'whoami' );
mkdir("/var/www/html/library/temp__9pa2spj13nkiatknv8odqrv3n0");
chdir("/var/www/html/library");
echo getcwd();
mkdir("temp__9pa2spj13nkiatknv8odqrv3n0");
By default SE Linux should be configured to block writes to any files by the web server (Apache). The httpd_sys_content_t shows that the directory is set to read only. You need to set it to read/write by using the httpd_sys_rw_content_t context. This can be done using the semanage tool. The command would look like this.
semanage fcontext -a httpd_sys_rw_content_t "/var/www/html/library(/.*)?"
After you set that policy, you can apply it by doing...
restorecon -Rv /var/www/
I have a function in PHP language to create an xml file when requested.
if(($file= fopen("./include/catalogo.xml", "w"))==false){echo 'non creo il file'; return false;}
"catalogo.xml" can't be created, permission denied. I know I should try to change permissions, but how can do this if the file doesn't exist? Or, are there things that I ignored?
I think you might be ignoring the permissions of the directory (./include).
I'm assuming you are running this PHP via a web-server and on Linux (like Apache for example) - in which case the user account that is trying to create the file will be 'apache' or 'www-data' (or whatever user your webserver is running under).
On your server - have a look at the permissions of ./include - you need to do one of two things:
a) make ./include world writable (so the 'apache' user can now create a file inside of it).
b) change the owner or group of the ./include to 'apache' so it can create a file inside of it.
Your PHP is fine - it's the permissions of the folder it is trying to create the file inside of that is not.
You have to change the ownership of the directory "include" and set it to the web server's user and set the permission to a reasonable value:
$ sudo chow www-data include
$ sudo chmod 755 include
If you don't know which user your web-server is running by you can open the include dir permissions world-wide:
$ sudo chmod 1777 include
after create the creation of catalogo.xml you check the include diretory:
$ sudo ls -al include
-rwxr-xr-x 1 http web 4096 May 5 15:37 catalogo-xml
Now you can change the ownership of the directory "include" and set it to the web server's user (http) and reset the permission to a reasonable value:
$ sudo chow http include
$ sudo chmod 755 include
See also the manual of chmod, chown and ls:
$ man chmod
$ man chown
$ man ls
If you use the terminal and go to the parent of folder your file will be created in, which is the parent of the include folder and type in the command:
chmod 777 include
This should change the permissions of this folder so you won't receive the permission denied error anymore. If you do try this command:
chmod -R 777 include
I have recently installed FC13 and am attempting to write a mechanism in my PHP code that caches gathered data into a specific directory (for our purposes here, let's call it /var/www/html/_php_resources/cache).
I copy my files over to the /var/www/html directory and then run chown -R apache:apache /var/www/html/* and chmod a+w /var/www/html/_php_resources/cache on the new data. For right now I am just using the global write permission for convenience. I will tweak the permissions later.
When I attempt to use the chmod or mkdir PHP functions I wind up with:
Warning: chmod(): Permission denied in /var/www/html/_include/php/CacheInit.php
or
Warning: mkdir(): Permission denied in /var/www/html/_include/php/CacheInit.php
Now, when I disable SELinux everything works just fine. The problem is that I would prefer not to disable SELinux and actually get the permissions set up correctly so that I can port it over to servers where someone does not have such explicit control.
As an example: my personal site host allows me to set read/write permissions on directories but will not allow for SELinux policy changes.
FYI:
uname -r = 2.6.34.7-56.fc13
*php -version * = PHP 5.3.3
rpm -qa | grep httpd = httpd-2.2.16-1.fc13
Does anyone have any suggestions?
I had the same problem, trying to mkdir from php. Not so much information on google but this is what I found and I guess this is the correct solution. One have to label the dir in which apache should create directories.
Label should be "httpd_sys_script_rw_t" and I found that info here: http://docs.fedoraproject.org/en-US/Fedora_Core/5/html/SELinux_FAQ/index.html#id672528
Here's how to label the dir: chcon -R -t httpd_sys_script_rw_t <dir>
Reference somewhere here: http://www.centos.org/docs/5/html/Deployment_Guide-en-US/rhlcommon-chapter-0017.html
Hope this help someone out there.
When I use chmod() to change permissions at run time, it gives me the below message:
Warning: chmod() [function.chmod]: Operation not permitted in /home/loud/public_html/readalbum.php
How can I remove this error and make the chmod function work?
$ sudo chmod ...
You need to either be the owner of the file or be the superuser, i.e., user root. If you own the directory but not the file, you can copy the file, rm the original, then mv it back, and then you will be able to chown it.
The easy way to temporarily be root is to run the command via sudo. ($ man 8 sudo)
In order to perform chmod, you need to be owner of the file you are trying to modify, or the root user.
This is a tricky question.
There a set of problems about file permissions. If you can do this at the command line
$ sudo chown myaccount /path/to/file
then you have a standard permissions problem. Make sure you own the file and have permission to modify the directory.
If you cannnot get permissions, then you have probably mounted a FAT-32 filesystem. If you ls -l the file, and you find it is owned by root and a member of the "plugdev" group, then you are certain its the issue. FAT-32 permissions are set at the time of mounting, using the line of /etc/fstab file. You can set the uid/gid of all the files like this:
UUID=C14C-CE25 /big vfat utf8,umask=007,uid=1000,gid=1000 0 1
Also, note that the FAT-32 won't take symbolic links.
Wrote the whole thing up at http://www.charlesmerriam.com/blog/2009/12/operation-not-permitted-and-the-fat-32-system/
You, or most likely your sysadmin, will need to login as root and run the chown command:
http://www.computerhope.com/unix/uchown.htm
Through this command you will become the owner of the file.
Or, you can be a member of a group that owns this file and then you can use chmod.
But, talk with your sysadmin.