Environment
PHP -V output: PHP 5.3.5-1ubuntu7.2 with Suhosin-Patch (cli) (built: May 2 2011 23:00:17) Copyright (c) 1997-2009 The PHP Group Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
cat /etc/issue output: Ubuntu 11.04
Apache2 -V ouput: Server version: Apache/2.2.17 (Ubuntu) Server built: Sep 1 2011 09:31:14
Browser About output: Firefox 6.0.2
PS -AUX Ouput
root 2943 0.0 0.3 206420 12428 ? Ss Sep19 0:20 /usr/sbin/apache2 -k start
www-data 18658 0.0 0.2 208552 11096 ? S Sep25 0:00 /usr/sbin/apache2 -k start
www-data 18659 0.0 0.3 208976 12036 ? S Sep25 0:00 /usr/sbin/apache2 -k start
www-data 18660 0.0 0.3 210532 12476 ? S Sep25 0:00 /usr/sbin/apache2 -k start
www-data 18661 0.0 0.3 210276 11820 ? S Sep25 0:00 /usr/sbin/apache2 -k start
www-data 18662 0.0 0.2 206948 10236 ? S Sep25 0:00 /usr/sbin/apache2 -k start
www-data 20037 0.0 0.3 208976 12128 ? S 08:22 0:00 /usr/sbin/apache2 -k start
www-data 20039 0.0 0.3 209132 11748 ? S 08:23 0:00 /usr/sbin/apache2 -k start
www-data 20120 0.0 0.3 209004 12000 ? S 09:04 0:00 /usr/sbin/apache2 -k start
File Permissions
drwxr-xr-x 2 www-data www-data 4096 2011-09-26 15:24 .
drwxr-xr-x 4 www-data www-data 4096 2011-08-26 11:31 ..
-rw-r--r-- 1 root root 161976 2011-08-26 16:26 market.txt
-rw-r--r-- 1 root root 0 2011-09-26 14:55 test1.txt
-rw-r--r-- 1 root root 0 2011-09-26 14:55 test2.txt
-rw-r--r-- 1 root root 0 2011-09-26 14:55 test3.txt
-rw-r--r-- 1 root root 0 2011-09-26 14:55 test4.txt
-rw-r--r-- 1 root root 0 2011-09-26 15:02 test5.txt
Code
rename($file, "$dest/$file");
Question
When I run the above code on the files listed in the File Permissions section above, it properly moves the file from its current location to a new location and removes the original. How is this possible when apache2 is running as www-data and the files are owned by root and only have read access for non-root users? On the PHP documentation it says:
Warnings may be generated if the destination filesystem doesn't permit chown() or chmod() system calls to be made on files — for example, if the destination filesystem is a FAT filesystem.
Does rename() call either of those system functions during the process? If so, why? Not that it matters anyway as www-data should not be able to chown/chmod a file owned by root anyway.
Can anyone explain to me how this is occuring?
Additional Information
I have tried this with the PHP script owned by root and by www-data and it works.
I tried to provide as much pertinent info as possible but let me know if you need anything else.
Moves don't "remove" originals, unless the move takes place across filesystem boundaries. Within a single filesystem, a move simply rewrites the relevant directory entries so it APPEARS that you've copied/deleted the file, but all you've done is a bit of housekeeping. Since www-data owns the directories in question, it can rewrite the directory entries representing those files all it wants, and never touch the actual files.
When moving files you are not editing the files themselves, but rather the directory they are part of. In your case that directory is owned by www-data (the apache process)
Related
I want to generate a file by batch.php, which is linked to the button in this page:
<?php
echo "Hello world!";
'cat 123 > uploads/cat.txt';
echo "Bye world!";
?>
Clicking on the button does launch batch.php, however, cat.txt is NOT generated on the server side.
Does anyone know how to fix this? Maybe I need to setup some permission for the folder?
Edit 1:
ps aux|grep -E 'apache|www-data|http|php' returns:
root 12269 0.0 2.1 278256 10796 ? Ss Aug02 3:38 php-fpm: master process (/etc/php5/fpm/php-fpm.conf)
www-data 12301 0.0 0.8 97728 4044 ? S Aug02 3:27 nginx: worker process
www-data 12302 0.0 0.8 98104 4296 ? S Aug02 3:54 nginx: worker process
www-data 12303 0.0 0.9 97940 4520 ? S Aug02 3:46 nginx: worker process
www-data 12304 0.0 0.9 98132 4544 ? S Aug02 3:47 nginx: worker process
timur 14888 0.0 0.1 11712 932 pts/0 S+ 15:04 0:00 grep --color=auto -E apache|www-data|http|php
www-data 18748 0.0 8.7 298196 43668 ? S Sep07 0:12 php-fpm: pool www
www-data 18749 0.0 6.4 286660 32432 ? S Sep07 0:11 php-fpm: pool www
www-data 21100 0.0 8.3 296204 42048 ? S Sep05 1:02 php-fpm: pool www
ls -l returns:
total 20
-rw-r--r-- 1 root root 84 Sep 12 08:33 batch.php
-rw-r--r-- 1 timur timur 5120 Sep 12 09:00 generateFile.exe
-rw-rw-r-- 1 timur timur 138 Sep 12 08:28 index.html
drwxrwxrwx 2 timur timur 4096 Sep 12 15:03 uploads
I granted 777 to uploads, and I tried all the possible owner names and owner groups (ie, timur:timur, www-data:www-data and root:root), but none of them works...
The key is to write exec('cat 123 > uploads/cat.txt') or shell_exec('cat 123 > uploads/cat.txt') instead of 'cat 123 > uploads/cat.txt'.
Then, although drwxrwxrwx 2 timur timur 4096 Sep 12 15:03 uploads works, assigning 755 and www-data:www-data (reserved to PhP) to uploads is more correct.
I'm trying to install a PHP-based software package in a Red Hat 7 Amazon EC2 instance (ami-8cff51fb) that has had Apache 2.4.6 and PHP 5.4.16 installed on it using yum. The installation fails because it says a particular directory needs to be writable by the webserver with 0755 or 0775 permissions.
The directory in question has 0775 permissions with root:apache ownership. I have verified that the httpd process is being run by the apache user and that the apache user is a member of the apache group.
If I edit /etc/passwd to temporarily give the apache user a login shell and then su to that account, I am able to manually create files as the apache user within the directory using the touch command.
I took a look at the source code of the installer script and identified that it's failing because PHP's is_writable() function is returning false for the directory in question. I created a separate test PHP script to isolate and verify the behaviour I'm seeing:
<?php
$dir = '/var/www/html/limesurvey/tmp';
if (is_writable($dir)) {
echo $dir, ' is writable';
} else {
echo $dir, ' is NOT writable';
}
?>
This outputs the NOT writable message. If I change $dir above to be /tmp then it correctly outputs that /tmp is writable.
If I change the directory permissions to 0777 and/or change the ownership to apache:apache then PHP still reports that the directory isn't writable. I even tried creating a /test directory set up with the same permissions and ownership and my test script still reports it as not writable.
I'm really at a loss as to explain this behaviour, so any ideas would be welcome!
Thanks in advance.
The directory listing for /var/www/html/limesurvey is given below. The tmp and upload directories have 0775 permissions as per Lime Survey's installation instructions. test.php is my test script mentioned above.
[ec2-user#ip-xx-x-x-xxx limesurvey]$ pwd
/var/www/html/limesurvey
[ec2-user#ip-xx-x-x-xxx limesurvey]$ ls -al
total 80
drwxr-xr-x. 20 root apache 4096 Mar 30 11:25 .
drwxr-xr-x. 3 root root 23 Mar 25 14:41 ..
drwxr-xr-x. 2 root apache 38 Mar 10 12:56 admin
drwxr-xr-x. 16 root apache 4096 Mar 10 12:56 application
drwxr-xr-x. 3 root apache 4096 Mar 10 12:56 docs
drwxr-xr-x. 2 root apache 4096 Mar 10 12:56 fonts
drwxr-xr-x. 19 root apache 4096 Mar 10 12:56 framework
-rw-r--r--. 1 root apache 429 Mar 10 12:56 .gitattributes
-rw-r--r--. 1 root apache 399 Mar 10 12:56 .gitignore
-rw-r--r--. 1 root apache 296 Mar 10 12:56 .htaccess
drwxr-xr-x. 4 root apache 4096 Mar 10 12:56 images
-rw-r--r--. 1 root apache 6652 Mar 10 12:56 index.php
drwxr-xr-x. 5 root apache 39 Mar 10 12:56 installer
drwxr-xr-x. 89 root apache 4096 Mar 10 12:56 locale
drwxrwxr-x. 2 root apache 39 Mar 25 14:41 logs
drwxr-xr-x. 4 root apache 49 Mar 10 12:56 plugins
-rw-r--r--. 1 root apache 61 Mar 10 12:56 README
drwxr-xr-x. 4 root apache 4096 Mar 10 12:56 scripts
-rw-r--r--. 1 root apache 380 Mar 10 12:56 .scrutinizer.yml
drwxr-xr-x. 5 root apache 4096 Mar 10 12:56 styles
drwxr-xr-x. 5 root apache 4096 Mar 10 12:56 styles-public
drwxr-xr-x. 12 root apache 4096 Mar 10 12:56 templates
-rw-r--r--. 1 root apache 159 Mar 30 11:11 test.php
drwxr-xr-x. 3 root apache 20 Mar 10 12:56 themes
drwxr-xr-x. 26 root apache 4096 Mar 10 12:56 third_party
drwxrwxr-x. 5 root apache 80 Mar 26 13:45 tmp
drwxrwxr-x. 6 root apache 79 Mar 10 12:57 upload
Running namei -l /var/www/html/limesurvey/tmp gives:
[ec2-user#ip-x-x-x-xxx ~]$ namei -l /var/www/html/limesurvey/tmp
f: /var/www/html/limesurvey/tmp
drwxr-xr-x root root /
drwxr-xr-x root root var
drwxr-xr-x root root www
drwxr-xr-x root root html
drwxr-xr-x root apache limesurvey
drwxrwxr-x root apache tmp
After much head-scratching, it transpired that SELinux was preventing the directory from being written to. I found a good tutorial that explains what's going on. I was able to fix it by running this command:
sudo chcon -R -t httpd_sys_rw_content_t tmp
in CentOS 6 above should be SELinux enable enforcing
setenforce Permissive
check the status
sestatus
refer to https://wiki.centos.org/HowTos/SELinux
to write to a directory you also need execute permissions to the dirs above.
namei -l /var/www/html/limesurvey/tmp
should show which step you do not have the correct permissions for.
HTTPDUSER=`ps aux | grep -E '[a]pache|[h]ttpd|[_]www|[w]ww-data|[n]ginx' | grep -v root | head -1 | cut -d\ -f1`
sudo setfacl -R -m u:"$HTTPDUSER":rwX -m u:`whoami`:rwX tmp
sudo setfacl -dR -m u:"$HTTPDUSER":rwX -m u:`whoami`:rwX tmp
Taken directly from the Symfony2 installation guide, this solves the problem with cache write access sharing between Apache and CLI tools. This might work for your tmp directory as well.
is_writable by default only checks on the user, not the group.
So even if you group is matching and has permissions is_writable will return false.
To relax this check you will need to set
safe_mode_gid = On
in the PHP config or change the user accordingly.
i'm trying to run a windows7 php project in ubuntu 12.04. i give the correct paths as i saw from web console but the css file and other files aren't used. The errors that web console shows are the following:
GET http://192.168.1.3/webserver/css/myCSSfile.css [HTTP/1.1 403 Forbidden 0ms]
GET http://192.168.1.3/webserver/css/search.css [HTTP/1.1 403 Forbidden 0ms]
GET http://192.168.1.3/webserver/css/button.css [HTTP/1.1 403 Forbidden 0ms]
GET http://192.168.1.3/webserver/css/button2.css [HTTP/1.1 403 Forbidden 0ms]
GET http://192.168.1.3/webserver/js/resolutionfinder.js [HTTP/1.1 403 Forbidden 0ms]
GET http://192.168.1.3/webserver/js/changeInputValue.js [HTTP/1.1 403 Forbidden 0ms]
GET http://192.168.1.3/webserver/js/ajaxcalls.js [HTTP/1.1 403 Forbidden 0ms]
GET http://192.168.1.3/webserver/js/ajaxcalls.js [HTTP/1.1 403 Forbidden 0ms]
GET http://192.168.1.3/webserver/images/logo.jpg [HTTP/1.1 403 Forbidden 0ms]
Someone told me that i have to check the .htaccess file to make sure i allow access to the css,js and images subdirectories but i'm actually new in ubuntu and i'm a bit confused about it. I use apache2 if that helps. thank you for your time.
If i write ps -ef | grep apache on terminal the outcome is this
root 1058 1 0 20:30 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 1067 1058 0 20:30 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 1068 1058 0 20:30 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 1070 1058 0 20:30 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 1072 1058 0 20:30 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 2431 1058 0 20:33 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 2432 1058 0 20:33 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 2433 1058 0 20:33 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 2464 1058 0 20:35 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 2465 1058 0 20:35 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 2466 1058 0 20:35 ? 00:00:00 /usr/sbin/apache2 -k start
manos 2541 2485 0 20:36 pts/3 00:00:00 grep --color=auto apache
Also if i do cd cd /var/www and then ls -la
the outcome is this
total 12
drwxr-xr-x 3 root root 4096 Sep 21 23:16 .
drwxr-xr-x 14 root root 4096 Sep 23 13:04 ..
drwxr-xr-x 8 root root 4096 Sep 23 20:35 webserver
This could be caused by wrong file permissions
As what user is Apache running?
You can check it with (in the terminal):
ps -ef | grep apache (could also be running as 'httpd')
It might not have access to read/write the files of your project.
Check the file permissions in the
cd /var/www (or what directory you have)
ls -la
As Paul said the permissions in the root folder (/var/www) where wrong with this command everything is ok.
sudo chmod -R ugo+rw /var/www
explanation of command:
The breakdown of permissions looks like this:
u – user
g – group
o – other
The 'other' entry is the dangerous one, as it effectively gives everyone permission for the folder/file. The permissions you can give to a file or folder are:
r – read
w – write
x – execute
Using the -R switch is important. If you have a number of sub-folders and files within the SHARE directory, and you want the permissions to apply from the parent object (the containing folder) to the child objects (the sub-folders and files), you must use the -R (recursive) switch so the same permissions are applied all the way to the deepest folder, contained within the parent.
I have a working MVC framework using codeigniter. The codebase is located in /var/www/project,
where project follows the same structure as codeigniter. I have placed a info.php file under /var/www/project, which is the basic phpinfo() script. On typing
http://localhost/project/info.php
the page displays the information as it should.
My config.php under /var/www/project/application/config has been configured so that the [base_url] is : http://localhost/project
The 'project' is trying to connect to database : 'development' and the database.php has been configured properly ( afaik). On enabling the debug mode in database.php, it doesnt throw any error which makes me think that there is no issue as far as accessing the database is conerned( Though I can be wrong).
Also doing a ' ps aux | grep apache' shows:
root 14892 0.0 0.1 215404 9668 ? Ss 17:25 0:00 /usr/sbin/apache2 -k start
www-data 14896 0.0 0.2 223404 17324 ? S 17:25 0:00 /usr/sbin/apache2 -k start
www-data 14897 0.0 0.1 215896 7636 ? S 17:25 0:00 /usr/sbin/apache2 -k start
www-data 14898 0.0 0.1 218964 11460 ? S 17:25 0:00 /usr/sbin/apache2 -k start
www-data 14899 0.0 0.1 218956 11300 ? S 17:25 0:00 /usr/sbin/apache2 -k start
www-data 14901 0.0 0.1 216020 7680 ? S 17:25 0:00 /usr/sbin/apache2 -k start
www-data 14902 0.0 0.2 220268 13632 ? S 17:25 0:00 /usr/sbin/apache2 -k start
www-data 14903 0.0 0.1 216412 8988 ? S 17:25 0:00 /usr/sbin/apache2 -k start
www-data 14904 0.0 0.2 219756 13268 ? S 17:25 0:00 /usr/sbin/apache2 -k start
www-data 14905 0.0 0.2 223396 16840 ? S 17:25 0:00 /usr/sbin/apache2 -k start
www-data 15161 0.0 0.1 216008 7588 ? S 17:49 0:00 /usr/sbin/apache2 -k start
root 16184 0.0 0.0 7640 928 pts/1 S+ 18:55 0:00 grep --color=auto apache
Usually if apache is not given the root privilege, this sort of issue might occur, but here the privilege is root. I am not sure where am I messing up the configuration part.
Any suggestion will be appreciated.
Set:
$config['base_url'] = '';
And let us know if it changes anything in the output.
Also, if you're using cookies, set the $config['cookie_path'] = "/project";
I'm trying to write a script to create virtual host vor apache (CentOS 6.4 on AWS)
I tried on simple write:
$result = file_put_contents( '/etc/httpd/conf/vhosts/test.conf', 'teststring');
var_dump($result);
This is my permission and owner infomation:
-rw-r--r--. 1 apache apache 34445 Jan 16 11:08 httpd.conf
-rw-r--r--. 1 apache apache 13139 Aug 13 17:30 magic
drwxrwxrwx. 2 apache apache 4096 Jan 17 04:29 vhosts
But I still got this mesasge:
Warning: file_put_contents(/etc/httpd/conf/vhosts/test.conf): failed to open stream: Permission denied in /var/www/server-control/src/test.php on line 8 bool(false)
checking user by ps aux|grep httpd:
root 9804 0.0 0.0 246372 8712 ? Ss 03:57 0:00 /usr/sbin/httpd
apache 9808 0.0 0.0 247024 7972 ? S 03:57 0:00 /usr/sbin/httpd
apache 9809 0.0 0.0 248304 8644 ? S 03:57 0:00 /usr/sbin/httpd
apache 9810 0.0 0.0 247536 7872 ? S 03:57 0:00 /usr/sbin/httpd
apache 9811 0.0 0.0 247536 8020 ? S 03:57 0:00 /usr/sbin/httpd
apache 9812 0.0 0.0 247536 7876 ? S 03:57 0:00 /usr/sbin/httpd
apache 9813 0.0 0.0 247536 7948 ? S 03:57 0:00 /usr/sbin/httpd
Please help!! Some server I can write to that folder by just change owner to apache but this one is not.
I've Resolved this problem. Run ls -laZ and this is difference:
My local:
[root#localhost conf]# ls -laZ
drwxr-xr-x apache apache ? .
drwxr-xr-x apache apache ? ..
-rw-r--r-- apache apache ? httpd.conf
-rw-r--r-- apache apache ? magic
-rw-r--r-- apache apache ? ssl.crt
-rw-r--r-- apache apache ? ssl.key
drwxrwxrwx apache apache ? vhosts
EC2 Server:
[root#ip-172-31-0-37 conf]# ls -laZ
drwxr-xr-x. apache apache system_u:object_r:httpd_config_t:s0 .
drwxr-xr-x. apache apache system_u:object_r:httpd_config_t:s0 ..
-rw-r--r--. apache apache system_u:object_r:httpd_config_t:s0 httpd.conf
-rw-r--r--. apache apache system_u:object_r:httpd_config_t:s0 magic
drwxrwxrwx. apache apache unconfined_u:object_r:httpd_config_t:s0 vhosts
That mean EC2 Server is under SELinux permission context
To resolve problem, I ran chcon -R --type=httpd_sys_content_t vhosts and ls -laZ again:
[root#ip-172-31-0-37 conf]# ls -laZ
drwxr-xr-x. apache apache system_u:object_r:httpd_config_t:s0 .
drwxr-xr-x. apache apache system_u:object_r:httpd_config_t:s0 ..
-rw-r--r--. apache apache system_u:object_r:httpd_config_t:s0 httpd.conf
-rw-r--r--. apache apache system_u:object_r:httpd_config_t:s0 magic
drwxrwxrwx. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 vhosts
Difference is httpd_sys_content_t context on vhosts directory
Now apache can write to /etc/httpd/conf/vhosts
Please correct me if I did/understand anything wrong.