Permission denied despite appropriate permissions using PHP - php

I'm trying to read a file in PHP and I'm getting a permission denied error although everybody has read access to the file.
The PHP code:
$config=file_get_contents('/opt/jenkins/home/config.xml');
The error:
Warning: file_get_contents(/opt/jenkins/home/config.xml): failed to open stream: Permission denied in [...]
The filesystem permission:
There is a symlink pointing /opt/jenkins/home/ to /var/lib/jenkins and everybody has read permission on the symlink, actual folder, and file.
$ ls -lh /opt/jenkins/
lrwxrwxrwx 1 sysadmin sysadmin 16 2011-08-04 08:12 home -> /var/lib/jenkins
$ ls -lh /var/lib/ | grep jenkins
drwxr-xr-- 6 jenkins adm 4.0K 2011-08-04 10:04 jenkins
$ ls -lh /var/lib/jenkins/config.xml
-rwxr-xr-- 1 jenkins adm 3.9K 2011-08-04 10:05 /var/lib/jenkins/config.xml
Apache configuration
Configured to folllow symlinks (Options All). Adding a Directory directive for /var/lib/jenkins/ makes no difference.
<Directory /opt/jenkins/home/>
Options All
AllowOverride All
Order Allow,Deny
Allow from All
</Directory>
Additional info
Whether I use the path through the symlink ("/opt/jenkins/home/config.xml") or the real path ("/var/lib/jenkins/config.xml") I have the same problem.
apache2 version=2.2.14-5ubuntu8.4
php version=5.3.2-1ubuntu4.9
Any idea as to why I'm getting the error?

Your directory needs execute permission for this to work. It does not seem to have world execute, and since jenkins is probably not the apache user, and the apache user is not in the adm group, it wouldn't work:
$ ls -lh /var/lib/ | grep jenkins
drwxr-xr-- 6 jenkins adm 4.0K 2011-08-04 10:04 jenkins
Per example:
netcoder#netcoder:~$ mkdir foo
netcoder#netcoder:~$ echo hello > foo/bar
netcoder#netcoder:~$ chmod 777 foo/bar
netcoder#netcoder:~$ ls -lsah foo/bar
4.0K -rwxrwxrwx 1 netcoder netcoder 6 2011-08-04 08:22 foo/bar
netcoder#netcoder:~$ chmod 444 foo/
netcoder#netcoder:~$ ls -lsah | grep foo
4.0K dr--r--r-- 2 netcoder netcoder 4.0K 2011-08-04 08:22 foo
netcoder#netcoder:~$ cat foo/bar
cat: foo/bar: Permission denied
Even though foo/bar has 0777 permission, if the directory does not have the execute permission, reading its contents is denied.
You'll need the permission to be set for both the target directory and the symbolic link.

You need the execute bit set on all directories in the hierarchy up to that file.
chmod o+x /var/lib/jenkins
should do the trick.
(Note: ls -lhd /var/lib/jenkins is a bit better than ls -lh ...|grep jenkins)

Lots of modern boxes (digital ocean, rackspace etc) ship with SELinux (Security Enhanced Linux) for RedHat compatible OSs (like CentOS). This throws another wrench into the works which you need to keep in mind. You can have your permissions perfectly set and it will still say permission denied. You need to define a writable context for SELinux:
sudo chcon -t httpd_sys_rw_content_t /data/www/html/sites/mysite -R

Most likely your apache user is not allowed to read or access the web files
Check what user is apache running as:
$ ps aux | grep [a]pache
root 40283 0.0 0.2 472548 21116 ? Ss 14:38 0:00 /usr/sbin/apache2 -k start
www-data 40287 0.0 0.1 472760 8800 ? S 14:38 0:00 /usr/sbin/apache2 -k start
www-data 40288 0.0 0.1 472760 8540 ? S 14:38 0:00 /usr/sbin/apache2 -k start
www-data 40289 0.0 0.1 472776 8540 ? S 14:38 0:00 /usr/sbin/apache2 -k start
Check the path ownership of your web files:
$ namei -mol /home/john/app2/
f: /home/john/app2/
drwxr-xr-x root root /
drwxr-xr-x root root home
drwx------ john john john # <== Ahaa, no access for apache user!
drwxr-xr-x john john john app2
Adjust permissions accordingly:
Well in this step I will leave it up to you, you can either (a) the make apache user 'john' in this example. Or you could (b) move the web folder to a place outside home. Where the execute access can be given to the group or to even others without breaking security good practices.
a. Make apache user john (ONLY FOR DEV SITES or if you know what you are doing)
sudo vi /etc/apache2/envars
# replace
export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data
# with
export APACHE_RUN_USER=john
export APACHE_RUN_GROUP=john
b. Move that folder out of home... what is it doing there anyways?
sudo mv /home/john/app2 /var/www/
Remember to change the site to match this directory and to restart the apache server.
Here are some references:
https://wiki.apache.org/httpd/13PermissionDenied
http://wiki.apache.org/httpd/FileSystemPermissions

Related

Self hosting apache permissions trouble

I am trying to self host a PHP script called sngine. (facebook clone)
When trying to install it I get an error:
config.php - Required includes folder to be writable for the installation
when I run ls -l I get this: drwxrwxrwx 5 mbeck mbeck 4096 Aug 25 23:00 includes
I don't know why it is saying that it's not writable.
The script is in var/www/{domain name}/
I am on Apache/2.4.41 (Ubuntu) and PHP version: 7.4.22
EDIT:
I found someone saying to run chown www-data:www-data <directory> So I did, and permissions now return drwxrwxrwx 5 www-data www-data 4096 Aug 25 23:00 includes and the error is still there.
Ok, I found it!
I had to run sudo chown -R www-data /var/www/example.com/mydomain/includes/
Now it works!

How to reflect host permission in the container docker?

I know that it is impossible to change the permissions of a file shared via volume, because a matter of default, and from what I understand, the permissions of the docker container, reflect the permissions of the host, however, this is not happening in my case, the docker simply changes permissions on all files to 755, and some files must have specific permissions.
HOST:
Docker Container:
Docker File:
FROM ubuntu:18.04
ARG DEBIAN_FRONTEND=noninteractive
#Updating operating system
RUN apt-get update && apt-get -y upgrade && apt-get -y dist-upgrade
##Installing essential packages
RUN apt-get -y install apt-utils software-properties-common curl bash-completion vim git supervisor
## Add Scripts
ADD ./start.sh /start.sh
EXPOSE 80
STOPSIGNAL SIGTERM
#CMD ["/start.sh"]
ENTRYPOINT echo $XDEBUG_CONFIG >> /etc/php/7.3/fpm/php.ini && service php7.3-fpm start && nginx -g "daemon off;"
docker-compose.yml
volumes:
- ${DOCUMENT_ROOT-./www}:/usr/share/nginx/html
- ${VHOSTS_DIR-./config/nginx/sites-enabled}:/etc/nginx/sites-enabled
- ${PHP_INI-./config/php/php.ini}:/etc/php/7.3/fpm/conf.d/php.ini
- ${LOG_DIR-./logs/nginx}:/var/log/nginx
Your assumption
I know that it is impossible to change the permissions of a file shared via volume
Is only partially correct, there is actually a set of modes — :ro & :rw – you can use when mounting a volume via docker-compose that are described in the documentation:
Standard modes are ro for read-only and rw for read-write (default).
Source: https://docs.docker.com/compose/compose-file/#short-syntax-3
You can also use the :Z and :z modes if your host uses selinux.
If you use selinux you can add the z or Z options to modify the selinux label of the host file or directory being mounted into the container. This affects the file or directory on the host machine itself and can have consequences outside of the scope of Docker.
The z option indicates that the bind mount content is shared among multiple containers.
The Z option indicates that the bind mount content is private and unshared.
Use extreme caution with these options. Bind-mounting a system directory such as /home or /usr with the Z option renders your host machine inoperable and you may need to relabel the host machine files by hand.
Source: https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label
Here is an example, on my host, here are the permissions of my files:
~ # ls -la ro rw
ro:
total 0
drwxr-xr-x 3 ben staff 96 May 23 23:06 .
drwxr-xr-x 9 ben staff 288 May 23 23:16 ..
-rw-r--r-- 1 ben staff 0 May 23 23:06 file
rw:
total 0
drwxr-xr-x 3 ben staff 96 May 23 23:06 .
drwxr-xr-x 9 ben staff 288 May 23 23:16 ..
-rwxr-xr-x 1 ben staff 0 May 23 23:06 file
Then with this docker-compose.yml
version: '3.8'
services:
test:
image: alpine
volumes:
- ./ro:/root/ro:Z
- ./rw:/root/rw:Z
command: sleep 100000000000
Here is the result on the container
~ # ls -la ro rw
ro:
total 4
drwxr-xr-x 3 root root 96 May 23 21:06 .
drwx------ 1 root root 4096 May 23 21:17 ..
-rw-r--r-- 1 root root 0 May 23 21:06 file
rw:
total 4
drwxr-xr-x 3 root root 96 May 23 21:06 .
drwx------ 1 root root 4096 May 23 21:17 ..
-rwxr-xr-x 1 root root 0 May 23 21:06 file

IOError: [Errno 13] Permission denied on RPI3 [duplicate]

I'm trying to read a file in PHP and I'm getting a permission denied error although everybody has read access to the file.
The PHP code:
$config=file_get_contents('/opt/jenkins/home/config.xml');
The error:
Warning: file_get_contents(/opt/jenkins/home/config.xml): failed to open stream: Permission denied in [...]
The filesystem permission:
There is a symlink pointing /opt/jenkins/home/ to /var/lib/jenkins and everybody has read permission on the symlink, actual folder, and file.
$ ls -lh /opt/jenkins/
lrwxrwxrwx 1 sysadmin sysadmin 16 2011-08-04 08:12 home -> /var/lib/jenkins
$ ls -lh /var/lib/ | grep jenkins
drwxr-xr-- 6 jenkins adm 4.0K 2011-08-04 10:04 jenkins
$ ls -lh /var/lib/jenkins/config.xml
-rwxr-xr-- 1 jenkins adm 3.9K 2011-08-04 10:05 /var/lib/jenkins/config.xml
Apache configuration
Configured to folllow symlinks (Options All). Adding a Directory directive for /var/lib/jenkins/ makes no difference.
<Directory /opt/jenkins/home/>
Options All
AllowOverride All
Order Allow,Deny
Allow from All
</Directory>
Additional info
Whether I use the path through the symlink ("/opt/jenkins/home/config.xml") or the real path ("/var/lib/jenkins/config.xml") I have the same problem.
apache2 version=2.2.14-5ubuntu8.4
php version=5.3.2-1ubuntu4.9
Any idea as to why I'm getting the error?
Your directory needs execute permission for this to work. It does not seem to have world execute, and since jenkins is probably not the apache user, and the apache user is not in the adm group, it wouldn't work:
$ ls -lh /var/lib/ | grep jenkins
drwxr-xr-- 6 jenkins adm 4.0K 2011-08-04 10:04 jenkins
Per example:
netcoder#netcoder:~$ mkdir foo
netcoder#netcoder:~$ echo hello > foo/bar
netcoder#netcoder:~$ chmod 777 foo/bar
netcoder#netcoder:~$ ls -lsah foo/bar
4.0K -rwxrwxrwx 1 netcoder netcoder 6 2011-08-04 08:22 foo/bar
netcoder#netcoder:~$ chmod 444 foo/
netcoder#netcoder:~$ ls -lsah | grep foo
4.0K dr--r--r-- 2 netcoder netcoder 4.0K 2011-08-04 08:22 foo
netcoder#netcoder:~$ cat foo/bar
cat: foo/bar: Permission denied
Even though foo/bar has 0777 permission, if the directory does not have the execute permission, reading its contents is denied.
You'll need the permission to be set for both the target directory and the symbolic link.
You need the execute bit set on all directories in the hierarchy up to that file.
chmod o+x /var/lib/jenkins
should do the trick.
(Note: ls -lhd /var/lib/jenkins is a bit better than ls -lh ...|grep jenkins)
Lots of modern boxes (digital ocean, rackspace etc) ship with SELinux (Security Enhanced Linux) for RedHat compatible OSs (like CentOS). This throws another wrench into the works which you need to keep in mind. You can have your permissions perfectly set and it will still say permission denied. You need to define a writable context for SELinux:
sudo chcon -t httpd_sys_rw_content_t /data/www/html/sites/mysite -R
Most likely your apache user is not allowed to read or access the web files
Check what user is apache running as:
$ ps aux | grep [a]pache
root 40283 0.0 0.2 472548 21116 ? Ss 14:38 0:00 /usr/sbin/apache2 -k start
www-data 40287 0.0 0.1 472760 8800 ? S 14:38 0:00 /usr/sbin/apache2 -k start
www-data 40288 0.0 0.1 472760 8540 ? S 14:38 0:00 /usr/sbin/apache2 -k start
www-data 40289 0.0 0.1 472776 8540 ? S 14:38 0:00 /usr/sbin/apache2 -k start
Check the path ownership of your web files:
$ namei -mol /home/john/app2/
f: /home/john/app2/
drwxr-xr-x root root /
drwxr-xr-x root root home
drwx------ john john john # <== Ahaa, no access for apache user!
drwxr-xr-x john john john app2
Adjust permissions accordingly:
Well in this step I will leave it up to you, you can either (a) the make apache user 'john' in this example. Or you could (b) move the web folder to a place outside home. Where the execute access can be given to the group or to even others without breaking security good practices.
a. Make apache user john (ONLY FOR DEV SITES or if you know what you are doing)
sudo vi /etc/apache2/envars
# replace
export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data
# with
export APACHE_RUN_USER=john
export APACHE_RUN_GROUP=john
b. Move that folder out of home... what is it doing there anyways?
sudo mv /home/john/app2 /var/www/
Remember to change the site to match this directory and to restart the apache server.
Here are some references:
https://wiki.apache.org/httpd/13PermissionDenied
http://wiki.apache.org/httpd/FileSystemPermissions

HHVM not starting correctly?

After installing everything on Ubuntu Server 16, my testfile shows that HHVM is not started.
At the same time sudo service hhvm status tells me that the status is active (exited) and that it cannot open /var/log/hhvm/error.log
restarting the server gives no errors but i can not get HHVM completely up and running.
The testfile is a simple if/else PHP file in var/www/html like the following.
<?php
if (defined('HHVM_VERSION')) {
echo 'hhvm is working';
} else {
echo 'hhvm is not working' ;
}
?>
Where does this status come from(i already found it might have something to do with the daemon, but i can start the daemon without issues) and how can i fix it?
I already tried the few solutions that i could find, but without succes. :( I am using HHVM with Apache.
edit in response to #hanshendrik
Thanks, your top command shows the first 2 results being equal to the example. then drwxrwxr-x root syslog log and for hhvm: no such file or directory. So i made the hhvm folder and changed the group to www-data. It has drwxr-xr-x rights and the error.log has -rw-rwxr-- rights. However, the problem is not yet solved. It doesn't give the warnings anymore but still says active(exited)and shows that the HHVM fastcgi Daemon started
Edit, partially solved
My testsite still says HHVM is not working though... :(
probably a permission issue, first run sudo su name-of-account-hhvm-is-started-as-here -s /bin/bash (for example, sudo su www-data -s /bin/bash) then run namei -l /var/log/hhvm/error.log, and the point where it fails should be revealed. for example, the output might be
namei -l /var/log/hhvm/error.log
f: /var/log/hhvm/error.log
drwxr-xr-x root root /
drwxr-xr-x root root var
drwxr-xr-x root root log
drwx------ root www-data hhvm
error.log - No such file or directory
here, because the owner is root, and only the owner has execute permissions on the folder, only the owner (root) can open any files inside it, and the fix would be chmod g+x /var/log/hhvm. or the output might be
drwxr-xr-x root root /
drwxr-xr-x root root var
drwxr-xr-x root root log
drwx--x--- root www-data hhvm
-rw-r--r-- root www-data error.log
here, owner and group has execute permissions on the folder, but only the owner has write access to error.log, and the fix would be chmod g+w /var/log/hhvm/error.log,... good luck

Php Exec external python script - Permission Denied

I can't run command line script from Exec
$exec = exec($command, $output, $return );
I have tried passthru,shell_exec,system but obviously this is not the problem.
sudo chown -R www-data:www-data /root/path/nonce.py
sudo chmo 775 /path/nonce.py
sudo chmo 777 /path/nonce.py
sudo chmo 755 /path/nonce.py
didn't helped
exec("python -V 2>&1");
works
But
/usr/bin/python /root/path/nonce.py
Array ( [0] => /usr/bin/python: can't open file '/root/path/nonce.py': [Errno 13] Permission denied )
dosent
running on nginx and php5-fpm
You need to consider the permissions for each directory on the path to the Python script. This means:
/root
/root/path
/root/path/nonce.py
The permissions for the root account are naturally restricted. If you look a root's home directory:
$ ls -ld /root
dr-xr-x---. 9 root root 4096 Aug 20 23:50 root
You will see that only the root user, and users within group root, can read or list the contents of /root.
It's a bad idea to place your script in root's home. There are more appropriate places such as /var/www/cgi-bin assuming that your script is a CGI script. On my system:
$ ls -ld /var/www
drwxr-xr-x. 4 root root 4096 Jul 17 17:22 /var/www
$ ls -ld /var/www/cgi-bin
drwxr-xr-x. 2 root root 4096 Jul 17 17:22 /var/www/cgi-bin/
which can be read and listed by any user. You should install the script in a directory appropriate for nginx.
one of the directories on the path probably lacks r permisison for the relevant user - most likely /root
can you move the python script to a dir that is world readable?

Categories