I'm doing some analysis on user keystroke patterns for a biometrics-related prototype that I'm building. I'm having an issue where I pass variables via POST to another webpage, and that webpage calls a script that writes to the local server in a directory based on the data that's passed to it.
My prototype is simple: the user types some data into a text form, the keystrokes are collected, the user clicks submit at the end of the task, and that data is sent off to the server to be analyzed. However, PHP refuses to write to the directory specified via the web. If I go into the command-line PHP, it works. I even tried changing POST to GET in insertData, and passing in the data manually.
Here are a few things I think could be wrong:
My AJAX is wrong. It worked locally, but doesn't work on the web. However, I could have inadvertently changed something, and that's the source of this issue.
My file permissions for apache are incorrect. It's odd, though, because Apache owns the folder/file in question. SELinux is disabled, so that's one thing off of the list. I even tried chmod 777 on the folders in question, to no avail.
There's a directive in httpd.conf that I'm missing, and apache is just not allowing web writes.
Server information:
CentOS 5
Apache2.2
PHP 5.3.6
Here is the source code for clarification. Assume all site names et al are correct.
http://jyaworski.pastebin.us/2799
GatherData.php
http://jyaworski.pastebin.us/2800
GatherData.js
htt://jyaworski.pastebin.us/2801 //sorry. SO won't let newbies post more than 2 links. Add a "p" to http
InsertData.php
Thank you in advance; this issue has been plaguing me for some time.
Apache probably doesn't have write permissions on ".". Try putting it in /tmp and see if that fixes your problem. If so leave it there or add write permissions for apache in the directory you're trying to save the data to.
$dir = '/tmp/userdata/'.$id.'/';
Related
I know this is a security threat and is bad from a security aspect alltogether, but for a specific reason, i need this to work. I have a program running on Ubuntu 16.04. Let's say for this example, that it's a DNS server or whatever.
What i'm trying to do, is edit the DNS server configuration file, located in /etc/xxx from a web page, which is using PHP fopen, fwrite and fclose. Because you can't access a file directly located in /etc/xxx/somecfg.cfg anyways, since it doesn't have www-data permissions, i've tried linking it to /var/www/html, both soft and hard linking it. When i create a hard link, it changes the original cfg file too if i edit it by hand, but as soon as i edit it via PHP, only the hard-link file changes, but not the original file.
I've been trying to fix this during the weekend but i can't seem to be able to do it.
Does anyone have an idea on how i would go about fixing this? I'm open to other ideas too. The main goal is to edit a package configuration file from within a web page.
TL;DR: I'm trying to edit a config file in /etc/xxx from /var/www/html/someaction.php and doing it directly doesn't work (obviously), but hard links and soft links are acting weird - the links' content changes, but the original cfg file doesn't.
Thanks!
The issue was that i accidentally put unlink at the beginning of the code and the hard link was deleted, so i basically made a new file each time i wrote to it.
It's fixed now.
I'm trying to get a file's content into a variable but I don't get anything when I read the file. I used both methods JFile::read() and file_get_contents() but both return the same thing: a blank string, not an error , not any boolean values or anything.
I want to mention that I'm working on a Linux machine (just for 2 days) and recently I changed the permissions for the entire machine to 777 ( I don't know if this affects something or not).
Is the a connection between my OS, permissions and the php's file_get_contents()? or Joomla restricts file reading?
Also I want to mention that my file_get_contents() function was added manually by me in the index.php file , also the file I want to read was manually added in the same folder with index.php.
We had the same problem with one of our clients, it turned out it was a firewall issue. It was very hard to debug this issue. I suggest you check with your networking team.
I am assuming, of course, that you have set the PHP error reporting level to the maximum and that you have checked the error logs.
It seemed the problem was from my system . I messed it up when I changed the permissions so I have to re-install it.
Never change the permissions on a Linux for the entire file system.
I'm having a problem with a PHP website running on IIS 7 on Windows Server 2008.
There is one line of code calling mkdir which is erroring and the error log reads:
"... permission denied ..."
I have ruled out anything to do with folder permissions (I have tried multiple groups: Everyone, Users, IUSR, Network Service etc. with no luck).
I need to know how mkdir works, does it check the read-only attribute of the parent folder?
If so, then this could be the root of the problem as all folders in Windows Server 2008 are marked as "Read Only" and the checkbox is greyed-out - Microsoft say it is "by design" but I think it is really "bad design".
Please help.
P.S. The line of code which errors can be found here https://github.com/LimeSurvey/LimeSurvey/blob/070d255ba381d7abcd231d7c9e0c7d11f5578c97/admin/templates.php#L1182 it is line 1182.
SOLUTION:
It was a permissions issue after all!
We were applying permissions to the wrong folder (smacks hand to forehead)
There are two "Templates" folders: /Templates and /Uploads/Templates
/Template is for default templates whereas /Uploads/Templates is for user-created ones
We gave the "Users" group r/w/execute/modify permissions to /Uploads/Templates folder
Whereas previously we were applying permissions to /Templates
To debug this I used echo to output the $target value
LESSONS LEARNT:
Always read the error message - it said "permission denied" and I didn't believe it
Don't assume the obvious to be true - /Templates wasn't the right folder
If the code is erroring then debug the code and don't try to guess the problem
Debug the code using simple techniques such as outputting variable values - e.g. echo
Listen to the majority - most people here were right in saying IT IS A PERMISSIONS ISSUE!
Most errors have a simple fix - don't go looking for something complex
Bounty awarded to #BOMEz because of the useful quote from mkdir() documentation which indicated that I should double-think the permissions. #BOMEz also provided a tailored answer and interacted with me via comments which helped.
As a test (preferably in a development environment) give the IIS user full access to the parent folder. If this makes it work, slowly start taking away privileges to see which ones you need.
Try changing:
if(mkdir($target,0777))
to:
if(mkdir($target))
Windows ignores the mode option. Might be some weird bug causing it to fail.
Additionally for your $target variable could you try forcing it to link to the full Windows path? Such as C:\Program Files\ IIS\...
I've ran into situations with windows before where access was denied attempting to use a relative path, but the full path works just fine.
EDIT:
Looking at the comments on the documentation for mkdir() one commenter mentions that you might also need to add execute permissions to the user:
If you're getting a Permission Denied error, but are certain the
permissions and ownership where you are trying to create the directory
are correct, check again:
The location where you are trying to create the directory in must have
the Execute permission for the owner trying to create it, regardless
of if the folder is Readable, or Writable.
This may be obvious to some, but was not to me at first. Hopefully
this will save you the trouble I went through.
Since you didn't mention a control panel of any sort I'm going to assume you have access to the server either physical or remote desktop. I'm also going to assume you checked your php.ini settings.
That being said, there is a work around for some of these permission problems.
You will need to create an administrator account (and add it to the administrators group) for this site to use or simply use your administrator credentials.
Open the IIS manager
Expand Sites
Highlight the site in question
On the right side of the screen click 'Basic Settings', a dialog box should pop up.
Click the button at the bottom that says 'Connect as...'
Select 'Specific user' and then click the 'Set...' button
Type the user name and password of either your account or the account you created.
Hit 'Ok' button 3 times.
This is a bit of a sledge hammer fix since it will grant full unrestricted access to the file system from your scripts.
If you created a new user and you want to maintain some level of script security then you can try pulling the user out of the administrators group and then giving it full permissions on only that site with the following:
Highlight site
Right-Click, Edit Permissions
Security Tab
Click 'Edit' button
Click 'Add' button
Click 'Advanced' then 'Find Now'
Double click on the user you created
Click 'Ok'
Highlight your user, tick the box under allow that is next to full control
click 'Ok' twice
If asked, select that you want to apply to all directories and files.
~
If your still having issues then there is a good chance your php setup is configured incorrectly or corrupt. (Safe mode turned on maybe?)
Following is the explanation of permissions.
Read
On a File: this means reading content of the files
On a Directory: it means viewing the contents of the directory, namely, being able to use ls or dir
Write
On a File: this means being able to edit content of the files
On a Directory: it means being able to create/modify content of the directory, namely making new files or folders in that directory.
Execute
On a File: this means executing the code from the file (for scripts/executables)
On a Directory: it means, entering the directory. You can not cd into that directory without this permission.
--
So, now that makes it clear the answer to your problem (as you guessed correctly), for making new directory or writing new files into the directory you need write permission on that directory. So for making folders into say C:/your_folder/ you need, write and execute permissions on that folder. (Yes you need execute too, as apparently for mkdir you need to go inside the folder first.)
One of the issues that we run into quite often is that files have been moved from any location to the websites location, maintaining the original permissions instead of inheriting the permission needed by the application pool user of the pool that's beeing used by the website.
So one good thing to try would be to right click your document root folder, go to properties and then the security tab. Press the advanced button, check the checkbox a "Replace permission entries on all child objects with entries shown here that apply to child objects". That way you can atleast be sure all your permissions are set on all subfolders and files.
We nerver had any problems with the read only attribute, even though this is checked for all our folders. (grayed out/checked). So i doubt that is your problemen.
Is it posible,
to modify or edit txt file,
if the file's permission is set as 606 ,
via WEB browser ,
by normal users ?
I mean I make a txt file named "1.txt"
The first original contents of the txt file is "PAX is great man"
and then ,I upload this file to server.
I set the permission of the file as 606.
so the general users can now modify the file.
so anyone become to be able to edit that file
into "PAX eat camel meat" ?
or can not?
If your webserver does not support the PUT or DELETE command (and most webservers don't by default) and you don't provide a script where any user can edit your files from the outside, I see no way a remote user could edit your file. W3.org. Just a short additional note: If only the webserver and a browser are involved in this case, you could even change the rights of this file to 777 and no one should be able to edit your file.
This entirely depends on your webserver, certainly anyone on the local system (who isn't in the group) can write to the file.
'606' means read AND write permissions for the user creating the file and for others. So in effect in enables anyone to edit the file if they are on the same system. Whether they can do it via the Web browser depends on the webserver and its configuration.
Why don't you just set the permissions on it to 604? That way, the file can only be edited by you, even locally!
Jonathan,
Can you please provide more details of your question? By "modifying the file", this could mean too many possibilities. To talk about security and permissions, you have to determine in what way your files are accessed first. By the way you asked your question, I am going to make these assumptions:
(A) You do not own your server.
You cannot make system-wide configuration changes to your server.
(B) Other people can login to use this server.
(This means having access to a command prompt of this server.)
You do not trust these people and do not want them to modify your files.
(C) Your web server is either Apache or Microsoft IIS.
.
By "modifying the file", there are some possibilities:
(1) When you visit the URL, it shows the original content of the file and a "Modify" button.
If you click the "Modify" button, the original content will be shown in a text area and a "Save" button comes out.
After you finish editing, you click "Save" to save the changes.
(2) There is NO editing interface.
The interface is like a "file manager".
You just upload another file with the same name to overwrite / replace the original file.
.
If what you want is (1) above, you have to write a server-side script (eg. PHP, ASP, etc.) (Of course you can use server-side scripts written by other people too!). Make sure your server does support the language (+ dependent libraries) you choose.
If what you want is (2) above, there are many ways to achieve, but I'm afraid a server configuration change must be done:
(1) You can add an FTP server to your server (if you can). Then using Firefox with the FireFTP plugin (or using Internet Explorer, if that is your choice), you can upload / download the file.
(2) You can add / enable the WebDAV module to your web server. Adding "WebDAV" function allows files to be opened / uploaded via HTTP. Microsoft call this "web folder". Linux and Apple call this "WebDAV" (the original name). There shouldn't be a problem to upload your files with Windows Explorer (Windows) / nautilus (Linux - Gnome) / Finder (Max OS X), even they are not browsers.
.
Please provide more information to your question.
Kenji
I've got a really annoying problem with file uploads.
Users can choose a file in an html file field. When they submit the form, this file will be uploaded.
On the serverside I just use standard PHP code (move_uploaded_file). I do nothing weird.
Everything works perfectly.
I can see the file on the server, I can download it again, ...
However sometimes this doesn't work. I upload the file, process it and I get no errors.
But the file just doesn't exist on the server.
Each time I upload that specific file I get no errors but it never gets saved.
Only if I rename it (test.file to tst.file for example) I can upload it and it'll actually get saved.
I get this problem very rarely. And renaming always works. But I can't ask users to rename their files obviously...
I have no access to the apache tmp file directory, no access to logs or settings so this makes debugging even harder. I only have this problem on this particular server (which I don't manage; I don't even have access to it) and I use the exact same code on lots of servers that don't have this problem.
I would be grateful if someone could help me out here or point me in the right direction.
Trying adding this debug code:
echo '<pre>';
print_r($_FILES);
echo '</pre>';
You should see an error number. You can lookup what it means at http://uk3.php.net/manual/en/features.file-upload.errors.php
Might also be worth checking to make sure the destination file doesn't already exist.
My first thought was filesize issues. In the php.ini, if the post_max_size or upload_max_filesize are too small, you can end up with similar results - where the file just seems to disappear. You would get an error in the apache logs (which you mention you've no access to).
In those cases, the $_FILES array would simply be empty - as if the file never arrived. Since your responses to Gumbo and James Hall show that php is reporting a proper upload, I'm led to wonder about the processing you mention.
If, during the process, your memory gets maxed or the script runs too long, the script may be dying out before it gets a chance to move it. You'll want to check these:
memory_limit
max_execution_time
max_input_time
Otherwise, without the apache logs, I'd say it might be a good idea to start outputting to a log file of your own throughout your file processing script. Try a file_exists on the tmp file, see what info you can get from the file (permissions, etc).
Unfortunately PHP doesn't get involved until the upload is finished, which means you won't get much info during - only after the fact. You best option might be to talk to the hosting company and get access to the logs - even if for a short time. In my experience, I've rarely had trouble getting ot the logs - or at least getting a tech to check the logs for me while I run tests (in the case where a shared server doesn't split their logs - seems ridiculous, but I've seen it before).
Edit: I realize you can't change those php settings, but you might want to see what they are in order to find out if they're potential problems for your script. For instance, a low memory limit will kill your processor script if it's less than the size of the uploaded file.
If an upload failes you don’t get the same kind of error like a PHP syntax error or such.
But you can check the file upload status and report the error to the user yourself.
This is what you said...
"I have no access to the apache tmp file directory, no access to logs or settings so this makes debugging even harder. I only have this problem on this particular server (which I don't manage; I don't even have access to it) and I use the exact same code on lots of servers that don't have this problem."
According to what you said above, I assume that you are using a server that is shared among many users. If the Apache of this server is configured with something like "mod_suphp", then your PHP scripts will be executed using the privileges of your UNIX user account ("jef1234", for example), which means the files you create will have you ("jef1234") as the owner (instead of "apache" or "www-data").
The system's temporary directory (usually "/tmp") is usually configured with the "sticky bit" on. This means everyone can create files in this directory, but the created files are only accessible by the owner (you may treat this as the one who created it).
As a result, if the server configuration is not careful enough, you may have file naming collisions with other users' files. For example, when you upload "test.file", if another user has already uploaded another file with the same name, the system refuses to overwrite the file created by him, as thus you have to use another name.
Usually the problem does not exist because PHP is smart enough to generate temporary names for the uploaded file (ie. $_FILES["html_form_input_name"]["tmp_name"]). If somehow you can confirm that this is really the reason, the server is obviously mis-configured. Tell your system administrator the problem as ask him to solve it. If this could not be solved, you may do some JavaScript tricks on the name of the file before it is uploaded (not tested, just an idea)...
★ When the user submits the form, rename the file from, for example, "test.file" to "jef1234-test.file-jef1234". After the file is uploaded, move the file (ie move_uploaded_file()) to another place and rename it to the original filename by removing the added strings.
Hope this helps...
Asuka Kenji