I'm trying to create XML sitemaps for my website from my PHP application. The idea is to either create a new file or overwrite an existing file. When I call fopen, I get the following error:
[function.fopen]: failed to open stream: Permission denied
I'm trying to write to the webroot and its permissions are: 755. This means that the owner has write permission, right? What do I need to do to make my script be able to write to this folder? 777 would be a bad thing, right? Can I run my script as owner somehow?
Thanks.
Yep, as you've said, using 777 could be huge mistake. The webserver doesn't run with the same user as you use to create files and folders.
You have some options:
Run the sitemap creation as a cronjob, using an user with rights to write there, other than the apache user.
Put the sitemap in another directory, and the set up a 302 Redirect or a symlink. In this case, if you have a security issue that let's someone to write your sitemap.xml, at least they'll not be able to create another file with a more dangerous extensions (like PHP, which may result in a site intrusion).
Make a rewrite rule to redirect any hit to sitemap.xml, to a php script that outputs the appropriate XML.
Good luck!
I'm a beginner and I had this problem as well. I am using Ubuntu linux w/ php and apache
Write a php script w/ the following: <?php exec('whoami'); ?> and run it on your server. This tells you who the current user of the script is
SSH to your server.
Make a group that has read and write access to the files you need.
Make group have read, write, and execute on folders you need.
Make the current user you found in the first step, part of the group that has access to the files you need.
Restart Apache: sudo apachectl restart
main commands you need are:
groupadd: Create a new group
usermod: add your user to a new group
chgrp: changes files / folders to group you specify
chmod: changes permissions on the files / folders you specify.
All the commands you need are here: http://www.yolinux.com/TUTORIALS/LinuxTutorialManagingGroups.html
If you have ACL enabled on the webroot partition just grant the web server username full rights
setfacl -m u:apache:rwx /var/www/html
Replace apache with the web server username and /var/www/html with your webroot location.
had the same problem
Looks like apache is running as nobody in the nobody group
so if you do a
useradd -G nobody youruser
chown -R youruser:nobody .
Then change the permission to 0775
chmod -R 0775 .
or you may add nobody to your usergroup
useradd -G nobody yourgroup
this be a better solution
Does it work with group write enabled (i.e. 775)?
Check your group permissions for the directory the file is in. As long as your PHP user (usually www-data) is part of that group, and it's the only user, you should be fine with 775 (or even 774).
Like Pascal said!
just find your apache user
<?php exec'whoami'; ?>
and then
useradd -G username username2
chown -R username:username2 .
chmod -R 0775 .
And its done!
Thank you Pascal!
777 is pretty normal, because PHP does not run as you, it runs as a PHP user, Apache, etc. The fact is, your webhost should have a higher set of permissions that prevents other users from writing/deleting your files.
Related
I want the user to be able to read and edit files in the test folder, these files are always created by a software with read-only properties.
I can't use the chown command manually, so I need a chown command that can work in PHP before the user's read and write commands automatically.
Manual ok:
root#vultr: chown -R nginx /var/www/html/test //run ok, All files in the test folder can be read and written
root#vultr:~# /var/www/html/test/test.sh //run ok, the test.sh file contains the "chown -R nginx command /var/www/html/test"
My php code but not working
shell_exec('./test.sh');
chown('file_webuser', 'nginx');
The chown (change owner) won't work for non-root user. What you really need to do is to grant the user (I assume it's a nginx) full permissions to files.
It can be achieved in few ways. The most secure way is to run PHP (I'm guessing PHP is running as a PHP-FPM) as a nginx user by editing params user and group in your php-fpm.conf file and restarting the PHP service.
In such case, the owner of files will be the same, so no file permission manipulation is needed. You'll need to change ownership of all files generated/uploaded by PHP to nginx once (using root user and chown command).
The second solution is to add the user who's running PHP-FPM to the same group as the nginx user and modify umask so the files are accessible to a group. Let's say that the group would be www-data (you have to add nginx user and the PHP-FPM process owner to that group, for example with usermod command, and edit your php-fpm.conf: set group to www-data). Then in your PHP scripts use umask function to allow all members of group to have full access to files: umask(0007);.
The third, least secure way is to give full access to your files for all users in the system. Use umask function in your PHP file to achieve this: umask(0000);
this is because the root user probably has privileges to manipulate these files created by Nginx or etc.
if PHP is not the owner of that files you can put it on the authorized group that they have desired access to.
Use the exec() in PHP so your code will look like:
exec("chown -R nginx /var/www/html/test");
I'm trying to use PHP to create a file, but it isn't working. I am assuming this is because it doesn't have write access (it's always been the problem before). I tried to test if this was the problem by making the folder chmod 0777, but that just ended up making every script in that directory return a 500 error message until I changed it back.
How do I give PHP write access to my file system so it can a create a file?
Edit: It is hosted on Hostgator shared hosting using Apache.
Edit 2: Someone asked for the code:
The code is a GD image script. I know the rest of it works as previously I was creating the image every ime it was called. Now I am trying to create them when new text is added and save them to a folder. The write line I have is:
imagejpeg(null,$file,85);
I also created a test file to check if it was just a broken script (mainly copied from tizag):
http://gearboxshow.info/rkr/lesig.jpg/testfile.txt (I don't know if/how to post the code here properly. Here is the contents of the PHP script, minus PHP tags.)
It returns 13,13,1 (separate lines), so it looks as if it thinks it wrote something, but the testfile.txt is blank (I uploaded a blank one), or non-existent (if I delete it).
Edit 3: The server runs CentOS.
An easy way is to let PHP create the directory itself in the first place.
<?php
$dir = 'myDir';
// create new directory with 744 permissions if it does not exist yet
// owner will be the user/group the PHP script is run under
if ( !file_exists($dir) ) {
mkdir ($dir, 0744);
}
file_put_contents ($dir.'/test.txt', 'Hello File');
This saves you the hassle with permissions.
Simple 3-Step Solution
Abstract: You need to set the owner of the directory to the user that PHP uses (web server user).
Step 1: Determine PHP User
Create a PHP file containing the following:
<?php echo `whoami`; ?>
Upload it to your web server. The output should be similar to the following:
www-data
Therefore, the PHP user is www-data.
Step 2: Determine Owner of Directory
Next, check the details of the web directory via the command line:
ls -dl /var/www/example.com/public_html/example-folder
The result should be similar to the following:
drwxrwxr-x 2 exampleuser1 exampleuser2 4096 Mar 29 16:34 example-folder
Therefore, the owner of the directory is exampleuser1.
Step 3: Change Directory Owner to PHP User
Afterwards, change the owner of the web directory to the PHP user:
sudo chown -R www-data /var/www/example.com/public_html/example-folder
Verify that the owner of the web directory has been changed:
ls -dl /var/www/example.com/public_html/example-folder
The result should be similar to the following:
drwxrwxr-x 2 www-data exampleuser2 4096 Mar 29 16:34 example-folder
Therefore, the owner of example-folder has successfully been changed to the PHP user: www-data.
Done! PHP should now be able to write to the directory.
Set the owner of the directory to the user running apache. Often nobody on linux
chown nobody:nobody <dirname>
This way your folder will not be world writable, but still writable for apache :)
1st Figure out which user is owning httpd process using the following command
ps aux | grep httpd
you will get a several line response like this:
phpuser 17121 0.0 0.2 414060 7928 ? SN 03:49 0:00 /usr/sbin/httpd
Here 1st column shows the user name. So now you know the user who is trying to write files, which is in this case phpuser
You can now go ahead and set the permission for directory where your php script is trying to write something:
sudo chown phpuser:phpuser PhpCanWriteHere
sudo chmod 755 PhpCanWriteHere
You can change the permissions of a folder with PHP's chmod(). More information on how to use the command is here: http://php.net/manual/en/function.chmod.php
If you get a 500 Error when setting the permissions to 777 (world writable), then it means your server is setup to prevent executing such files. This is done for security reasons. In that case, you will want to use 755 as the highest permissions on a file.
If there is an error_log file that is generated in the folder where you are executing the PHP document, you will want to view the last few entries. This will give you an idea where the script is failing.
For help with PHP file manipulation, I use http://www.tizag.com/phpT/filewrite.php as a resource.
I found out that with HostGator you have to set files to CMOD 644 and Folders to 755. Since I did this based on their tech support it works with HostGator
I had the same problem:
As I was reluctant to give 0777 to my php directory, I create a tmp directory with rights 0777, where I create the files I need to write to.
My php directory continue to be protected. If somebody hackes the tmp directory, the site continue to work as usual.
You can set selinux to permissive in order to analyze.
# setenforce 0
Selinux will log but permit acesses. So you can check the /var/log/audit/audit.log for details. Maybe you will need change selinux context. Fot this, you will use chcon command. If you need, show us your audit.log to more detailed answer.
Don't forget to enable selinux after you solved the problem. It better keep selinux enforced.
# setenforce 1
Best way in giving write access to a directory..
$dst = "path/to/directory";
mkdir($dst);
chown($dst, "ownername");
chgrp($dst, "groupname");
exec ("find ".$dst." -type d -exec chmod 0777 {} +");
chmod does not allow you to set ownership of a file. To set the ownership of the file you must use the chown command.
I'm running Ubuntu, and as said above nobody:nobody does not work on Ubuntu. You get the error:
chown: invalid group: 'nobody:nobody'
Instead you should use the 'nogroup', like:
chown nobody:nogroup <dirname>
Tiny little hint!
echo whoami;
make sure you use BACK QUOTES
NOT
single quotes ' '
!
(of course now the back quotes don't show up in this editor! oh well, I tried!)
So I have a PHP file located in /var/www/html/test.php and I have it run the code shell_exec('touch /home/pi/Desktop/test_file')
However, the webpage displays fine but when I check the apache log files, I always get permission denied. I understand that apache is running as www-data user and my main user pi probably have some permission clash (I'm new to this stuff).
I tried many options I found on-line, the most promising was here, which suggested I run the commands:
sudo chown -R pi:www-data /home/pi/Desktop
sudo chmod -R g+s /home/pi/Desktop
...but I still get permission denied. Can anyone please suggest what permissions I may need to still configure? I want to ensure security, but at the same time need my PHP file to be able to create new files. I used the Desktop as an example directory, but really I don't care which directory, I just need a directory. I tried touching a file within /var/www/html, but that was permission denied as well. Thanks!
if your apache process is running as www-data, and the file ownership is pi:www-data, you probably need to run this chmod:
sudo chmod -R g+w /home/pi/Dekstop
First, setting the group as www-data won't matter if the files are not group writable. Mode 755 will ensure apache can read the files, but the www-data user would still not be able to write.
Secondly, using "g+w" adds group write without messing with any of the other bits. [644 becomes 664, and 755 becomes 775)]. This way you can safely adjust permissions recursively, without making files executable that shouldn't be.
Incidentally, sudo chmod g+s ... is probably not what you want. That will instead set the sgid bit, and not the group write bit.
First of all, why the heck are you using shell_exec to create a file? PHP has it's own touch() function that will do that for you. You can also create files just by opening a nonexistent file using certain modes (ie, fopen("myfile", "w"))
Using exec to create your files is surely messing with your permissions.
You need to find out which user PHP is running as and chown to that user. You can find that out by running get_current_user().
Then you need to change the permissions with chmod. There's an example in the comments so I won't repeat it. Good luck. Stop using shell_exec.
I am using nginx with an install of Wordpress; I was trying to come up with a way to store user uploads beyond the web root and use a php script to serve them when needed.
I am positive I will need to log in as root on the server to accomplish the right settings; but I do not know the right way to set permissions for nginx to allow a php script to write to the folder and access it's contents.
My path to the web root looks like this:
/var/www/vhosts/mydomain.com/httpdocs
So I wanted to create a folder here ( I am guessing ):
/var/www/vhosts/mydomain.com/new_folder
I have not logged in to the server as the root user before, but I have found a few lines of commands that may be relevant. I do not know which applies to my situation.
mkdir /var/www/vhosts/mydomain.com/new_folder
chmod 755 /var/www/vhosts/mydomain.com/new_folder
Will this work for a server running nginx? or do I need something like this?
mkdir -p /var/www/vhosts/mydomain.com/new_folder
sudo chmod -R 0755 /var/www/vhosts/mydomain.com/new_folder
I think that the sudo command deals with permission on folders that were supposed to only be accessed by the root user.
I am having a hard time researching this as I do not understand which context to use these commands. I still do not know how to set the permission of a folder so a php script can read and write to that directory.
I could really use a nudge in the right direction, as I am terrified in trying to just start blindly entering commands on the server logged in as root.
I'm not a nginx expert, I'm used to apache, but my guess is all you need to do is make sure the user that nginx is running under has write permission to a folder. In order for this command to word:
mkdir /var/www/vhosts/mydomain.com/new_folder
You need to make sure you are logged in as a user that has write access to /var/www/vhosts/mydomain.com/. If your normal user doesn't have the permission that is where sudo comes in. sudo basically means run this command as root. It should also ask you for your root password when this is done. You can add sudo in front of any of the commands listed above or below if you don't have sufficient permission to do something.
This command is creating a new directory/folder mkdir = make directory. This command:
chmod 755 /var/www/vhosts/mydomain.com/new_folder
Is changing the permissions on that folder you just created. You can do some research and see what 755 stands for. More importantly though you will probably need to use the chown command to give ownership of the directory to the nginx user. As I said I'm not a nginx user so I don't know what the standard username is, but for apache it would look something like this:
chown www-data:www-data /var/www/vhosts/mydomain.com/new_folder
I'm trying to use PHP to create a file, but it isn't working. I am assuming this is because it doesn't have write access (it's always been the problem before). I tried to test if this was the problem by making the folder chmod 0777, but that just ended up making every script in that directory return a 500 error message until I changed it back.
How do I give PHP write access to my file system so it can a create a file?
Edit: It is hosted on Hostgator shared hosting using Apache.
Edit 2: Someone asked for the code:
The code is a GD image script. I know the rest of it works as previously I was creating the image every ime it was called. Now I am trying to create them when new text is added and save them to a folder. The write line I have is:
imagejpeg(null,$file,85);
I also created a test file to check if it was just a broken script (mainly copied from tizag):
http://gearboxshow.info/rkr/lesig.jpg/testfile.txt (I don't know if/how to post the code here properly. Here is the contents of the PHP script, minus PHP tags.)
It returns 13,13,1 (separate lines), so it looks as if it thinks it wrote something, but the testfile.txt is blank (I uploaded a blank one), or non-existent (if I delete it).
Edit 3: The server runs CentOS.
An easy way is to let PHP create the directory itself in the first place.
<?php
$dir = 'myDir';
// create new directory with 744 permissions if it does not exist yet
// owner will be the user/group the PHP script is run under
if ( !file_exists($dir) ) {
mkdir ($dir, 0744);
}
file_put_contents ($dir.'/test.txt', 'Hello File');
This saves you the hassle with permissions.
Simple 3-Step Solution
Abstract: You need to set the owner of the directory to the user that PHP uses (web server user).
Step 1: Determine PHP User
Create a PHP file containing the following:
<?php echo `whoami`; ?>
Upload it to your web server. The output should be similar to the following:
www-data
Therefore, the PHP user is www-data.
Step 2: Determine Owner of Directory
Next, check the details of the web directory via the command line:
ls -dl /var/www/example.com/public_html/example-folder
The result should be similar to the following:
drwxrwxr-x 2 exampleuser1 exampleuser2 4096 Mar 29 16:34 example-folder
Therefore, the owner of the directory is exampleuser1.
Step 3: Change Directory Owner to PHP User
Afterwards, change the owner of the web directory to the PHP user:
sudo chown -R www-data /var/www/example.com/public_html/example-folder
Verify that the owner of the web directory has been changed:
ls -dl /var/www/example.com/public_html/example-folder
The result should be similar to the following:
drwxrwxr-x 2 www-data exampleuser2 4096 Mar 29 16:34 example-folder
Therefore, the owner of example-folder has successfully been changed to the PHP user: www-data.
Done! PHP should now be able to write to the directory.
Set the owner of the directory to the user running apache. Often nobody on linux
chown nobody:nobody <dirname>
This way your folder will not be world writable, but still writable for apache :)
1st Figure out which user is owning httpd process using the following command
ps aux | grep httpd
you will get a several line response like this:
phpuser 17121 0.0 0.2 414060 7928 ? SN 03:49 0:00 /usr/sbin/httpd
Here 1st column shows the user name. So now you know the user who is trying to write files, which is in this case phpuser
You can now go ahead and set the permission for directory where your php script is trying to write something:
sudo chown phpuser:phpuser PhpCanWriteHere
sudo chmod 755 PhpCanWriteHere
You can change the permissions of a folder with PHP's chmod(). More information on how to use the command is here: http://php.net/manual/en/function.chmod.php
If you get a 500 Error when setting the permissions to 777 (world writable), then it means your server is setup to prevent executing such files. This is done for security reasons. In that case, you will want to use 755 as the highest permissions on a file.
If there is an error_log file that is generated in the folder where you are executing the PHP document, you will want to view the last few entries. This will give you an idea where the script is failing.
For help with PHP file manipulation, I use http://www.tizag.com/phpT/filewrite.php as a resource.
I found out that with HostGator you have to set files to CMOD 644 and Folders to 755. Since I did this based on their tech support it works with HostGator
I had the same problem:
As I was reluctant to give 0777 to my php directory, I create a tmp directory with rights 0777, where I create the files I need to write to.
My php directory continue to be protected. If somebody hackes the tmp directory, the site continue to work as usual.
You can set selinux to permissive in order to analyze.
# setenforce 0
Selinux will log but permit acesses. So you can check the /var/log/audit/audit.log for details. Maybe you will need change selinux context. Fot this, you will use chcon command. If you need, show us your audit.log to more detailed answer.
Don't forget to enable selinux after you solved the problem. It better keep selinux enforced.
# setenforce 1
Best way in giving write access to a directory..
$dst = "path/to/directory";
mkdir($dst);
chown($dst, "ownername");
chgrp($dst, "groupname");
exec ("find ".$dst." -type d -exec chmod 0777 {} +");
chmod does not allow you to set ownership of a file. To set the ownership of the file you must use the chown command.
I'm running Ubuntu, and as said above nobody:nobody does not work on Ubuntu. You get the error:
chown: invalid group: 'nobody:nobody'
Instead you should use the 'nogroup', like:
chown nobody:nogroup <dirname>
Tiny little hint!
echo whoami;
make sure you use BACK QUOTES
NOT
single quotes ' '
!
(of course now the back quotes don't show up in this editor! oh well, I tried!)