I need some help with privileges in CentOS
I have a file in
home/admin/public_html/generate.php
that I want to do some file copying with, using the PHP copy function.
When I set the file to chown admin:admin generate.php I can access the file but I cannot execute the php copy command because I don't have the proper rights.
When I set the file to root:root generate.php I can't access the file because it's under the admin user's folder home/admin/public_html/generate.php
How do I solve this, please? Thankful for any help.
Bottom line is that I want my generate.php which is owned by admin:admin to be able to copy files from sources outside its home dir and to other home dirs
I am using CENTOS
There are a few things you need to determine to make this work:
The userid of the web server process. It's usually httpd or www-data or apache
Does that user have access to read the file you're copying?
Does that user have access to write to the destination?
Assuming that the web server process is running as httpd, you could run chown httpd destination, where destination refers to the file or directory you're trying to copy into.
To access the file that you're copying, the httpd user needs to be able to access all directories leading to the file, which is controlled by the execute bit (x in the ls -l listing, most likely the last character), as well as have read access to the file itself (r in ls -l)
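The directory-by-directory check described in the answer above, as an added example that is not part of the original answer: a shell function that walks a path and names the first component whose mode bits deny a given uid/gid. The names `class_bits` and `first_blocker` are hypothetical, and only classic mode bits are evaluated (no ACLs, SELinux or supplementary groups).

```shell
#!/bin/sh
# Added example. Evaluates classic mode bits only: no ACLs, no SELinux,
# no supplementary groups, and uid 0's bypass is not modelled.
# Requires a stat that supports -c (GNU coreutils or BusyBox).

# class_bits MODE FILE_UID FILE_GID UID GID -> prints the rwx digit (0-7) that applies
class_bits() {
    m=$((0$1))                                   # stat prints octal, e.g. 755 or 2775
    if   [ "$4" -eq "$2" ]; then echo $(( (m >> 6) & 7 ))   # owner class
    elif [ "$5" -eq "$3" ]; then echo $(( (m >> 3) & 7 ))   # group class
    else                         echo $((  m       & 7 ))   # other class
    fi
}

# first_blocker UID GID PATH [r|w]
# Prints the first component of PATH that denies access and returns 1;
# prints nothing and returns 0 when every component passes.
# Relative paths are checked from the current directory downwards.
first_blocker() {
    uid=$1 gid=$2 target=$3 want=${4:-r}
    case $target in /*) cur= ;; *) cur=. ;; esac
    old_ifs=$IFS; IFS=/; set -f
    set -- $target                               # split the path on "/"
    IFS=$old_ifs; set +f
    n=$#
    for part in "$@"; do
        n=$((n - 1))
        [ -n "$part" ] || continue
        cur="$cur/$part"
        info=$(stat -L -c '%a %u %g' "$cur" 2>/dev/null) ||
            { echo "$cur (missing)"; return 2; }
        bits=$(class_bits $info "$uid" "$gid")
        if   [ "$n" -gt 0 ]; then need=1                      # ancestor: search (x)
        elif [ "$want" = w ] && [ -d "$cur" ]; then need=3    # create entries: w + x
        elif [ "$want" = w ]; then need=2                     # overwrite a file: w
        else need=4                                           # read: r
        fi
        [ $(( bits & need )) -eq "$need" ] || { echo "$cur"; return 1; }
    done
    return 0
}
```

For the question's case, call it as `first_blocker "$(id -u apache)" "$(id -g apache)" /home/admin/public_html/generate.php r`, substituting the account your web server actually runs as.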
I want the user to be able to read and edit files in the test folder, these files are always created by a software with read-only properties.
I can't use the chown command manually, so I need a chown command that can work in PHP before the user's read and write commands automatically.
Manual ok:
root#vultr: chown -R nginx /var/www/html/test //run ok, All files in the test folder can be read and written
root#vultr:~# /var/www/html/test/test.sh //run ok, the test.sh file contains the "chown -R nginx command /var/www/html/test"
My PHP code, which is not working:
shell_exec('./test.sh');
chown('file_webuser', 'nginx');
The chown (change owner) won't work for non-root user. What you really need to do is to grant the user (I assume it's a nginx) full permissions to files.
It can be achieved in few ways. The most secure way is to run PHP (I'm guessing PHP is running as a PHP-FPM) as a nginx user by editing params user and group in your php-fpm.conf file and restarting the PHP service.
In such case, the owner of files will be the same, so no file permission manipulation is needed. You'll need to change ownership of all files generated/uploaded by PHP to nginx once (using root user and chown command).
The second solution is to add the user who's running PHP-FPM to the same group as the nginx user and modify umask so the files are accessible to a group. Let's say that the group would be www-data (you have to add nginx user and the PHP-FPM process owner to that group, for example with usermod command, and edit your php-fpm.conf: set group to www-data). Then in your PHP scripts use umask function to allow all members of group to have full access to files: umask(0007);.
The third, least secure way is to give full access to your files for all users in the system. Use umask function in your PHP file to achieve this: umask(0000);
This is because the root user probably has privileges to manipulate these files created by Nginx, etc.
If PHP is not the owner of those files, you can put it in the authorized group that has the desired access.
Use the exec() in PHP so your code will look like:
exec("chown -R nginx /var/www/html/test");
I have a PHP script which runs in first server and it curls the PHP file which is on the second server.
$service_url = 'http://example.com/version_check.php?f_path='.$path;
On the second server, that PHP file (version_check.php) reads the files in /var/www directory and processes it.
Now I want to know how to access /var/www directory with root privileges.
I need root privileges because I am doing some fwrites in that directory.
If you’re using the default configuration on Ubuntu, you’ll have a user and group named www-data that your web server runs as. If you want to be able to write to a particular file, chown it to www-data:
$ chown www-data:www-data /var/www/my-file
Alternatively, keep the current ownership, change the group, and make it group-writable:
$ chgrp www-data /var/www/my-file
$ chmod g+w /var/www/my-file
As a last resort if you don’t want to change the ownership or group, make it world-writable:
$ chmod a+w /var/www/my-file
But this is a bad idea—any service on your system, good or bad, can modify the file, rather than just your web server. You should avoid it if you can.
You don't. Just make the particular files or folders writable by www-data. Running your PHP script as root would be a serious security problem. Even more so, because I don't expect you to follow any common security guidelines (if you did, you wouldn't want to run your script as root).
Kumaran,
The issue isn't PHP; the issue is the user accessing the files. Your PHP scripts are run by the apache user (www-data or apache, you'd need to check the username your apache's running under). The apache user, by default, can access certain files.
To be able to access files using root privileges, the apache user needs to acquire the rights to do so.
Allowing this to happen is a big security risk. You need to re-think the architecture altogether; why is PHP accessing root files in the first place?
One option is to make the files in question writeable by the apache user
The /root directory is only readable by the root user. Hence you need to first move that file to /var/www and change its permissions so www-data users can read it.
I have a PHP script that creates a folder and some files in this folder. OK, I can do this easily with mkdir in PHP, but the folder is owned by www-data, a weird user or group that I didn't log in as. Because of that, I can't modify this folder or the files in it (delete).
Could someone suggest how to fix this? Can I create the folder as our currently logged-in user? It's a public folder for every user (should chmod 775). These folders are created by a PHP script and there can be many of them, so I don't want to run sudo chmod on all of these folders every time a new folder is created!
Any folder created by any application running under the HTTP server service will be owned by the user executing such application (or component of the application). That being said, if you're running an Apache HTTP daemon whose child processes are owned by the www-data user, any folder created by any PHP script will be owned by that user.
You'll not be able to chown() any FS entry to other user, since www-data doesn't have permissions to do so. You can change it manually via command line with super user permissions (uid == 0) using the chown command line binary.
This question has been asked a couple of times up here, but I haven't found a solution yet. I have a Fedora 19 LAMP server and I just want to run the simple command: file_put_contents('test.txt', 'Hello there'); in order to confirm that my web server can use PHP to write data to files. I'm having trouble figuring out a proper permissions scheme. To start, just for development, Apache's document root is /var/www/html. This directory was originally owned by a user and group called www-data, but I changed the directory's group to the primary group of the owner of the httpd process, named apache. It is this owner that is active when PHP runs. I've confirmed this with the following:
As you see, the process owner is apache, the current directory is /var/www/html/php-console. The directory is owned by www-data and members of the group apache have full access to it.
I have tried the following to get PHP to actually create a file in this location, but to no avail:
chmod 777 /var/www/html/php-console
chown apache /var/www/html/php-console
chgrp apache /var/www/html/php-console
cd /var/www/html; > test.txt; chmod 777 test.txt;
Nothing will work while this script is run from the browser. However, when I use file_put_contents with the PHP CLI, it works just like I would expect, provided that the user I'm entering commands as or its group has write permissions to this directory or test file.
So, from the command line, you see how www-data has read, write, and execute permissions to the folder I'm in. posix_getpwuid and posix_geteuid help you to find the owner of the Apache/PHP process, which in this case is the same as the user logged into the console. file_put_contents successfully writes 8 bytes to the specified file. If I change the group or owner and group to something else, I get Permission denied, which absolutely makes sense.
If this works on the command line, then why not when I really want it to, i.e., while actually serving web pages???
Because you forgot to read the httpd_selinux(8) man page and give the directory the appropriate file context to allow the web server to write files there.
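What the file-context fix referred to above looks like in practice, as an added example that is not part of the original answer: it reads the SELinux type from an `ls -Zd` line and, when the directory is not labelled `httpd_sys_rw_content_t`, prints the `semanage` and `restorecon` commands that relabel it. The function names are hypothetical, the sample listing lines in the comments are constructed, and the stock targeted policy is assumed.

```shell
#!/bin/sh
# Added example. Constructed samples of `ls -Zd` output in the two common layouts:
#   unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/php-console
#   drwxrwxrwx. www-data apache unconfined_u:object_r:httpd_sys_content_t:s0 php-console
# Mode 777 does not help in either case: the type httpd_sys_content_t is
# read-only for the web server, whatever the mode bits say.

# context_type LINE -> prints the SELinux type (third field of user:role:type:level)
context_type() {
    for field in $1; do
        case $field in
            *:*:*:*)
                t=${field#*:}        # drop the SELinux user
                t=${t#*:}            # drop the role
                echo "${t%%:*}"      # keep the type, drop the level
                return 0 ;;
        esac
    done
    return 1
}

# httpd_write_fix DIR LINE
# Prints nothing and returns 0 if DIR is already labelled for httpd writes.
# Otherwise prints the commands (to be run as root) that add a persistent
# file-context rule and apply it, and returns 1.
httpd_write_fix() {
    dir=$1
    ctype=$(context_type "$2") ||
        { echo "no SELinux context found in listing" >&2; return 2; }
    [ "$ctype" = httpd_sys_rw_content_t ] && return 0
    echo "# $dir is labelled $ctype; httpd is not allowed to write here"
    echo "semanage fcontext -a -t httpd_sys_rw_content_t '$dir(/.*)?'"
    echo "restorecon -Rv '$dir'"
    return 1
}
```

On the server itself: `httpd_write_fix /var/www/html/php-console "$(ls -Zd /var/www/html/php-console)"`.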
My code gets a permission denied error at the move_uploaded_file() function when I'm trying to save a file into a folder on my server (from the temp folder).
My user has full permissions across all the website directories and files. Is there an apache user that need permissions as well? How do I give permissions to this apache user?
If that isn't the case. Is there a way I can use the php chmod function to fix this problem?
Thanks for the help!
You are correct. The folder you need to move the file to doesn't need you to have permissions, it needs for the web server to have permissions.
Basically you need to figure out what account your web server is running as and give that user write permissions to the destination directory.
To figure out what your web server account name is, try the following command (assuming you're running Linux):
sudo lsof -i tcp:80
You should get back a bunch of lines with a USER column. One will be root, ignore that one. The other user listed is the user under which your web server is running. It's probably something like www or www-data or apache or the like.
After that, navigate to the parent directory of your upload directory and change its ownership and permissions with the following command:
sudo chown www-data:www-data uploads
sudo chmod u+w uploads
At that point, your webserver user now has access to write to your uploads directory. If you have any trouble, post a comment and I'll try to help out.
I assume you gave the folder 777 permissions? The folder needs those permissions.