PHP script uploads archives on the web server and unzip them. Under some conditions I need to delete previously unzipped files. But apache can not delete the files because it get "Access denied" error despite of it has all the necessary permissions. I tried to delete them as 'apache' user manually and got the same error.
For example:
# ls -l
....
-rw-r--r--. 1 apache apache 46 янв 26 11:11 desktop.ini
# sudo -u apache rm desktop.ini
rm: невозможно удалить «desktop.ini»: Отказано в доступе
^^^ It means Access Denied
I can delete the files as 'root' user.
I thought that it can be by selinux restrictions. But selinux works in permissive mode:
# getenforce
Permissive
make sure that the apache service is indeed running as username 'apache' as it is typically running as username 'www-data' however I am sure you most likely have checked this already.
the user 'apache' only has write/read permissions in your above post
however to delete a file you need write/execute permissions
give the user execute permissions
Related
I'm trying to upgrade postgresql database from 9.1 to 9.4. I ran the 9.4 version of pg_upgrade as follows:
sudo -u postgres pg_upgrade -b <path>/postgres/9.1/bin -B <path>/postgres/9.4/bin -d <path>/9.1DBs/ -D <path>/<empty folder>
I get:
check failed for: <path>/postgres/9.1/bin Permission denied
The folder exists, I set the permissions to 777, even gave the postgres user ownership of the directory structure, but I'm still getting the same error.
Running in verbose mode does not provide any extra info.
The partition with that contains the old binaries is mounted under /media/ and I have read/write access.
Any ideas what could be causing this?
This error
check failed for: /postgres/9.1/bin Permission denied
happens because access permission on directories (x bit) need to be set in every directory in the hierarchy, from the root to the directory containing these executables files.
This is detailed at Unix.SE in:
Do the parent directory's permissions matter when accessing a subdirectory?
I've downloaded 2.0.4... I can't get pass the "can't create cache directory" cause of permissions problem...
I've tried chmod 777 -R symfony
-- to all folders, still can't create cache dir
I've tried setfacl but it says unrecognized -m option....
My system does not support chmod +a
I've done chown -R myuser:apache symfony
-- still nothing
I've tried umask(0000) and umask(0002) in console.php/app_dev.php/app.php
-- still nothing
When I refresh the page to http://localhost/symfony/web/app_dev.php, I get a SElinux alert... is this causing something? I'm not sure... all symfony content is word writable.
I'm not sure if it's me... but it's driving me nuts, maybe I just should stop using symfony2.
I'm using Fedora 13.
It seems that you will need to switch SELinux to Permissive state. You can do so executing as root user:
setenforce 0
PHP's umask may have no effect when default apache umask is different.
Originally I used to use setfact, but this adds overhead for deployment.
What worked for me on ubuntu servers is:
Set default apache umask.
Edit /etc/apache2/envvars and add this line in the end of file:
umask 0002
Reload apache service
Add your deploy user to www-data group, add www-data to your deploy user group.
adduser www-data `whoami`
adduser `whoami` www-data
Logout or restart server for this to take effect.
Remove app/cache, app/logs dirs
Try to load page in browser, notice how app/cache dir is created by www-data user and has write group permission. Try to clear cache in console and verify that no errors occurred.
Remove app/cache, app/logs dirs
Run cache:clear, notice how app/cache dir is created by user deploy user and has write group permission. Try to load page in browser, and verify that no errors occurred.
Now you can forget about cache and logs permissions on this particular server for all subsequent projects.
I have a AWS ec2 instance with Amazon Linux AMI running. As the web server I installed Apache and the web directory is /var/www/html.
Until now I had the permission for /var/www/html set as 777 under the user c2-user (chmod -R 777 /var/www/html).
I read, that you should usually have set the 644 permission for web access. But as soon as I do that, I get the 403 forbidden error message. What do I have to change?
The difference between '7' and '6' is the execute bit. That's important on directories because it allows other users to enter the directory. Since the dir is opened by ec2-user and Apache runs as another user, the third number (of 777) comes into play.
On individual files it may be okay to use permissions of 644, as that prevents other users from being able to modify the file. This isn't always true, though- executable files need the executable bit and logs need to be writeable by their process.
Here's a quick overview on directories and unix permissions: https://unix.stackexchange.com/questions/21251/why-do-directories-need-the-executable-x-permission-to-be-opene
I have a big doubt how to setup Apache and Pure-FTPd. I don't know how set folder permissions and secure users to not access other folders outsite their home directory.
My scenario:
Apache running defaults (group apache, user apache)
Pure-FTPd using Pure-DB (internal database, not Linux users) - installed using group "ftpusers" and user "ftpuser"
all sites in /sites
I did:
chown apache:apache /sites -R
To create an user on Pure-FTPd:
pure-pw -u myuser -d /sites/onesite -u ftpuser -g ftpusers
pure-pw mkdb
This way I can connect to a FTP account but cannot transfer (permission denied) or delete files.
I can set all /sites to 777 but I know this is not correct. I want to know the correct way, so users can upload/delete files, Apache can read/write files in each website, and if a user upload something to try read outside the /sites directory he gets an error.
Please, help me to secure my webserver using Apache and Pure-DB, plus Linux permissions.
Thank you!
Roger
Not sure if this is correct: I've created the FTP user using "apache:apache"
pure-pw -u myuser -d /sites/onesite -u apache -g apache
pure-pw mkdb
and set:
chmod 770 /sites -R
So everything runs on apache:apache.
Same issue here. I solved it lowering /etc/pure-ftpd/conf/MinUID to my www-data UID number. Though I'd like to know if there is a better solution.
Hope you are good. I have Xammp on fedora and changed owner of opp/lampp/htdoc to root. Why I did so because whenever someone creates new folder through sharing, they don't have permission to dynamically create folder or files or to write images. Then I run command
chmod -R 777 /opt/lampp/htdocs
But when system goes to restart then I again need to run this command. So avoid again and again run this command I changed the owner on "opt/lampp/htdocs" and run
chmod -R 777 /opt/lampp/htdocs
Now, whenever server restarts, assigned permissions don't need to be set again and again. That is resolved.
I have an issue, that old directories can be used to write something. But if any network user creates new directory under htdocs, that new directory needs to be changed the permission for it.
previously created, and can use this one directory to run script to create files
drwxrwxrwx 2 root root 4096 2011-06-15 14:09 aaa
Newly created, cannot be used to run a script to create image or to write anything
drwxr-xr-x 2 root root 4096 2011-06-17 15:17 aaaa
drwxr-xr-x this one is really annoying to me for each newly created folder in htdocs :(
Just to let you know that my htdocs user and rights are:
drwxrwxrwx 101 root root 4096 2011-06-17 15:17 htdocs
Why is it so? Can anybody please help me to figure this problem out? I am waiting for quick response anxiously.
First off, you should investigate what permissions you really need - chmodding everything to 777 is a security risk as it will allow any user to write inside of your web root.
However, to address your actual question of the default permissions when a new folder is created by a user, you want to adjust the default "umask" which determines such things.
This question has some information for changing it for the Apache user (if a "network user" is a user creating new files and directories through the httpd process):
Setting the umask of the Apache user
If you need to adjust it for other users or processes, the solution will be similar.
Good luck!
Edit
Since you're on Fedora, try this: (from the question I linked above)
[root ~]$ echo "umask 002" >> /etc/sysconfig/httpd
[root ~]$ service httpd restart
The first command will add that line to the /etc/sysconfig/httpd which is a permanent configuration file, and the second command will make it active.
You are tackling the problem from the wrong side. Restore your apache configuration to use apache.apache as default user/group, and set your samba server to use those credentials when someone write to your document root.
If you are using nfs or another posix compatible filesystem, use chmod g+s to keep all files readable from your apache server.
Try it:
#umask 000
have a good time!!