Why does Apache + PHP require execution permissions to write to a file? - linux

It has always baffled me that if a folder has read and write permissions, Apache + PHP can't write to it. You have to end up giving Apache execute permissions to be able to write a file in that folder. Why?
For example with chmod 664 (where the build group includes the apache user) apache won't be able to write a temporary cache file in this folder:
drw-rw-r-- 5 jenkins build 4096 Jun 15 13:05 cache
while with chmod 774 apache will be able to write a new file to the folder:
drwxrwxr-- 5 jenkins build 4096 Jun 29 11:44 cache

You need execute permission to conceptually enter a directory (cd into it, list files within, etc.). It would have been clearer if they called this bit something else for directories. This article recommends thinking of it as the "search" permission on directories.

When these permissions are set for a directory, they give the ability to access the meta-info and to access the contents. I think this is why you need execute.

Related

mod_perl can't see files in /tmp

I have some mod_perl code trying to access a file under /tmp ... but it throws a 'no such file or directory' error. I added an 'ls -al /tmp' to my code to see what Perl was seeing inside the directory, and it only gave me . and .. :
drwxrwxrwt. 2 root root 6 Jan 21 13:36 .
drwxrwxrwx. 18 root sysadmin 4096 Nov 22 22:14 ..
In reality there are a mixture of files under /tmp, including some owned by the Apache user. Changing my code to 'ls -al /' gives a correct directory listing (nothing missing).
I tried sudo'ing to the Apache user, and can see the files under /tmp, so it must be something mod_perl related.
Ideas? I'm running mod_perl 2.0.8 and Apache 2.4 under CentOS 7. SELinux is set to permissive.
So, based on the comments, the answer here is that it's an RHEL 7 feature.
https://securityblog.redhat.com/2014/04/09/new-red-hat-enterprise-linux-7-security-feature-privatetmp/
PrivateTmp=
Takes a boolean argument. If true sets up a new file system
namespace for the executed processes and mounts a private /tmp
directory inside it, that is not shared by processes outside of
the namespace. This is useful to secure access to temporary files
of the process, but makes sharing between processes via /tmp
impossible. Defaults to false.

Git Install Script How to enter shell command

This is more of a git related question than openshift.
When I push files to the git server using git, I see that the file permissions of my perl index.cgi file gets changed to 700 in my openshift repo.
Hence every time I do a push, I have to log in to the server using ssh and do a chmod a+x index.cgi in my $OPENSHIFT_REPO_DIR to change it to 755.
I read in the git documentation that it is possible to add a hook, and I tried updating the post-update script in the hooks directory with the following command:
exec chmod a+x $OPENSHIFT_DATA_DIR/index.cgi
However, that does not seem to have worked.
Can you please tell me what I am doing wrong?
How can I ensure I don't have to make the chmod change every time I push files?
How does one execute shell commands via the git install script? (I don't know what the install script is; I assume it means the hooks.)
Based on a suggestion below I thought I would need to add the hook to the server, so I tried it, but I got an error:
$ git add .git/hooks/post-update
error: Invalid path '.git/hooks/post-update'
error: unable to add .git/hooks/post-update to index
So I tried some options using action hooks by placing a "start" in the local .openshift/action_hooks directory.
The command there I've tried to use was
exec chmod a+x register.cgi and even chmod a+x register.cgi
Not much luck. Any inputs? I will be raising this as a separate question against action hooks.
This is more of a git related question than openshift.
Actually, it is more related to openshift than it is to Git: Git only records 644 and 755 permissions.
But the destination system managing a checkout (and updating a working tree) would set the permissions according to the default umask (which in your case could be 077).
Make sure the default umask is 022.
Regarding the hook, check its name ('post-update', no extension) and its permissions (it must be executable; 755 would be useful).
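As an added example (not code from the answer's author), here is a small Python model of what the answer describes: git records only 100644/100755 (and symlinks) in the index, and the mode a file gets on checkout is whatever the process umask leaves of 0666 or 0777. The index listing is constructed, with fake object ids, and the model assumes no core.sharedRepository setting interferes.

```python
import re

# Git records only these file types in the index; full on-disk modes are not stored.
# The base mode git creates each with at checkout (0666 or 0777) is then cut by umask.
# Assumption in this model: no core.sharedRepository setting interferes.
GIT_BASE_MODE = {"100644": 0o666, "100755": 0o777, "120000": None}   # 120000 = symlink

INDEX_LINE = re.compile(r"^(\d{6}) [0-9a-f]{40} \d\t(.+)$")   # `git ls-files -s` format

def checkout_mode(index_mode, umask):
    """Mode a file ends up with in the working tree under the given umask."""
    base = GIT_BASE_MODE[index_mode]
    return None if base is None else base & ~umask & 0o777

def predict_tree(ls_files_output, umask):
    """Parse `git ls-files -s` output and predict every path's on-disk mode."""
    tree = {}
    for line in ls_files_output.splitlines():
        m = INDEX_LINE.match(line)
        if m:
            tree[m.group(2)] = checkout_mode(m.group(1), umask)
    return tree

def umask_for(index_mode, wanted):
    """The umask that yields `wanted` for an index entry, or None if impossible
    (a umask can only remove bits, so 100644 can never come out executable)."""
    base = GIT_BASE_MODE[index_mode]
    if base is None or wanted & ~base:
        return None
    return base & ~wanted & 0o777

# Constructed sample index listing (fake object ids), mirroring the index.cgi case.
SAMPLE = ("100755 " + "a" * 40 + " 0\tindex.cgi\n"
          "100644 " + "b" * 40 + " 0\tREADME\n")

if __name__ == "__main__":
    for umask in (0o077, 0o022):
        print(oct(umask), {p: oct(m) for p, m in predict_tree(SAMPLE, umask).items()})
```

With umask 077 the 100755 entry comes out as 700, exactly the symptom in the question; with 022 it comes out as 755.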
Grant permissions as in this gitweb folder, for example:
gitweb/
drwxr-xr-x 3 root root 4096 Sep 25 12:01 .
drwxr-xr-x 225 root root 12288 Oct 27 20:10 ..
-rwxr-xr-x 1 root root 251319 Sep 23 04:36 gitweb.cgi
lrwxrwxrwx 1 root root 10 Sep 23 04:36 index.cgi -> gitweb.cgi
drwxr-xr-x 2 root root 4096 Sep 25 12:01 static

Linux: share permissions between users for SVN folders

On an Ubuntu machine I've set up an SVN repository, served with Apache.
All the SVN repository folders and subfolders (located under /var/svn/repos/) belong to the www-data user and group:
drwxr-xr-x 7 www-data www-data 4096 gen 21 10:38 software_repository
www-data is the Apache user.
Next, I have a cron job that makes a nightly svnadmin dump of the repository, using my home user, let's say john_doe (who is in the www-data group too). The svnadmin dump command (and more...) is contained in a sh file called by crond.
During the cron job, or when launching it manually as user john_doe, I get:
svnadmin: E160052: Revprop caching for '/var/svn/repos/sw/software_repository/db' disabled because SHM infrastructure for revprop caching failed to initialize.
svnadmin: E000013: Can't open file '/var/svn/repos/sw/software_repository/db/rev-prop-atomics.mutex': Permission denied
Because of the Permission denied error, I've run the same sh script with sudo prepended, and everything works fine.
So, we have 2 possibilities:
Understand where the SVN error comes from.
Change permissions in a correct way for the john_doe user used by cron.
For point #1 I've done some Google searching but found nothing...
For point #2, I think the correct way is not to set all permissions (recursively) for the group www-data on all SVN folders and subfolders. What could be done is to share permissions on the SVN folders between the www-data user and john_doe, or give the www-data group the same permissions (recursively) as the www-data user. Or something else, but for both solutions I have no idea of the correct command or configuration setting.
Solved running command:
chmod -R g=u software_repository
This fix is for solution 2. By the way, I've no clue where the SVN errors come from...

Permission of the webpage folder /var/www on a Linux server

I have moved my website from Godaddy to a VPS server. I'm new to Linux, so I followed some tutorials online, but I'm still confused about some problems.
I use SSH to log on to my server as user adam. In order to run PHP properly, I have to set 755 permissions on /var/www and change the owner of this folder to www-data. But that means I don't have permission to write files in this folder, even if I add user adam to the group www-data. And I cannot upload webpages to this folder using FTP, which is very annoying. (Currently I have to type su to switch to root and then modify these files with nano.)
I know setting 777 is a solution but it may cause some safety concerns so I'm looking for a better solution.
drwxr-xr-x 8 www-data www-data 4096 Jul 24 21:36 www
Every permission number is composed as follows:
4: read
2: write
1: execute
So if you add them you get the permission. For example, 7 means all the permissions and 6 means read and write.
The first number of 755 is for the owner, the second for the group's users and the third for other users.
So 755 means rwxr-xr-x, i.e. the owner can read, write and execute, but group members can't write.
If you want to solve this you can change the privileges to 775; then it will change to rwxrwxr-x.
Or you can add www-data as a secondary group to adam and set the setgid bit (group www-data) on /var/www.

Getting error that the database is locked when refreshing the page

I am running Apache with mod_mono and my ASP.NET app is using Mono SQLite as its DB. When I refresh the page twice I get the DB is locked error. The folder it is in is chmod 777. The webapp is creating sqlite.db and sqlite.db-journal, but it doesn't seem to be able to delete the journal. It also has problems when I load the page once. It definitely seems to be a permission problem.
I'm confused. What permissions do I need to set on these? I tried pre-creating the files using 777 and had no luck.
-edit- I didn't find a solution; however, I realised how silly I was being, since I was planning to use MySQL for my webapp. So I just ported the code and no longer had issues.
When creating/deleting a file, the directory permissions matter.
So, if you really want that, you have to set the containing directory's permissions to 777.
Sample:
$ ls -la
total 21
dr-xr-xr-x 2 me me 1024 May 22 19:19 . #no write permissions to directory
drwxrwxrwt 21 root root 19456 May 22 19:19 ..
-rwxrwxrwx 1 me me 0 May 22 19:19 abc #all permissions to file abc
$ rm abc
rm: cannot remove `abc': Permission denied #abc has 777, but deleting doesn't work
$ chmod 777 . #change directory's permissions
$ rm abc #now removing works
$ ls #file abc is gone
The reason is that when you delete a file, you actually modify the directory and not the file itself.
Think of a hard link: the file itself will not change when you delete one hard link to it, but the directory changes.
Sounds more like one instance of the session in Apache is blocking the other session, i.e. has the DB file open exclusively. Try to let the database (model) run as a singleton (or similar) which all sessions access.
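As an added example (not from any of the posts on this page), here is a Python model of the POSIX permission check that covers both the 664/774 cache directory from the question at the top and the rm sample in the answer just above. It shows why creating or deleting an entry needs write and search (x) on the directory and never depends on the file's own mode, and why an owner in the group does not get the group's bits. The uids and gids are constructed, and root's override (uid 0) is deliberately not modelled.

```python
import stat
from dataclasses import dataclass

# Constructed identities for the scenarios on this page (uids/gids are made up).
JENKINS_UID, BUILD_GID = 1000, 1001   # the cache directory is jenkins:build
APACHE_UID = 48                       # apache, also a member of group build

@dataclass(frozen=True)
class Ident:
    uid: int
    gids: frozenset                   # primary plus supplementary groups

def class_bits(mode, owner_uid, owner_gid, who):
    """(r, w, x) applying to `who`. POSIX picks exactly one class: owner if the uid
    matches, else group if any gid matches, else other. Classes never merge, so an
    owner with r-- is denied even if the group has rw-. uid 0 is not modelled."""
    shift = 6 if who.uid == owner_uid else 3 if owner_gid in who.gids else 0
    bits = (mode >> shift) & 0o7
    return bool(bits & 4), bool(bits & 2), bool(bits & 1)

def can_create(dir_mode, dir_uid, dir_gid, who):
    """Creating an entry modifies the directory inode: needs w AND x (search) on it."""
    _, w, x = class_bits(dir_mode, dir_uid, dir_gid, who)
    if not x:
        return False, "no search (x) permission on directory"
    if not w:
        return False, "no write permission on directory"
    return True, "ok"

def can_unlink(dir_mode, dir_uid, dir_gid, file_uid, who):
    """Unlinking touches only the directory too; the file's own mode is irrelevant.
    A sticky directory (/tmp, drwxrwxrwt) adds: you must own the file or the dir."""
    ok, why = can_create(dir_mode, dir_uid, dir_gid, who)
    if ok and dir_mode & stat.S_ISVTX and who.uid not in (file_uid, dir_uid):
        return False, "sticky directory: not the owner of the file or directory"
    return ok, why

def page_scenarios():
    """The cases shown on this page, evaluated by the model above."""
    apache = Ident(APACHE_UID, frozenset({APACHE_UID, BUILD_GID}))
    me = Ident(1002, frozenset({1002}))
    return {
        "cache 664": can_create(0o664, JENKINS_UID, BUILD_GID, apache),
        "cache 774": can_create(0o774, JENKINS_UID, BUILD_GID, apache),
        "rm abc in dr-xr-xr-x": can_unlink(0o555, me.uid, me.uid, me.uid, me),
        "rm abc after chmod 777": can_unlink(0o777, me.uid, me.uid, me.uid, me),
        "rm someone else's file in /tmp": can_unlink(0o1777, 0, 0, 1003, me),
    }
```

Running `page_scenarios()` reports the 664 cache directory as denied for lack of the search bit, the 774 one as allowed, and the 777 file in a dr-xr-xr-x directory as not deletable because the directory itself is not writable.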
