Recently switched from a hosting service running nginx to one running apache. I have some php scripts that i use to create / modify certain files on the server. Am now running into permissions problems because apache assigns a different user id to my php scripts than my usual ftp / sftp login id.
Why does apache assign a different uid? Or is this a php.ini setting? How can my php scripts modify a file that belongs to the real uid, without setting the permissions to writable for all (chmod a+w)? Don't think i have the ability to change php.ini on this server.
If modifications don't happen often, you could use php to open a ftp session then use ftp commands to modify files.
Maybe consider porting data to be manipulated in a database.
Quote:
If modifications don't happen often, you could use php to open a ftp session then use ftp commands to modify files.
That sorta works, at least it helps me get past the files permissions problem in the php scripts. But the main problem still exists: that my principal ftp / sftp access uses my account user id, and php scripts use a different uid ('web'), even when in an ftp session within my php script. So even if i can now manipulate the files in a php script, any new or renamed file possesses the php-assigned uid, and then i may have difficulty maintaining the file in my normal ftp / sftp.
Am puzzled why apache uses a different user id in php scripts, while nginx used the same one?
It depends on how the hosting service configured apache; there are hostings (often hostings that advertise being compatible with php cart applications) where the virtual host user owns the files (so php can create / overwrite files in a directory with 0755 permission).
If this is a requirement, change your hosting service.
Yes, i was able to modify the apache.conf on my home system to run with my user and group id, but it appears that, with regard to apache config settings, i am dead in the water on my hosting server.
However, i just found on my hosting service FAQ page that they will allow me
Quote:
to set the suid and/or sgid file permission bits on CGI applications. When the suid bit is set, the web server will execute the script using the user id of the owner of the script (provided that the owner of the script is you).
, which means, i presume, that i may set the uid bit on any particular php script, being careful to control access to that script so as not to create a security hole.
Will experiment with this, and try to report back here later.
No, that means it's for CGI scripts, e.g. the scripts that are in a CGI directory. The directory path is whatever value for the CGI directory is configured in your web host; usually there is just one CGI directory per user account.
But yes, any script here with the suid bit set will execute commands with your user permissions.
I notice that the FAQ did specify CGI, that is, true executable files. Since php scripts are not true executables (their executable bits needn't be set - they run under apache / php binaries), i may have to change this whole process to work as a cgi script or binary.
Will leave this thread as 'unsolved' for now in case someone knows a better, more elegant workaround.
Maybe you can use php as cgi if php was compiled with cli option (it is by default)
with a script like
Code:
#!/usr/bin/env php
<?php
phpinfo();
?>
Edit: just to be clear, such a script has to have the executable bit set and it must reside in the CGI directory.
My server doesn't use a CGI directory; the faq says any directory may contain a cgi process. And that if i set the uid for a given cgi executable, it will execute with the owner's (my) privileges, not the web's. That is what i've just tried to accomplish, with no success. Have posted to my service's forum as well, to ask why this doesn't seem to work in accord with their faq page.
Am currently running a php script that calls the cgi executable. Have tried setting the exec bits (and uid bit) for the php script, makes no difference.
Is the top line in your example
Code:
#!/usr/bin/env php
important, or is your code snippet just to help me see if the cli option is set? (It doesn't appear to be enabled, at least i don't see anything that says so in the phpinfo() tables, although the credits section toward the end mentions the authors of CGI, FASTCGI and CLI w/o saying that these features are enabled).
I do have a (limited, i suppose) ability to create my own secondary php.ini. What would solve this for me would be to alter the USER and LOGNAME variables in the php environment, but i fear this would require modifying the apache config, which i can't do.
My first error was in invoking the cgi script via exec(). On my home apache, this works fine, and if i set the script's 'set-uid' bit, it runs with my uid and permissions. But apparently my hosting service only recognizes the script's uid bit if the script is run as a true cgi process, using stream_get_contents() and invoking the full url ("http://...").
Am now invoking the perl script from my php script as a true cgi, and, with the script's 'set-uid' bit set, it runs with my uid and permissions. Will mark this thread as solved.
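The concern raised earlier in the thread about not creating a security hole with the set-uid bit can be checked mechanically. The following is an added example, not part of the thread: a shell function (the name `audit_suid_cgi` and its status labels are made up here) that lists every set-uid or set-gid file under a web root and flags the ones another account could modify or that are not owned by the expected user. It assumes a Linux `find` and `stat` (GNU or BusyBox).

```shell
#!/bin/sh
# Added example: audit set-uid / set-gid files under a web root.
# Usage: audit_suid_cgi DOCROOT EXPECTED_UID
# Prints one line per set-uid/set-gid regular file:
#   <issues> <octal mode> <owner uid> <path>
# where <issues> is OK or a comma-separated list of:
#   FILE-WRITABLE  the file is writable by group or others, so they can
#                  change code that runs with the owner's uid
#   DIR-WRITABLE   the containing directory is writable by group or others,
#                  so they could replace the file (sticky bit not considered)
#   FOREIGN-OWNER  the file is not owned by EXPECTED_UID
audit_suid_cgi() {
    docroot=$1
    expected_uid=$2
    find "$docroot" -type f \( -perm -4000 -o -perm -2000 \) | sort |
    while IFS= read -r f; do
        mode=$(stat -c '%a' "$f")                  # e.g. 4755
        uid=$(stat -c '%u' "$f")                   # numeric owner
        dmode=$(stat -c '%a' "$(dirname "$f")")    # parent directory mode
        issues=
        # A leading 0 makes the shell read the mode as an octal constant.
        if [ $((0$mode & 022)) -ne 0 ]; then
            issues="$issues,FILE-WRITABLE"
        fi
        if [ $((0$dmode & 022)) -ne 0 ]; then
            issues="$issues,DIR-WRITABLE"
        fi
        if [ "$uid" != "$expected_uid" ]; then
            issues="$issues,FOREIGN-OWNER"
        fi
        if [ -z "$issues" ]; then
            issues=",OK"
        fi
        printf '%s %s %s %s\n' "${issues#,}" "$mode" "$uid" "$f"
    done
}

# Run directly as: sh audit.sh /path/to/docroot "$(id -u)"
if [ "$#" -ge 2 ]; then
    audit_suid_cgi "$1" "$2"
fi
```

Any line that does not start with `OK` is a file whose set-uid bit gives more than the owner a way to run code under the owner's uid.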