LinuxQuestions.org


wayne0101 10-25-2010 09:40 AM

changing the user for apache/php?
 
hello everybody,

i'm quite inexperienced in linux but have to solve a problem. i have to develop a php script that acts as a man-in-the-middle between a db-like software and a webshop. this should run on a server within a DMZ, behind two firewalls, that should filter every request from sources other than the eshop, and any protocol other than HTTPS. this server is a debian machine, with an apache 2.2 and php 5.3. i've installed apache and php without any problems, installed openssl, generated a certificate and installed it. i tested the connection successfully. the eshop-server can connect to the server inside the DMZ without problems and receives a correct answer.

now to my problem. the db-like software (called "netbasic") generates a csv-file in a fixed directory. this csv-file has an owner called "netbasic". the file-access-rights are: -rwxr--r-- (i have some problems interpreting this. i know, r stands for read and w for write, x for both and the order is for different usergroups). my problem is now, that my php-script tries to read the file (successful), generates output (successful) and then deletes the file (failed -> permission denied). i figured out that the problem is that apache (or, i don't know, just php) doesn't run as root and has therefore no write-permission.

because the server is already secured with the firewalls, we, my workmates and me, don't see a problem with changing the apache-user to root. but i don't know how this is done and don't know what to search for.

maybe one of you could be so kind as to give me a tip

thank you very much
wayne

Hangdog42 10-25-2010 11:32 AM

Quote:

i know, r stands for read and w for write, x for both and the order is for different usergroups
Not quite right. r is for read, w is for write and x is for executable. The first triplet is the permissions for the owner, the second triplet for the group and the third is for absolutely everyone. So in your example, the owner can read, write and execute the file, whatever group has been specified can read it and everyone can read it.

Quote:

because the server is already secured with the firewalls, we, my workmates and me, don't see a problem, to change the apache-user to root. but i don't know how this is done and don't know, what to search for.
I get that this is a well insulated machine, but having apache owned by root is just bad practice, particularly when there is probably a much easier solution, namely messing with the group a little bit. If you have a netbasic user, that user must belong to a group (run ls -l on the file to find out which group owns it). Change the group ownership to the apache group and give the group rwx rights to the file (chmod 775). That should allow the apache user to read/write and delete it. The netbasic user shouldn't be affected since they remain the owner.
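As an added illustration (not part of the thread), the triplet rule above and the group-based fix can be modelled in a few lines. It assumes Apache runs as the Debian default user `www-data` (the thread never names it) and that the `netbasic` user's primary group is `users`, as the original poster reports later; one practical detail the model shows is that deleting a file is an operation on the containing directory, so the group write bit has to be on the out-directory, not only on the csv file.

```python
"""Unix permission triplets as ls -l shows them, applied to the netbasic/apache case.
Added example, not code from the thread; users, groups and modes are constructed."""
from dataclasses import dataclass


@dataclass
class Node:
    mode: str    # symbolic mode from ls -l, e.g. '-rwxr--r--'
    owner: str
    group: str


def parse_mode(mode):
    """Split a 10-char symbolic mode into (owner, group, other) permission sets.
    The sticky bit / setuid letters (t, s) are not modelled here."""
    if len(mode) != 10:
        raise ValueError("expected 10-character symbolic mode such as -rwxr--r--")
    bits = mode[1:]
    return [{c for c in bits[i:i + 3] if c != "-"} for i in (0, 3, 6)]


def can(user, groups, node, perm):
    """Only one triplet applies: owner if you own it, else group if you are in
    the owning group, else 'everyone'. Root is not modelled (it bypasses all)."""
    own, grp, oth = parse_mode(node.mode)
    if user == node.owner:
        return perm in own
    if node.group in groups:
        return perm in grp
    return perm in oth


def can_unlink(user, groups, directory):
    """unlink() needs write and search (x) permission on the directory."""
    return can(user, groups, directory, "w") and can(user, groups, directory, "x")


def scenario():
    """Constructed: netbasic writes out/answer.csv, Apache (www-data) must delete it."""
    apache, apache_groups = "www-data", {"www-data"}
    out_dir = Node("drwxr-xr-x", "netbasic", "users")
    answer = Node("-rwxr--r--", "netbasic", "users")
    # Fix attempted on the file only: chgrp www-data answer.csv; chmod 775 answer.csv
    answer_fixed = Node("-rwxrwxr-x", "netbasic", "www-data")
    # Fix applied to the directory: chgrp www-data out/; chmod 775 out/
    out_fixed = Node("drwxrwxr-x", "netbasic", "www-data")
    return {
        "read_answer": can(apache, apache_groups, answer, "r"),
        "write_answer_after_file_fix": can(apache, apache_groups, answer_fixed, "w"),
        "unlink_before": can_unlink(apache, apache_groups, out_dir),
        "unlink_after_file_fix_only": can_unlink(apache, apache_groups, out_dir),
        "unlink_after_dir_fix": can_unlink(apache, apache_groups, out_fixed),
    }
```

This keeps `netbasic` as owner with full rights, exactly as the post describes, while Apache stays an unprivileged user that can only touch the one exchange directory.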

wayne0101 10-25-2010 12:14 PM

thanks Hangdog42 for your answer.

first a word on the meaning of the rights. yes, of course, you are right. now, when i read your explanation, i remember having heard about that in university. but that was so long ago, i couldn't remember anymore. thank you.

the other thing, my main problem. you're right, too, but i think i haven't told enough for you to see that this doesn't solve my problem. every time i make a query to "netbasic" i have to write the requested data into a csv-file in a special directory. the latter depends on the query. every query-directory has an "in" and an "out" subfolder. my csv-query-file is instantly read by netbasic and deleted. netbasic calculates the answer and writes a file with the same name to the out-dir. if the filename already exists nothing happens. therefore i have to read the answer and delete it afterwards. it doesn't work that i log on as root and change the file-permissions.

but i believe you that making the apache-user-group the parent of the netbasic-user-group would be a part of the solution. i even wouldn't have a problem with making apache run under the same user as netbasic, because apache is only installed for this purpose. i just don't know how i can do these things and give apache (my php-script) the permission to delete the answer-file.

beside, i forgot to mention, it's a debian with a 2.6.18-6-686 kernel.

thank you very much
wayne

Hangdog42 10-25-2010 03:34 PM

Quote:

i have to write the requested data into a csv-file in a special directory. the latter depends on the query. every query-directory has an "in" and an "out" subfolder. my csv-query-file is instantly read by netbasic and deleted. netbasic calculates the answer and writes a file with the same name to the out-dir. if the filename already exists nothing happens. therefore i have to read the answer and delete it afterwards. it doesn't work that i log on as root and change the file-permissions.

The only other approach I can think of would require netbasic to change the permissions or ownership itself after writing the file.

Quote:

i even wouldn't have a problem with making apache run under the same user as netbasic, because apache is only installed for this purpose. i just don't know how i can do these things and give apache (my php-script) the permission to delete the answer-file.
You know in this situation, having apache run as the same user as netbasic might not be a bad idea. Normally you want Apache running as a non-privileged user without shell access since that limits damage in case of a compromise, but this isn't a normal situation. You would have to go back and make sure that the server tree was owned by the new user, but that should be trivial to do.

wayne0101 10-26-2010 02:24 AM

Quote:

You would have to go back and make sure that the server tree was owned by the new user, but that should be trivial to do.
you mean, just changing the owner of the apache files makes apache run with different user privileges? that would be the answer i'm looking for.

Hangdog42 10-26-2010 07:03 AM

Quote:

you mean, just changing the owner of the apache files makes apache run with different user privileges?
Not quite. To run apache as a different user, you need to change the User and Group directives in your httpd.conf file and then restart apache. However, the existing files apache is currently serving will still be owned by the previous apache user and the new apache user may not be able to read them. For example, my apache server runs under the user apache and the group apache. All of the files it serves are in a directory that is owned by apache:apache. If I were to change httpd.conf so that apache is now run under the netbasic user and the netbasic group (netbasic:netbasic), the server could no longer read the files owned by apache:apache. So I would need to go in and change the ownership to netbasic:netbasic.

wayne0101 10-27-2010 04:08 AM

thank you Hangdog42,

i solved the problem. in etc/apache2/apache2.conf are two entries, one for the username and one for the groupname that starts the apache2 service. i changed these entries to the netbasic-user, in my case with the name "netbasic", member of group "users". that's everything i changed. it was not necessary to change the ownership of the apache-files. "netbasic" has read-access to nearly everything on the system. that is no problem, because the system is very isolated within the lan of the company i work for. read-access to its own directories seems to be the only access a running apache service needs.

so once again: thank you very much Hangdog42.
wayne

Hangdog42 10-27-2010 06:46 AM

Glad I could help. Yeah, even though this solution is unorthodox from a normal Apache operations standpoint, it probably is the easiest way to deal with this particular problem since the server is pretty isolated. Thanks for posting your solution.
