changing the user for apache/php?
hello everybody,
i'm quite inexperienced in linux but have to solve a problem. i have to develop a php script that acts as a man-in-the-middle for a db-like software and a webshop. this should run on a server within a DMZ, behind two firewalls that should filter every request from sources other than the eshop, and any protocol other than HTTPS. this server is a debian machine with an apache 2.2 and php 5.3. i've installed apache and php without any problems, installed openssl, generated a certificate and installed it. i tested the connection successfully. the eshop server can connect to the server inside the DMZ without problems and receives a correct answer.

now to my problem. the db-like software (called "netbasic") generates a csv file in a fixed directory. this csv file has an owner called "netbasic". the file access rights are: -rwxr--r-- (i have some problems interpreting this. i know r stands for read and w for write, x for both, and the order is for different user groups). my problem is now that my php script tries to read the file (successful), generates output (successful) and then deletes the file (failed -> permission denied).

i figured out that the problem is that apache (or, i don't know, just php) doesn't run as root and therefore has no write permission. because the server is already secured with the firewalls, we, my workmates and i, don't see a problem with changing the apache user to root. but i don't know how this is done and don't know what to search for. maybe one of you could be so kind as to give me a tip.

thank you very much
wayne
thanks Hangdog42 for your answer.
first a word on the meaning of the rights. yes, of course, you are right. now, when i read your explanation, i remember having heard about that in university. but that was so long ago, i couldn't remember anymore. thank you.

the other thing, my main problem. you're right, too, but i think i haven't told enough for you to see that this doesn't solve my problem. every time i make a query to "netbasic" i have to write the requested data into a csv file in a special directory. the latter depends on the query. every query directory has an "in" and an "out" subfolder. my csv query file is instantly read by netbasic and deleted. netbasic calculates the answer and writes a file with the same name to the out dir. if the filename already exists, nothing happens. therefore i have to read the answer and delete it afterwards. it doesn't work that i log on as root and change the file permissions.

but i believe you that making the apache user group the parent of the netbasic user group would be a part of the solution. i wouldn't even have a problem with making the apache run under the same user as netbasic, because the apache is only installed for this purpose. i just don't know how i can do these things and give apache (my php script) the permission to delete the answer file.

besides, i forgot to mention, it's a debian with a 2.6.18-6-686 kernel.

thank you very much
wayne
The only other approach I can think of would require netbasic to change the permissions or ownership itself after writing the file.
thank you Hangdog42,
i solved the problem. in etc/apache2/apache2.conf are two entries, one for the username and one for the groupname that starts the apache2 service. i changed these entries to the netbasic user, in my case with the name "netbasic", member of group "users". that's everything i changed. it was not necessary to change the ownership of the apache files. "netbasic" has read access to nearly everything on the system. that is no problem, because the system is very isolated within the lan of the company i work for. read access to its own directories seems to be the only access a running apache service needs.

so once again: thank you very much Hangdog42.
wayne
Glad I could help. Yeah, even though this solution is unorthodox from a normal Apache operations standpoint, it probably is the easiest way to deal with this particular problem since the server is pretty isolated. Thanks for posting your solution.
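
Added example, not part of the original thread: a small Python model of the owner/group/other check that shows why the script could read the `-rwxr--r--` file but not delete it (deleting depends on the directory's write bit, not the file's) and compares the fix used above with a group-writable directory. The numeric ids, both directory modes and the group-membership scenario are constructed assumptions, and only the immediate parent directory is checked.

```python
import stat
from collections import namedtuple

# Stand-in for os.stat_result so the check runs on constructed values.
Node = namedtuple("Node", "uid gid mode")

def allowed(node, uid, gids, want):
    """Owner/group/other check; `want` is a mask of r=4, w=2, x=1."""
    if uid == 0:
        return True  # root passes the read and directory checks used here
    if uid == node.uid:
        bits = node.mode >> 6      # owner class
    elif node.gid in gids:
        bits = node.mode >> 3      # group class
    else:
        bits = node.mode           # other class
    return (bits & want) == want

def can_read(f, parent, uid, gids):
    # Needs search (x) on the directory and read (r) on the file.
    return allowed(parent, uid, gids, 1) and allowed(f, uid, gids, 4)

def can_delete(f, parent, uid, gids):
    # unlink() changes the directory entry: needs w+x on the directory.
    # The file's own mode bits are not consulted.
    if not allowed(parent, uid, gids, 3):
        return False
    # Sticky directory: only the file owner, directory owner or root may delete.
    if parent.mode & stat.S_ISVTX and uid not in (0, f.uid, parent.uid):
        return False
    return True

# Constructed ids: netbasic=1001 in group users=100, Debian's www-data=33.
NETBASIC, USERS, WWW = 1001, 100, 33
answer = Node(NETBASIC, USERS, 0o744)        # -rwxr--r-- as in the thread
out_dir = Node(NETBASIC, USERS, 0o755)       # assumed directory mode
shared_dir = Node(NETBASIC, USERS, 0o2775)   # assumed: group-writable + setgid

def scenarios():
    return {
        "www-data reads": can_read(answer, out_dir, WWW, {WWW}),
        "www-data deletes": can_delete(answer, out_dir, WWW, {WWW}),
        "apache as netbasic deletes": can_delete(answer, out_dir, NETBASIC, {USERS}),
        "www-data in group users, shared dir": can_delete(answer, shared_dir, WWW, {WWW, USERS}),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'allowed' if ok else 'permission denied'}")
```

The last scenario lets the web server remove answer files without running as the account that owns the rest of netbasic's data.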