Old 10-25-2010, 09:40 AM   #1
wayne0101
LQ Newbie
 
Registered: Oct 2010
Posts: 4

Rep: Reputation: 0
changing the user for apache/php?


hello everybody,

i'm quite inexperienced in linux but have to solve a problem. i have to develop a php script that acts as a man-in-the-middle for a db-like-software and a webshop. this should run on a server within a DMZ, behind two firewalls, that should filter every request from sources other than the eshop, and any protocol other than HTTPS. this server is a debian-machine, with an apache 2.2 and php 5.3. i've installed apache and php without any problems, installed openssl, generated a certificate and installed it. i tested the connection successfully. the eshop-server can connect to the server inside the DMZ without problems and receives a correct answer.

now to my problem. the db-like-software (called "netbasic") generates a csv-file in a fixed directory. this csv-file has an owner called "netbasic". the file-access-rights are: -rwxr--r-- (i have some problems interpreting this. i know, r stands for read and w for write, x for both and the order is for different usergroups). my problem is now that my php-script tries to read the file (successful), generates output (successful) and then deletes the file (failed -> permission denied). i figured out that the problem is that apache (or, i don't know, just php) doesn't run as root and therefore has no write-permission.

because the server is already secured with the firewalls, we, my workmates and i, don't see a problem with changing the apache-user to root. but i don't know how this is done and don't know what to search for.

maybe one of you could be so kind as to give me a tip

thank you very much
wayne
 
Old 10-25-2010, 11:32 AM   #2
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Quote:
i know, r stands for read and w for write, x for both and the order is for different usergroups
Not quite right. r is for read, w is for write and x is for executable. The first triplet is the permissions for the owner, the second triplet for the group and the third is for absolutely everyone. So in your example, the owner can read, write and execute the file, whatever group has been specified can read it and everyone can read it.

Quote:
because the server is already secured with the firewalls, we, my workmates and i, don't see a problem with changing the apache-user to root. but i don't know how this is done and don't know what to search for.
I get that this is a well insulated machine, but having apache owned by root is just bad practice, particularly when there is probably a much easier solution, namely messing with the group a little bit. If you have a netbasic user, that user must belong to a group (run ls -l on the file to find out which group owns it). Change the group ownership to the apache group and give the group rwx rights to the file (chmod 775). That should allow the apache user to read/write and delete it. The netbasic user shouldn't be affected since they remain the owner.

Last edited by Hangdog42; 10-25-2010 at 11:34 AM.
 
Old 10-25-2010, 12:14 PM   #3
wayne0101

thanks Hangdog42 for your answer.

first a word to the meaning of the rights. yes, of course, you are right. now, when i read your explanation, i remember having heard about that in university. but that was so long ago, i couldn't remember anymore. thank you.

the other thing, my main problem. you're right, too, but i think i haven't told enough for you to see that this doesn't solve my problem. every time i make a query to "netbasic" i have to write the requested data into a csv-file in a special directory. the latter depends on the query. every query-directory has an "in" and an "out" subfolder. my csv-query-file is instantly read by netbasic and deleted. netbasic calculates the answer and writes a file with the same name to the out-dir. if the filename already exists nothing happens. therefore i have to read the answer and delete it afterwards. it doesn't work that i log on as root and change the file-permissions.

but i believe you that making the apache-user-group the parent of the netbasic-user-group would be a part of the solution. i even wouldn't have a problem with making the apache run under the same user as netbasic, because the apache is only installed for this purpose. i just don't know how i can do these things and give apache (my php-script) the permission to delete the answer-file.

besides, i forgot to mention, it's a debian with a 2.6.18-6-686 kernel.

thank you very much
wayne
 
Old 10-25-2010, 03:34 PM   #4
Hangdog42

Quote:
i have to write the requested data into a csv-file in a special directory. the latter depends on the query. every query-directory has an "in" and an "out" subfolder. my csv-query-file is instantly read by netbasic and deleted. netbasic calculates the answer and writes a file with the same name to the out-dir. if the filename already exists nothing happens. therefore i have to read the answer and delete it afterwards. it doesn't work that i log on as root and change the file-permissions.

The only other approach I can think of would require netbasic to change the permissions or ownership itself after writing the file.


Quote:
i even wouldn't have a problem with making the apache run under the same user as netbasic, because the apache is only installed for this purpose. i just don't know how i can do these things and give apache (my php-script) the permission to delete the answer-file.
You know in this situation, having apache run as the same user as netbasic might not be a bad idea. Normally you want Apache running as a non-privileged user without shell access since that limits damage in case of a compromise, but this isn't a normal situation. You would have to go back and make sure that the server tree was owned by the new user, but that should be trivial to do.
 
Old 10-26-2010, 02:24 AM   #5
wayne0101

Quote:
You would have to go back and make sure that the server tree was owned by the new user, but that should be trivial to do.
you mean, just changing the owner of the apache files makes apache run with different user privileges? that would be the answer i'm looking for.
 
Old 10-26-2010, 07:03 AM   #6
Hangdog42

Quote:
you mean, just changing the owner of the apache files makes apache run with different user privileges?
Not quite. To run apache as a different user, you need to change the User and Group directives in your httpd.conf file and then restart apache. However, the existing files apache is currently serving will still be owned by the previous apache user and the new apache user may not be able to read them. For example, my apache server runs under the user apache and the group apache. All of the files it serves are in a directory that is owned by apache:apache. If I were to change httpd.conf so that apache is now run under the netbasic user and the netbasic group (netbasic:netbasic), the server could no longer read the files owned by apache:apache. So I would need to go in and change the ownership to netbasic:netbasic.
 
Old 10-27-2010, 04:08 AM   #7
wayne0101

thank you Hangdog42,

i solved the problem. in etc/apache2/apache2.conf are two entries. one for the username and one for the groupname, that starts the apache2 service. i changed these entries to the netbasic-user, in my case with the name "netbasic", member of group "users". that's everything i changed. it was not necessary to change the ownership of the apache-files. "netbasic" has read-access to nearly everything on the system. that is no problem, because the system is very isolated within the lan of the company i work for. read-access to its own directories seems to be the only access a running apache service needs.

so once again: thank you very much Hangdog42.
wayne
 
Old 10-27-2010, 06:46 AM   #8
Hangdog42

Glad I could help. Yeah, even though this solution is unorthodox from a normal Apache operations standpoint, it probably is the easiest way to deal with this particular problem since the server is pretty isolated. Thanks for posting your solution.
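
The permission logic this thread turns on, as an added example that is not from any poster: deleting a file is decided by the mode of the directory that holds it, so the sketch below evaluates the thread's "out" directory under a few setups. The `www-data` account (Debian's default Apache user) and all directory modes are assumptions; `netbasic` and `users` come from the thread.

```sh
#!/bin/sh
# unlink() is checked against the DIRECTORY: the caller needs write (w) and
# search (x) on it, and with the sticky bit set must also own the file or
# the directory. The file's own mode (e.g. -rwxr--r--) is not consulted.

# can_unlink DIR_MODE DIR_OWNER DIR_GROUP FILE_OWNER USER "USER_GROUPS"
# DIR_MODE is octal as printed by `stat -c %a` (e.g. 755, 2775, 1777).
can_unlink() {
    local m=$(( 0$1 )) d_owner="$2" d_group="$3" f_owner="$4" user="$5" bits
    # Exactly one permission class applies: owner, else group, else other.
    if [ "$user" = "$d_owner" ]; then
        bits=$(( (m >> 6) & 7 ))
    else
        case " $6 " in
            *" $d_group "*) bits=$(( (m >> 3) & 7 )) ;;
            *)              bits=$(( m & 7 )) ;;
        esac
    fi
    # Both w (2) and x (1) are required on the directory.
    [ $(( bits & 3 )) -eq 3 ] || return 1
    # Sticky bit (01000): only the file owner or directory owner may unlink.
    if [ $(( m & 01000 )) -ne 0 ]; then
        [ "$user" = "$f_owner" ] || [ "$user" = "$d_owner" ] || return 1
    fi
    return 0
}

verdict() { if can_unlink "$@"; then echo allow; else echo deny; fi; }

# Constructed cases (modes and www-data are assumed, names are the thread's).
# 1. Default: out/ is netbasic:users 755, Apache runs as www-data.
verdict 755  netbasic users netbasic www-data "www-data"
# 2. Least privilege: www-data added to group users, out/ made 2775.
verdict 2775 netbasic users netbasic www-data "www-data users"
# 3. The thread's fix: Apache itself runs as netbasic.
verdict 755  netbasic users netbasic netbasic "users"
# 4. Sticky directory such as /tmp: write access alone is not enough.
verdict 1777 root root netbasic www-data "www-data"
```

Case 2 gives the PHP script the delete right it needs while Apache keeps its own unprivileged account; case 3 is what the thread settled on.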
 