LinuxQuestions.org
Old 11-06-2015, 06:47 AM   #1
AdultFoundry
Member
 
Registered: Jun 2015
Posts: 245

How would I solve something like this?


Seems like apache/php has no rights to modify any files in admin/scripts (and probably all other 777 directories like cache...

Code:
Warning: touch(): Unable to create file /var/www/html/domain.com/admin/scripts/csv_photo_log_thread0.txt because Permission denied in /var/www/html/domain.com/admin/csv_photos_stats.php on line 21
Warning: chmod(): No such file or directory in /var/www/html/domain.com/admin/csv_photos_stats.php on line 26

I installed a program / script, and I followed their instructions of what files and folders should be chmod'ed to 777, so everything would work. I am now told that apache / php don't have rights necessary for the program to work (or certain aspects of it).

Can you tell me how would I go about this? How to check what permissions apache / php have, what they should be for the program to work, and how to adjust the settings.

It is a fresh / clean installation of the latest release of CentOS7. I am fairly new to this, so I am not sure how would I go about this.

Edit:

I have SETFACL set on /var/www/html folder. It looks like Apache / PHP can't get through this (or maybe /var/www) settings in order to do what is needed. I thought that the default settings of both would be ok (Apache Web Server / PHP), but I guess something does not work with this script. I have the newest version of Wordpress installed, and everything works as it should, 100%.

Edit:

getfacl /var/www/html gives something like this:

# file: var/www/html
# owner: root
# group: root
user:rwx
user:user_one:rwx
group:r-x
mask:rwx
other:r-x
default:user:rwx
default:user:unser_one:rwx
default:group:r-x
default:mask:rwx
default:other:r-x

Like I said, I did chmod -R 777 on all required folders and files (this was recursively), based on the installation instructions. I kind of don't understand what sort of permission settings could be getting in the way... Like I said, Wordpress works 100% fine (newest version).

Last edited by AdultFoundry; 11-06-2015 at 08:37 AM.
 
Old 11-06-2015, 09:59 AM   #2
berndbausch
Senior Member
 
Registered: Nov 2013
Location: Tokyo
Distribution: Redhat/Centos, Ubuntu, Raspbian, Fedora
Posts: 1,687

Looks like an SELinux issue. To confirm this, check if the inaccessible directory is in /var/log/audit/audit.log.
If so, you need to set the SELinux context on this directory tree. This should be possible with restorecon or chcon in your case; search the web for detail (I would look for "httpd selinux" or "httpd restorecon" to start).

Or perhaps somebody else knows what to do without having to look it up.
 
1 members found this post helpful.
Old 11-08-2015, 06:42 AM   #3
AdultFoundry
Member
 
Registered: Jun 2015
Posts: 245

Original Poster
I also thought it was SELinux related, initially. I switched it to Permissive mode in /etc/sysconfig/selinux, and everything worked. I then ran the following commands:

# getsebool -a | grep httpd

These three need to be set to on:

httpd_enable_cgi
httpd_unified
httpd_builtin_scripting

It is not the only solution, but it is the easiest way to solve this at this point. It is possible to configure it on a domain by domain basis too (more advanced).

# setsebool -P httpd_unified on
# nano /etc/sysconfig/selinux - change back to Enforcing mode
# reboot

Everything works...

Thanks.
 
Old 11-08-2015, 08:23 PM   #4
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,602

SELinux uses several different labels to protect apache from vulnerabilities. What you are doing is removing the protections. Making things world rwx allows anyone to delete/replace... and create their own malware server...


Apache directories are labeled with the type httpd_sys_content_t, which allows apache to read it, but nothing else.

If you want apache to write to things they have to be labeled httpd_sys_rw_content_t, but that is a weakness.

If what is being written to are CGI files... not gonna happen. For CGI to be executed by apache they have to be labeled with the type "httpd_sys_script_exec_t" which again is write protected.

The goal is to protect the rest of the system from vulnerabilities. Apache is confined to only what it is allowed to read and write by the system administrator.

https://access.redhat.com/documentat...TP_Server.html
 
Old 11-09-2015, 12:54 AM   #5
AdultFoundry
Member
 
Registered: Jun 2015
Posts: 245

Original Poster
I have a php script installed on domain.com. Not all the features of the program were working correctly, as they were blocked by SELinux in some way. What would be the best way to solve it? Modify it on the domain.com only? Or maybe go down to directories that the script needs?
 
Old 11-09-2015, 06:23 AM   #6
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,602

Modifying the domain doesn't change the confinement.

You would have to go through the base directories required by the PHP script and set them appropriately for the script. Now, files and directories created BY the script within those modified directories should not be a problem - they will inherit the labels from the parent directory.
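
Added example, not part of any post in this thread: the audit-log check and the per-directory labeling discussed above, as a shell sketch. The audit records are constructed samples, the function names `httpd_denials` and `relabel_plan` are hypothetical, and the relabel commands are only printed, not executed.

```shell
#!/bin/sh
# Added example: triage httpd AVC denials, then print (not run) a narrow relabel.

# Constructed audit records for illustration; a real host logs these to
# /var/log/audit/audit.log.
SAMPLE_AUDIT='type=AVC msg=audit(1446810420.101:411): avc:  denied  { write } for  pid=2101 comm="httpd" name="scripts" dev="dm-0" ino=52101 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1446810420.350:412): avc:  denied  { read } for  pid=900 comm="sshd" name="x" dev="dm-0" ino=7 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1446810431.007:415): avc:  denied  { write } for  pid=2101 comm="httpd" name="cache" dev="dm-0" ino=52188 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir'

# Emit "permission name target_type class" for every denial whose source
# domain is httpd_t; denials from other domains are ignored.
httpd_denials() {
  grep -E 'avc: +denied' | grep 'scontext=[^ ]*:httpd_t:' |
    sed -E 's/.*\{ ([^}]*) \}.* name="([^"]*)".* tcontext=[^:]*:[^:]*:([^:]*):.* tclass=([a-z_]+).*/\1 \2 \3 \4/'
}

# Print the commands that make one directory tree writable by httpd
# (httpd_sys_rw_content_t), leaving the rest of the site read-only to it.
relabel_plan() {
  _dir=${1%/}
  case $_dir in
    *..*) echo "refusing: $_dir contains .." >&2; return 1 ;;
    /var/www/?*) ;;
    *) echo "refusing: $_dir is outside /var/www" >&2; return 1 ;;
  esac
  printf 'semanage fcontext -a -t httpd_sys_rw_content_t "%s(/.*)?"\n' "$_dir"
  printf 'restorecon -Rv %s\n' "$_dir"
}

printf '%s\n' "$SAMPLE_AUDIT" | httpd_denials
relabel_plan /var/www/html/domain.com/admin/scripts
```

Each denial line shows which directory httpd tried to write and that it still carries the read-only `httpd_sys_content_t` type; the printed `semanage`/`restorecon` pair changes the label for that one tree only.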
 
Old 11-09-2015, 03:24 PM   #7
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 16,818

Quote:
Like I said, I did chmod -R 777 on all required folders
WHY ? WHY ?


now you have to not just fix the permissions to the CORRECT ones
but you also have a SELinux context nightmare to fix

this IS fixable but

30 to 50 min to reinstall the os and apache
or
1 to 3 days( or more) to fix
IF "restorecon" can not fix it

try this -- hopefully the system will auto relabel and fix it

set "setenforce=0"
reboot

then set it to
"setenforce=1"
reboot and let THE ENTIRE set up of drives relabel
this might take a full day or more if it is a HUGE raid array
or if it is a tiny 80 gig drive about 30 min to 1 hour

Last edited by John VV; 11-09-2015 at 03:30 PM.
 
  

