Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I have a php script that creats some files and moves them into certain directories. When the files are created, the ownership is www-data:www-data
When they are moved to the appropriate directories the maintain that. But, I need the files' ownership to be changed to asterisk:asterisk
However, www-data doesn't have permissions to do this. I don't want to run a cron as root that does this (I'm already doing that). I really wish there was a way for my files to be created via my php script and in that same file do something like:
system("chown asterisk:asterisk /home/test/test.call");
I have a php script that creats some files and moves them into certain directories. When the files are created, the ownership is www-data:www-data
When they are moved to the appropriate directories the maintain that. But, I need the files' ownership to be changed to asterisk:asterisk
However, www-data doesn't have permissions to do this. I don't want to run a cron as root that does this (I'm already doing that). I really wish there was a way for my files to be created via my php script and in that same file do something like:
system("chown asterisk:asterisk /home/test/test.call");
but that fails
any ideas?
How does it fail? What does it show you in the logs?
When you create the file, you (obviously) have permissions to write/modify it...why don't you do the chown on it, BEFORE you move it to the destination directory, since you can't do it once the file is moved?
How does it fail? What does it show you in the logs?
When you create the file, you (obviously) have permissions to write/modify it...why don't you do the chown on it, BEFORE you move it to the destination directory, since you can't do it once the file is moved?
The thing is, apparently I can't even chown of the file in the directory it is created in...
I tested by doing the following:
su - www-data
chown asterisk:asterisk 7854102216201006111810.00-20100611165928.call
chown: changing ownership of `7854102216201006111810.00-20100611165928.call': Operation not permitted
The thing is, apparently I can't even chown of the file in the directory it is created in...
I tested by doing the following:
su - www-data
chown asterisk:asterisk 7854102216201006111810.00-20100611165928.call
chown: changing ownership of `7854102216201006111810.00-20100611165928.call': Operation not permitted
Hmm....tried this on my system here, and it did the same thing. Never noticed that before.
Apparently, only root can chown a file to another user ID. A plausible workaround would be to add the www-data user into the SUDO'ers file, and give them no-password access just to the chown command. Then you could use the system call as "sudo chown asterisk:asterisk <filename>". That said, I'd make VERY sure that the www-data user can't run "chown root", just "chown asterisk"...otherwise, that's a nice security hole...
Why does it need to be owned by asterisk, why not just change permissions so that the user has full access to the file? At least that is more secure than giving sudo permissions to a service account which is designed to be limited in scope and usage.
Why does it need to be owned by asterisk, why not just change permissions so that the user has full access to the file? At least that is more secure than giving sudo permissions to a service account which is designed to be limited in scope and usage.
Very true, but my suggestion was to only grant SUDO access to one specific command. The OP had asked about how to chown it, so that's what I tried to address.
Very true, but my suggestion was to only grant SUDO access to one specific command. The OP had asked about how to chown it, so that's what I tried to address.
Understood, but I still stand by my position of not wanting to give www-data any sudo permissions, even if limited. In theory if www-data could do sudo chown it would be possible for that to change ownership of files /directories other than those intended.
Ultimately though without fully understanding what is going on, and why this is being done it is hard to make a call as to the best solution. I was just trying to come at it from another angle the OP might not have considered.
Totally agree, and it is a VERY bad thing to give SUDO away. But, in this case, if you limit that user to just a "chown asterisk" command only, the only thing that user can do is chown a file to another non-privileged user.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
how can www-data chown a file?
