LinuxQuestions.org


cupofnestor 11-16-2010 08:33 AM

(Permissions?) Problem with gphoto2 and php.
 
I recently discovered gphoto2 as an alternative to commercial PTP/Camera Control software. I'm tasked with designing a photo-booth kiosk for several museums. My intention is to front-end the thing with an adobe air gui. The gui will call scripts to operate the camera through gphoto2, and since the endpoint of the photos is an emailed message, I thought mysql/php would be appropriate.

The problem is this: gphoto2 cannot run correctly from a php script. I immediately realized the need to allow the www-data user access to the usb camera, and so I added www-user to the plugdev group.

As it stands, I can run gphoto2 like so:

Code:

sudo su www-data -c 'gphoto2 --capture-image'

even:

Code:

$ sudo su www-data
$ php -r 'echo exec("gphoto2 --capture-image");'

The above php will NOT work when run from a browser. I get a standard error message when I do so.
Code:

For debugging messages, please use the --debug option.
Debugging messages may help finding a solution to your problem.
If you intend to send any error or debug messages to the gphoto
developer mailing list , please run gphoto2 as follows:

    env LANG=C gphoto2 --debug --debug-logfile=my-logfile.txt --debug --debug-logfile=/var/log/gp-logfile.txt --capture-image-and-download

Please make sure there is sufficient quoting around the arguments.

Any suggestions?

Code:

Ubuntu 9.10
Server version: Apache/2.2.12 (Ubuntu)
PHP 5.2.10-2ubuntu6.5 with Suhosin-Patch 0.9.7 (cli) (built: Sep 16 2010 20:04:48)


stress_junkie 11-16-2010 09:16 AM

Since it works under the www-data account I'd be tempted to just create a bash script that calls gphoto2 --capture-image, place the script in the www-data directory and suid it to www-data.

cupofnestor 11-16-2010 09:32 AM

Good idea.

Not QUITE sure what you meant, but I did make a bash script. chown'd it to root:root and chmod'd it to 4755. The way I see it, it should be executable with root permissions by www-data. When I run the script as before with php -r, it works. Still will not work in a browser though.... could it be a timeout problem?

Quote:

Originally Posted by stress_junkie (Post 4160744)
Since it works under the www-data account I'd be tempted to just create a bash script that calls gphoto2 --capture-image, place the script in the www-data directory and suid it to www-data.


stress_junkie 11-16-2010 10:42 AM

Quote:

Originally Posted by cupofnestor (Post 4160756)
Not QUITE sure what you meant, but I did make a bash script. chown'd it to root:root and chmod'd it to 4755. The way I see it, it should be executable with root permissions by www-data. When I run the script as before with php -r, it works. Still will not work in a browser though.... could it be a timeout problem?

If you are running it as root then the files it creates will be owned by root. If you run it as www-data then the files that it creates will be owned by www-data.

Check for www server errors on the server. Then check file ownership and permissions on the data files.

cupofnestor 11-17-2010 08:26 AM

Quote:

Originally Posted by stress_junkie (Post 4160744)
Since it works under the www-data account I'd be tempted to just create a bash script /.../ suid it to www-data.

After looking around a bit, it seems that suid only works on binaries in Linux.

GrapefruiTgirl 11-17-2010 08:35 AM

Quote:

Originally Posted by cupofnestor (Post 4161862)
After looking around a bit, it seems that suid only works on binaries in Linux.

That is correct.

Also, if I remember correctly from my own experiences using gtkam and/or gphoto2 with my camera(s) here, is that the camera program itself must be suid-root in order to access the hardware (the camera). If it isn't already, perhaps try that (though I have no idea what sort of security implications this imposes on your kiosk arrangement).

cupofnestor 11-17-2010 09:00 AM

Quote:

Originally Posted by GrapefruiTgirl (Post 4161868)
That is correct.

Also, if I remember correctly from my own experiences using gtkam and/or gphoto2 with my camera(s) here, is that the camera program itself must be suid-root in order to access the hardware (the camera). If it isn't already, perhaps try that (though I have no idea what sort of security implications this imposes on your kiosk arrangement).

**EDITED**

chmod +s /usr/bin/gphoto2 fixed the php problem! Thanks, Grape!

Now, I just have to figure out how to make the files which gphoto2 creates accessible by www-data. As it is now, they are root:root.

Well, permissions seem to only be a part of the problem. As you can see in my initial post, I can run gphoto from the shell as www-data, even with command-line php. I think the problem has to do with the apache/php config; it is as if php is not 'waiting' for the process to complete or something??

cupofnestor 11-17-2010 12:58 PM

Thanks for your help
 
Quote:

Originally Posted by cupofnestor (Post 4161906)
**EDITED**

Now, I just have to figure out how to make the files which gphoto2 creates accessible by www-data. As it is now, they are root:root.

So, for future generations, here is the solution:

gphoto2 permissions should be as follows:
-rwsr-sr-x 1 root root

Since gphoto is root:root, any files it creates are as well. I solved this by creating a bash script which chowns the files to www-data:www-data. Then, I added a line via visudo:
%www-data ALL=NOPASSWD: /var/www/photo/changeOwner.sh

and executed this script from php: exec('sudo ./changeOwner.sh myfile.jpg').

This still leaves a security hole with www-data being able to execute the script as a superuser, but that should be remedied by removing read and write privileges.
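As an added example (not part of the original post, and not the poster's script): a version of the chown helper that validates its argument before acting as root, since the sudoers rule above lets www-data pass it any string. The directory /var/www/photo is taken from the post; the .jpg-only rule, the character whitelist and the function names are assumptions.

```shell
#!/bin/sh
# Added example: validate the file argument before chown-ing it as root.
# PHOTO_DIR comes from the post; the .jpg rule and names are assumptions.
PHOTO_DIR=/var/www/photo

# Print the full path of a capture that is safe to chown, else return 1.
safe_photo_path() {
    name=$1
    # Bare file name only: not empty, not option-like or hidden, no slashes.
    case $name in
        ''|-*|.*|*/*) return 1 ;;
    esac
    # Conservative character set: rejects spaces, quotes, ';', '$' and so on.
    case $name in
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    case $name in
        *.jpg) ;;
        *) return 1 ;;
    esac
    path=$PHOTO_DIR/$name
    # Refuse symlinks and anything that is not an existing regular file;
    # a root chown that follows a link could hand over any file on the system.
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        return 1
    fi
    printf '%s\n' "$path"
}

# Hand one validated capture over to the web server account.
change_owner() {
    path=$(safe_photo_path "$1") || { echo "rejected: $1" >&2; return 1; }
    # -h: change the entry itself even if it is swapped for a symlink later.
    chown -h www-data:www-data -- "$path"
}

# Runs only when called with an argument, as in: sudo changeOwner.sh myfile.jpg
if [ "$#" -gt 0 ]; then
    change_owner "$1"
fi
```

Because sudo runs this as root, the script and every directory above it should be owned by root and not writable by www-data; a helper that www-data can edit or replace gives that account root.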

chrism01 11-18-2010 11:33 PM

Thought I'd just point out that
Code:

sudo su www-data
logs you in as www-data user BUT with your orig environment settings.
To get the real www-data env you need
Code:

sudo su - www-data

cupofnestor 11-21-2010 05:01 PM

Quote:

Originally Posted by chrism01 (Post 4163925)
Thought I'd just point out that
Code:

sudo su www-data
logs you in as www-data user BUT with your orig environment settings.
To get the real www-data env you need
Code:

sudo su - www-data

Cool, thanks. By "settings" are you referring to the shell settings?


All times are GMT -5.