PHP - dynamically create folder and reassign ownership

adymroxx · 04-30-2009, 04:07 PM

I’m building a web interface to modify a database we use within our office and I’ve run into some problems with file permissions. My plan is to assign each user that accesses the web interface a unique ID, stored in a PHP session variable. This ID will be used to create a temporary working directory in /tmp (ex: /tmp/ndb123456789). This directory will be used to store a working copy of the database. The uniquely named directory will prevent a user who is currently making edits from being overwritten by someone else accessing the interface. After the user is done with their editing, their changes will be merged with the actual database.

Here is my code for the top of the first page:

Code:

<?php
  include 'includes/db.inc';
  session_start();
  if(!isset($_SESSION['active'])) {
    $_SESSION['active'] = rand(1, 1000000000);
    $tempdir = "/tmp/ndb/".$_SESSION['active'];
    $status = system(“mkdir $tempdir”, $retval);
    $status = system("mysqldump -u $db_user --pasword=$db_pass --tab=$tempdir $db_name",$retval);
  }
?>

Unfortunately, all this does is create the directory and then crash out on the mysqldump. When I enter those commands manually through the CLI, I see that the mysqldump only works if the mysql user (mysql) owns that directory. When the above code runs, the user “daemon” creates the directory and therefore owns everything inside of it, preventing mysqldump from running.

Which brings me to my question: is it possible to create a directory from a PHP system call and change the permissions to allow mysql to access it (system(“chown mysql:mysql $tempdir”) doesn’t seem to work). Am I going about this in entirely the wrong way?

Any help would be greatly appreciated.

ilikemonkeys111 · 04-30-2009, 10:09 PM

turns out php has its own mkdir and chmod commands. You might try those.

Code:

bool mkdir  ( string $pathname  [, int $mode= 0777  [, bool $recursive= false  [, resource $context  ]]] )

Code:

bool chmod  ( string $filename  , int $mode  )

Just out of curiosity, why do you need to store a working copy of the database? You may want to consider something like mysql.

adymroxx · 05-01-2009, 09:10 AM

I just tried PHP’s mkdir with 0777 permissions and it’s still not working. User daemon still claims ownership of the directory, preventing the mysqldump from working. When I run the commands in the above code manually from the CLI as root it works. I have to run a “chown mysql:mysql $tempdir” in effect for it to work however. PHP’s chown doesn’t allow user daemon to change its ownership.

I am using MySQL. My plan is to keep a solid, “official” database. When a user accesses the web interface, a copy of the database is made into their temp directory so they have something to work off of. This allows for some sanity/error checks before they export their changes to the official database – without interrupting the official db.

This is really a proof of concept right now. Maybe I’m going about this the wrong way. However, I think this question can be boiled down to whether or not it is possible for PHP to create a directory for another user. Chmod and chown don’t seem to be working either.

Acron_0248 · 05-01-2009, 10:21 AM

The thing with chmod and chown is that, as you've already pointed out, you need to be root to use then

Sadly enough, one thing that might help you with those commands will be using them through sudo and without a password but that doesn't seem to be a good solution. Just to clarify what I mean, the following sudoers entries should let you do what you want:

Code:

apache localhost=(root) NOPASSWD: /bin/chmod
apache localhost=(root) NOPASSWD: /bin/chown

Obviously, this will be a serious thing to do because if "someone", maybe doing pentesting for the webapp, come to know that is possible to change mode and ownership of files, then you'll be in a hell of a trouble.

Other thing that you might want to consider instead of your current approach is to make the DB backup using php instead of mysql's client mysqldump, for instance, from PHP, this might be useful:

PHP Code:



 
mysql_query("SELECT col1, col2 INTO OUTFILE '/tmp/unique_dir_here/somefile'");

That's just an example, you should work in a more complete query, but basically, the idea will be to use mysql functions of PHP to create the backup instead mysqldump, by using PHP itself you avoid having troubles with file/directory permissions

Good luck

haxple · 05-02-2009, 12:50 PM

Quote:

Originally Posted by adymroxx

My plan is to assign each user that accesses the web interface a unique ID, stored in a PHP session variable. This ID will be used to create a temporary working directory in /tmp (ex: /tmp/ndb123456789).

1.- Its a random number, random numbers can repeat, so you have to check if a user is not using alredy that database/folder/whatever
2.- Try chmod

PHP Code:



<?php 
  include 'includes/db.inc'; 
  session_start(); 
  if(!isset($_SESSION['active'])) { 
     
  //Its a random number, random numbers can repeat, so you have to check if a user is not using alredy that database 
  $random = rand(1, 1000000000); 
  if (is_dir("/tmp/ndb/".$random)){ 
    $random = rand(1, 1000000000); 
  } 
     
    $_SESSION['active'] = $random; 
    $tempdir = "/tmp/ndb/".$_SESSION['active'];     
    $status = system(“mkdir $tempdir”, $retval); 
    $status = system(“chmod 777 $tempdir"”, $retval); 
    $status = system("mysqldump -u $db_user --pasword=$db_pass --tab=$tempdir $db_name",$retval); 
  } 
?>

aspire1 · 05-02-2009, 03:17 PM

Just my penny's worth, I thought mysql had built in functionality for this sort of thing and at the least you could have a boolean field that indicates whether a row/record is editable at any particular point in time.

bigearsbilly · 05-02-2009, 04:48 PM

only root can change the owner of a file to another.