Old 08-05-2012, 05:39 PM   #1
OtagoHarbour
Member
 
Registered: Oct 2011
Posts: 332

Password Free scp for www-data


I am running a web site from home and have a DMZ consisting of a Ubuntu 11.04 web server and a Ubuntu 11.10 application server. When a user wants to upload files, I use InAFlash to upload the files to a directory on the web server. I would then like to use scp, embedded in a system call in a C++ application that is executable by www-data but not readable or writable by anyone, to copy the files to the application server.

The problem is that scp typically requires a password. I know how to get around this problem if I am using scp from the command line logged in as me. I just do

Code:
ssh-keygen
ssh-copy-id me@192.168.1.6
where 192.168.1.6 is the local IP-address of the application server and I can just type

Code:
scp *.bin 192.168.1.6:/var/www/UploadDir
and the files are copied with no request for a password.

However, to do this in a web application using php_exec(), I need to set things up as www-data. I am not sure how to do this since there does not appear to be an account called www-data.

Any assistance would be greatly appreciated,
Peter.
 
Old 08-05-2012, 06:34 PM   #2
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Is www-data on the application server? Does www-data exist on the app server? If so, use "scp -i www-datakey *.bin www-data@192.168.1.6:/var/www/UploadDir/"

If not, what is the owner of the /var/www/UploadDir/ directory?

If you log in as another user, you need to use that user's private key or have your local public key in the remote user's .ssh/authorized_keys file.

If there is no www-data user, then you need to log in as a user who has write access to that directory. Someone has to be the owner or a member of a group with write access.

Last edited by jschiwal; 08-05-2012 at 06:42 PM.
 
1 members found this post helpful.
Old 08-05-2012, 10:22 PM   #3
OtagoHarbour
Member
 
Registered: Oct 2011
Posts: 332

Original Poster
Quote:
Originally Posted by jschiwal View Post
Is www-data on the application server? Does www-data exist on the app server? If so, use "scp -i www-datakey *.bin www-data@192.168.1.6:/var/www/UploadDir/"

If not, what is the owner of the /var/www/UploadDir/ directory?

If you log in as another user, you need to use that user's private key or have your local public key in the remote user's .ssh/authorized_keys file.

If there is no www-data user, then you need to log in as a user who has write access to that directory. Someone has to be the owner or a member of a group with write access.
There is no file or directory called www-data on the application server. LAMP owns processes that are marked as belonging to www-data. I could make anyone the owner of the /var/www/UploadDir/ directory but there does not seem to be an actual account called www-data and LAMP only seems to have access to files and directories that are owned by www-data. It seems that an executable spawned by php_exec() would also only have access to files and directories that are owned by www-data. I could perhaps make /var/www/UploadDir/ writable to anyone but this may be a security issue.

Thanks,
Peter.
 
Old 08-06-2012, 08:21 PM   #4
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,359

The username www-data can ONLY appear on a file (or process) if a www-data acct exists.
In actual fact, all files/processes are owned by numeric uids/gids and you only see e.g. www-data because 'ls' & 'ps', to name a few, call the getent fn in the background.
It's the same principle as DNS, i.e. IP vs name.
 
1 members found this post helpful.
Old 08-07-2012, 01:44 PM   #5
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Www-data is probably a group that has read/write group access to the data that the www system user can access. If that is so, add users to this group. Examine the ls -l listings of the directories used. Also look at ACLs for finer control, adding additional users or groups with access to a more limited set of directories.
 
1 members found this post helpful.
Old 08-08-2012, 09:38 AM   #6
tango0202
LQ Newbie
 
Registered: Nov 2011
Distribution: RHEL, CentOS, Debian, Gentoo, Ubuntu
Posts: 19

What I used for automatic backups for my DHCP servers. It could be modified for your use. This is a write up that I did for a few guys here at work.

First check if the ssh/scp port is open (only needed if you’re at the machine locally)

[Local host]$ netstat -l | grep ssh (could also use netstat -a | grep ssh) (lists all active ssh sessions)
[Local host]$ netstat -l | grep ssh
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN

Once the port is confirmed open, you will need to generate either an RSA or DSA key pair. The “-t” denotes the type of key being generated.

[Local host]$ ssh-keygen -t rsa (could also be ssh-keygen -t dsa)

This will prompt you for the dir you want to save it to. Just use the default dir, which is /root/.ssh/
This will also prompt you for a passphrase to use…simply hit enter to leave it blank. When asked to confirm password hit enter again.
This will create two different keys: id_rsa and id_rsa.pub

Once the files are created you will need to cat the contents of the key into /root/.ssh/authorized_keys. If this file does not exist you will need to create it using the touch command.

[Local host]$ touch authorized_keys

The private key (id_rsa) contents will need to be transferred to the “authorized_keys” file on the local machine.
[Local host]$ cat id_rsa >> authorized_keys

This will take the contents of the key and paste it into the file. (Confirm by using “cat /root/.ssh/authorized_keys”)

You will now need to transfer the public key (id_rsa.pub) to the remote machine that you will be backing up the information to.
[Local host]$ scp /root/.ssh/id_rsa.pub root@192.168.51.XXX:/root/.ssh

Once the file transfer is complete you will need to copy the contents of the key into “authorized_keys” using “cat id_rsa.pub >> authorized_keys”. And again, if this file does not exist use “touch authorized_keys” to create it.

Test these newly created keys by starting an ssh session from the local machine to the remote machine using, for example, “ssh 192.168.51.218”. It should log you in using the keys without prompting for a password.

Once you have all of that done you will need to create a cron job to run your daily, hourly, month…etc transfer or backup of the data.

This cron job can be created in one of two ways…you can set it up so the local machine uploads the data to the remote machine or you can set it up to where the remote machine pulls it down from the local machine. Either way is fine and you can build the cron on either machine…purely preference. The example I am giving below is building the cronjob on the local machine and uploading the files to be backed up to the remote machine. Again this could be done in reverse essentially but this is the way I chose to do it.

One other thing to note is that there are a few different ways to enable a cron job. You could place the cronjob in “cronjob.daily” to make it run every day or maybe create a “cronjob.monthly” to make it run once a month. I will be using the cronjob editor (crontab -e) because I require my cron to run multiple times a day and at specific hours of the day.

First, check and see if there are currently any cronjobs that are already built into the server. This is done with the following…
[Local host]$ crontab -l

This will list all the cronjobs in the server currently.
To create a new cron that will run at specific times multiple times per day you will need to use the command
[Local host]$ crontab -e

This will open a VI editor window that will allow you to create the new cron job.

The cron that I am using is utilizing “scp” or secure copy.
00 0,12 * * * scp /var/lib/dhcpd/dhcpd.leases root@192.168.51.218:/var/lib/dhcpd

Once this line has been added you will need to write the file and you’re done.

So how that cron job reads is that it starts at the top of the hour “00”, it runs at 12am and 12pm “0,12”, the first “*” is the day of the week, the second “*” is the month of the year, the last “*” is the week of the month. So “* * *” would indicate that this cron will run every day, of every month, and every day of every month.

These values can be supplemented for numbers representing corresponding days, weeks and months. Days being “0-7”, months being “1-12” and every day of every month being “1-31”. This can also be broken down as far as hours, minutes and seconds.
 
1 members found this post helpful.
Old 08-10-2012, 01:22 PM   #7
OtagoHarbour
Member
 
Registered: Oct 2011
Posts: 332

Original Poster
I wanted to delete this message but can find no option for that. Edit says that it is supposed to but it apparently does not.

Last edited by OtagoHarbour; 08-10-2012 at 02:28 PM.
 
Old 08-10-2012, 02:03 PM   #8
OtagoHarbour
Member
 
Registered: Oct 2011
Posts: 332

Original Poster
Quote:
Originally Posted by jschiwal View Post
Www-data is probably a group that has read/write group access to the data that the www system user can access. If that is so, add users to this group. Examine the ls -l listings of the directories used. Also look at ACLs for finer control, adding additional users or groups with access to a more limited set of directories.
The problem is that it is my login that has the privileges to scp from the web server to the application server, due the process outlined in my first post. I can't figure out how to give that privilege to www-data.

Thanks,
Peter.
 
Old 08-10-2012, 02:18 PM   #9
OtagoHarbour
Member
 
Registered: Oct 2011
Posts: 332

Original Poster
Quote:
Originally Posted by chrism01 View Post
The username www-data can ONLY appear on a file (or process) if a www-data acct exists.
In actual fact, all files/processes are owned by numeric uids/gids and you only see e.g. www-data because 'ls' & 'ps', to name a few, call the getent fn in the background.
It's the same principle as DNS, i.e. IP vs name.
My main problem is that when I try to do

Code:
ssh-copy-id www-data@192.168.1.6
I get asked for a password. I have read that www-data has no password set by default. So it is impossible to log into www-data as a user (which makes sense). But if I just hit return when asked for the password, I get an authentication error.

Thanks,
Peter.
 
Old 08-11-2012, 01:16 PM   #10
OtagoHarbour
Member
 
Registered: Oct 2011
Posts: 332

Original Poster
Quote:
Originally Posted by tango0202 View Post
What I used for automatic backups for my DHCP servers. It could be modified for your use. This is a write up that I did for a few guys here at work.

I tried the steps that you outlined and then ran the following php code from my browser.

Code:
<?php 
	// Open the <pre> block so any scp output keeps its line breaks
	echo '<pre>';

	// system() runs scp as the web server user (www-data) and returns the last
	// line of its standard output; the exit status lands in $retval. Note that
	// scp writes its error messages to stderr, which system() does not capture.
	$last_line = system('scp /var/www/Src/*.cel 192.168.1.10:/var/www/Dst', $retval);

	// Printing additional info
	echo '
	</pre>
	<hr />Last line of the output: ' . $last_line . '
	<hr />Return value: ' . $retval;
?>
The browser returned the following

Code:
Last line of the output: 
Return value: 1
But no files were copied. However, when I entered

Code:
scp /var/www/Src/*.cel 192.168.1.10:/var/www/Dst
in the terminal window, the files were copied just fine. It seems that www-data still does not have copy privilege.

Thanks,
Peter.
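An added example, not code from any poster in this thread, of the setup the thread is reaching for: a key that belongs to www-data rather than to Peter's login, the public key (the id_*.pub file) installed in a restricted authorized_keys entry on the application server, and the scp invocation the web application should run. The key path, the remote account name "uploader", the web server address 192.168.1.5 and the choice of ed25519 are assumptions; it targets Linux with GNU coreutils.

```shell
#!/bin/bash
# Added example, not from any poster: key-based scp for a service account such
# as www-data.  Assumptions: the key path, the dedicated remote account
# "uploader", the web server's address 192.168.1.5, and ed25519 keys.
set -eu

KEY=/var/www/.ssh/upload_key   # owned by www-data, mode 0600, no passphrase
REMOTE_USER=uploader           # low-privilege account on the app server
REMOTE_HOST=192.168.1.6
DEST=/var/www/UploadDir

# One-time setup, run on the web server.  The key is generated AS www-data so
# that the process spawned by PHP can read it; Peter's own ~/.ssh is never
# visible to that process.  www-data's known_hosts must also already hold the
# app server's host key, because BatchMode (below) refuses to prompt for it.
generate_key() {
    install -d -o www-data -g www-data -m 0700 "$(dirname "$KEY")"
    sudo -u www-data ssh-keygen -t ed25519 -N '' -f "$KEY"
}

# OpenSSH ignores a private key that group/other can read, and a web server
# compromise would otherwise hand the key to anyone on the box.  (GNU stat.)
key_perms_ok() {
    case "$(stat -c '%a' "$1")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# The line to append to ~uploader/.ssh/authorized_keys on the app server.
# It carries the PUBLIC key, is accepted only from the web server's address,
# and is forced to the scp receive side with no shell, PTY or forwarding.
# On OpenSSH 9 and later, where scp speaks SFTP by default, force
# "internal-sftp" here instead, or call scp with -O on the client.
# $1 = public key line, $2 = client address allowed to use it.
authorized_keys_line() {
    printf 'from="%s",command="scp -t %s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$2" "$DEST" "$1"
}

# The command for the web application to run (e.g. via PHP's system()):
# a single explicit identity, and BatchMode so a missing or unusable key
# fails at once with a useful error instead of hanging on a password prompt
# that a non-interactive www-data process can never answer.
scp_cmd() {
    printf 'scp -i %s -o IdentitiesOnly=yes -o BatchMode=yes %s %s@%s:%s/\n' \
        "$KEY" "$1" "$REMOTE_USER" "$REMOTE_HOST" "$DEST"
}
```

When a call like the PHP one above returns 1 with an empty last line, append `2>&1` to the command string so that scp's stderr (the actual reason, such as a missing key or unknown host) reaches system(). Running the same command as `sudo -u www-data -H ...` from a terminal reproduces the web server's view rather than Peter's.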
 
  

