[SOLVED] (Permissions?) Problem with gphoto2 and php.

cupofnestor · 11-16-2010, 08:33 AM

I recently discovered gphoto2 as an alternative to commercial PTP/Camera Control software. I'm tasked with designing a photo-booth kiosk for several museums. My intention is to front-end the thing with an adobe air gui. The gui will call scripts to operate the camera through gphoto2, and since the endpoint of the photos is an emailed message, I thought mysql/php would be appropriate.

The problem is this: gphoto2 cannot run correctly from a php script. I immediately realized the need to allow the www-data user access to the usb camera, and so I added www-user to the plugdev group.

As it stands, I can run gphoto2 like so:

Code:

sudo su www-data -c 'gphoto2 --capture-image'

even:

Code:

$sudo su www-data
$php -r 'echo exec("gphoto2 --capture-image");'

The above php will NOT work when run from a browser. I get a standard error message when I do so.

Code:

For debugging messages, please use the --debug option. Debugging messages may help finding a solution to your problem. If you intend to send any error or debug messages to the gphoto developer mailing list , please run gphoto2 as follows: env LANG=C gphoto2 --debug --debug-logfile=my-logfile.txt --debug --debug-logfile=/var/log/gp-logfile.txt --capture-image-and-download Please make sure there is sufficient quoting around the arguments.

Any suggestions?

Code:

Ubuntu 9.10

Server version: Apache/2.2.12 (Ubuntu)

PHP 5.2.10-2ubuntu6.5 with Suhosin-Patch 0.9.7 (cli) (built: Sep 16 2010 20:04:48) '

stress_junkie · 11-16-2010, 09:16 AM

Since it works under the www-data account I'd be tempted to just create a bash script that calls gphoto2 --capture-image, place the script in the www-data directory and suid it to www-data.

cupofnestor · 11-16-2010, 09:32 AM

Not QUITE sure what you meant, but I did make a bash script. chown'd it to root:root and chmod'd it to 4755. The way I see it, it should be executable with root permissions by www-data. When I run the script as before with php-r, it works. Still will not work in a browser though.... could it be a timeout problem?

Quote:

Originally Posted by stress_junkie

Since it works under the www-data account I'd be tempted to just create a bash script that calls gphoto2 --capture-image, place the script in the www-data directory and suid it to www-data.

stress_junkie · 11-16-2010, 10:42 AM

Quote:

Originally Posted by cupofnestor

Not QUITE sure what you meant, but I did make a bash script. chown'd it to root:root and chmod'd it to 4755. The way I see it, it should be executable with root permissions by www-data. When I run the script as before with php-r, it works. Still will not work in a browser though.... could it be a timeout problem?

I you are running it as root then the files it creates will be owned by root. If you run it as www-data then the files that it creates will be owned by www-data.

Check for www server errors on the server. Then check file ownership and permissions on the data files.

cupofnestor · 11-17-2010, 08:26 AM

Quote:

Originally Posted by stress_junkie

Since it works under the www-data account I'd be tempted to just create a bash script /.../ suid it to www-data.

After looking around a bit, it seem sthat suid only works on binaries in linux.

GrapefruiTgirl · 11-17-2010, 08:35 AM

Quote:

Originally Posted by cupofnestor

After looking around a bit, it seem sthat suid only works on binaries in linux.

That is correct.

Also, if I remember correctly from my own experiences using gtkam and/or gphoto2 with my camera(s) here, is that the camera program itself must be suid-root in order to access the hardware (the camera). If it isn't already, perhaps try that (though I have no idea what sort of security implications this imposes on your kiosk arrangement).

cupofnestor · 11-17-2010, 09:00 AM

Quote:

Originally Posted by GrapefruiTgirl

That is correct.

Also, if I remember correctly from my own experiences using gtkam and/or gphoto2 with my camera(s) here, is that the camera program itself must be suid-root in order to access the hardware (the camera). If it isn't already, perhaps try that (though I have no idea what sort of security implications this imposes on your kiosk arrangement).

**EDITED**

chmod +s /usr/bin/gphoto2 fixed the php problem! Thanks, Grape!

Now, I just have to figure out how to make the files which gphoto2 creates accessible by www-data. As it is now, they are root:root.

Well, permissions seem to only be a part of the problem. As you can see in my initial podt, I can run gphoto from the shell as www-data, even with commandline php. I think the problem has to do eith the apache/php config, it is as if php is not 'waiting' for the process to complete or something.??

cupofnestor · 11-17-2010, 12:58 PM

Quote:

Originally Posted by cupofnestor

**EDITED**

Now, I just have to figure out how to make the files which gphoto2 creates accessible by www-data. As it is now, they are root:root.

So, for future generations, here is the solution:

gphoto2 permissions should be as follows:
-rwsr-sr-x 1 root root

Since gphoto is root:root, any files it creates are as well. I soved this by creating a bas script which chowns the files to www-data:www-data. Then, I added a line via visudo:
%www-data ALL=NOPASSWD: /var/www/photo/changeOwner.sh

and executed this script from php: exec('sudo ./changeOwner.sh myfile.jpg').

This still leaves a security hole with www-data being able to execute the script as a superuser, but that should be remedied by removing read and write privileges.

chrism01 · 11-18-2010, 11:33 PM

Thought I'd just point out that

Code:

sudo su www-data

logs you in as www-data user BUT with your orig environment settings.
To get the real www-data env you need

Code:

sudo su - www-data

cupofnestor · 11-21-2010, 05:01 PM

Quote:

Originally Posted by chrism01

Thought I'd just point out that

Code:

sudo su www-data

logs you in as www-data user BUT with your orig environment settings.
To get the real www-data env you need

Code:

sudo su - www-data

Cool, thanks. By "settings" are you suffering to the shell settings?