public_html folder permissions preventing use of system()

[Aaron Whiffin]

OKay - I'm running a PHP script which needs to use the system() command for
various operations (copy, mkdir, tar, rm etc).



It's not working in all circumstances:



All folders in my public_html folder are created by me with a CHMOD
permission of 755 (user = rwx / group = rx / all = rx) normal users could
therefore not write to the folder. This means not making directories, not
deleting files etc .



One folder that I tested had permissions 777 (user = rwx / group = rwx / all
= rwx) so everyone could write to the folder.



My script(s) only work if the folder has permissions 777.



But this is not good for security as it means any user of your system can
edit the files.



Unfortunately the PHP scripts seem to be run as a web user and not as me so
they cannot modify my files with 755 permissions. Hence why it works with
777.



Is there anyway that I can instruct PHP to run as me so that I can change my
permissions back to 755?



I'm assuming this is a common issue - how do most people get around it?



Any ideas?



Cheers

[Martin Cooper]

"Aaron Whiffin" <aaron@nospam.com> wrote in message
news:lmd9d.413$_b2.115@newsfe6-gui.ntli.net...

> OKay - I'm running a PHP script which needs to use the system() command
> for
> various operations (copy, mkdir, tar, rm etc).
>
> It's not working in all circumstances:
>
> All folders in my public_html folder are created by me with a CHMOD
> permission of 755 (user = rwx / group = rx / all = rx) normal users could
> therefore not write to the folder. This means not making directories, not
> deleting files etc .
>
> One folder that I tested had permissions 777 (user = rwx / group = rwx /
> all
> = rwx) so everyone could write to the folder.
>
> My script(s) only work if the folder has permissions 777.
>
> But this is not good for security as it means any user of your system can
> edit the files.
>
> Unfortunately the PHP scripts seem to be run as a web user and not as me
> so
> they cannot modify my files with 755 permissions. Hence why it works with
> 777.
>
> Is there anyway that I can instruct PHP to run as me so that I can change
> my
> permissions back to 755?
>
> I'm assuming this is a common issue - how do most people get around it?
>

Hi Aaron,
you have two options :-

1) Use php with the apache suexec functionality
This will mean that php will be ru from the php binary rather than the
apache module. I've never used this, as the load on the webserver would be
higher if you have a lot of people using the server. See
[url]http://www.debianhowto.de/howtos/en/php_cgi/[/url] for more information. With
this method, your directories and files could be set to 755, 644 etc.

2) Add your userid to the apache group
Typically, the apache server will be in group apache or nobody. With this
method, you just add your userid to the appropriate group in /etc/group.
You would then have to set your files and folders to 775, 664 etc. This is
the most common way to resolve your problem, but bear in mind that anyone
else on the server who is also in the apache group will be able to write to
your directories.

Hope that helps,

Martin

[Aaron Whiffin]

Cheers Martin

> 1) Use php with the apache suexec functionality

I'll look into this one now thanks

> 2) Add your userid to the apache group

ISP wont/cant do that


Here is an update from solutions that other people have given ....



I can use system() commands, but to do this I need to be able to have 777
permissions on a folder as Apache is run as a completely seperate user. This
is obviously bad as people will be able to modify the contents of the
folder.

In all (but one) cases I can use PHP commands like mrdir() and unlink() -
that's fine, BUT they do not have permission to run either and they require
the permissions to be 777, so I am no better off.

So I tried using chmod() before (and after) each command, that does not have
permission to run.

So if I can't change permission in PHP I can't see a way around it. I don't
want to have to set folders to 777!

My ISP ([url]www.dataflame.co.uk[/url]) seems helpful, but in this instance can't do
much.

Can anyone please think of a way around this, or something that I can email
dataflame's support team and ask them to change.

This MUST be a common problem. Would there be any reason chmod() isn't
working?

The error message given is:

Warning: chmod(): Operation not permitted in
/home/username/public_html/test.php

One further thing that may give an indication of their setup. If I set
folder permissions to 777, and create a folder in this one using PHP, this
subfolder can then not be deleted by my FTP. I'm assuming this is because it
is owned by Apache not me. I can of course delete the subfolder with PHP ...
and change its permissions.

Now this made me think, perhaps I could chown() my folders to Apache, so I
can have 777 permissions. This means I (and anyone else) could update files
from PHP, but not from their usual account. Slightly safer, but still not
good. Plus of course I will not be able to delete folders etc via FTP.

But I may be thinking on the right steps.

So ... I created a folder by PHP, then chmod() to 755. It worked (permissins
had a T after them in FlashFXP (d-w-rwxr-T)- whatever that means) ... but
now I can't delete this using PHP commands, system() commands within PHP or
by FTP! I can't even use system() and chown to change ownership to my FTP
account.

Now to make things slightly harder, as well as needing to
read/write/delete/modify files/folders in seperate folders which I *may* be
able to solve using some method. I also need to be able to create folders in
my public_html folder so people can go to [url]www.mysite.com/subsite/[/url]

I know this is a mess, but I am sure it's common, so can someone please
help?

Cheers

[Aaron Whiffin]

>> 1) Use php with the apache suexec functionality

>
> I'll look into this one now thanks

No way my ISP would do that .....

Bugger