Changing file permissions through a PHP script

Re: Changing file permissions through a PHP script

LRW wrote:[color=blue]
> Sorry to crosspost, but I have no idea if this is more a PHP question
> of general Linux question.
>
> I have a script that makes changes to image files, montages them into
> a jpg, and creates a Web page with that image.
> It starts with someone from our graphics dept. who I set up to copy
> the image files over to the Linux server with SAMBA.
>
> The files gain the owner/group of "nobody" and permissions of 744.
>
> Then a PHP script runs all the processes, obviously under the user
> "apache".
>
> Now, even though I have the folder on the server that the files get
> copied into within /var/www/html the script doesn't have write
> permission to alter those files (whether with mogrify or convert, but
> that doesn't matter.)
>
> I added a line where it calls a bash shell script to change
> permissions, change ownership, other things, and of course apache
> doesn't seem to have the right to run chown or chmod on the files with
> "(744) nobody nobody" in a folder with "(777) apache apache".
>
> Any suggestions what I might do? I'm at a complete loss![/color]

You can't chown or chmod files you don't own (unless you're root) for
obvious security reasons. The process doing the chown either needs to
run as "nobody" (the current owner) or "root", so it cannot be done by a
script running as the "apache" user.

Ideally, the permissions on the Samba share would allow access by the
"apache" user. Or you could run a script from cron (as "nobody" or
root) to check for appropriate files and chown them before calling the
script.

(This is addressing the Linux side of the issue and is the same
regardless of what language the script is written in. PHP may offer
some additional features providing another method for dealing with the
situation.)

Re: Changing file permissions through a PHP script

On 2004-07-02, LRW wrote:[color=blue]
> Sorry to crosspost, but I have no idea if this is more a PHP question
> of general Linux question.
>
> I have a script that makes changes to image files, montages them into
> a jpg, and creates a Web page with that image.
> It starts with someone from our graphics dept. who I set up to copy
> the image files over to the Linux server with SAMBA.
>
> The files gain the owner/group of "nobody" and permissions of 744.
>
> Then a PHP script runs all the processes, obviously under the user
> "apache".
>
> Now, even though I have the folder on the server that the files get
> copied into within /var/www/html the script doesn't have write
> permission to alter those files (whether with mogrify or convert, but
> that doesn't matter.)
>
> I added a line where it calls a bash shell script to change
> permissions, change ownership, other things, and of course apache
> doesn't seem to have the right to run chown or chmod on the files with
> "(744) nobody nobody" in a folder with "(777) apache apache".
>
> Any suggestions what I might do? I'm at a complete loss![/color]

Only root can chown a file, and only root or the owner can chmod
one.

Use sudo to allow apache to run a script that makes the changes.

--
Chris F.A. Johnson http://cfaj.freeshell.org/shell
=============== =============== =============== =============== =======
My code (if any) in this post is copyright 2004, Chris F.A. Johnson
and may be copied under the terms of the GNU General Public License

Re: Changing file permissions through a PHP script

LRW wrote:[color=blue]
> Sorry to crosspost, but I have no idea if this is more a PHP[/color]
question[color=blue]
> of general Linux question.
>
> I have a script that makes changes to image files, montages them[/color]
into[color=blue]
> a jpg, and creates a Web page with that image.
> It starts with someone from our graphics dept. who I set up to copy
> the image files over to the Linux server with SAMBA.
>
> The files gain the owner/group of "nobody" and permissions of[/color]
744.[color=blue]
>
> Then a PHP script runs all the processes, obviously under the user
> "apache".
>
> Now, even though I have the folder on the server that the files get
> copied into within /var/www/html the script doesn’t have write
> permission to alter those files (whether with mogrify or convert,[/color]
but[color=blue]
> that doesn’t matter.)
>
> I added a line where it calls a bash shell script to change
> permissions, change ownership, other things, and of course apache
> doesn’t seem to have the right to run chown or chmod on the files[/color]
with[color=blue]
> "(744) nobody nobody" in a folder with "(777) apache apache".
>
> Any suggestions what I might do? I’m at a complete loss!
> Thanks!
> Liam[/color]
You can run php either under apache as a web page, or from the command
line. What you are doing seems like it is a batch job, and it is more
reliably run from the command line. In that case, you can simply run
it from root.

--
http://www.dbForumz.com/ This article was posted by author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.dbForumz.com/PHP-Changing...ict125760.html
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.dbForumz.com/eform.php?p=419213

Re: Changing file permissions through a PHP script

"Chris F.A. Johnson" <cfajohnson@gma il.com> wrote in message news:<2klmmsF3q taaU6@uni-berlin.de>...[color=blue]
>
> Only root can chown a file, and only root or the owner can chmod
> one.
>
> Use sudo to allow apache to run a script that makes the changes.[/color]

Thanks for the replies, all.
Now, I can't figure out how to automatically run the shell script as
anything other than apache, since it's a PHP script that's starting
the shell script.

In the script I use:
sudo -u nobody /usr/bin/mogrify (etc)
but that then gives me "password" errors (if I view the output.)
Obviously sudo needs a password to be given automatically, but even if
I knew what the password for "nobody" was, how would you automatically
pass it through a sudo in a shell script? (I suppose I could use root
if I could figure that out.)

I checked the sudo man, and I see where you can provide -p switches
using percentile-letters. But, those look like ways to change the
password prompt or requirements, not any way to pass it a password.

Someone suggested adding apache as having rights to the samba share. I
added this to smb.conf:
[shipthumbs]
comment = ShipThumbs
path = /var/www/html/pa-thumbs/shipthumbs
public = yes
valid users = sarah apache nobody
writeable = yes
guest ok = yes

What more do I need to do to give apache user rights? As you can see,
the share is also sitting in the middle of the web server's home
folder, and the owner and group owner for the folder is apache. It's
just that whenever "sarah" copies files INTO the folder, they get an
owner tag of nobody and permissions of 744 automatically.

Thanks for any help!
Liam

Re: Changing file permissions through a PHP script

LRW wrote:[color=blue]
>
> In the script I use:
> sudo -u nobody /usr/bin/mogrify (etc)
> but that then gives me "password" errors (if I view the output.)
> Obviously sudo needs a password to be given automatically, but even if
> I knew what the password for "nobody" was, how would you automatically
> pass it through a sudo in a shell script?[/color]

Check your /etc/sudoers file. It's possible that it disallows "nobody"
from using sudo at all. More importantly though, it can be configured
to allow "nobody" to use sudo *without* a password. See man 5
/etc/sudoers for more information.

Warning: think long and hard about the security considerations of
giving permission to "nobody" to use sudo without a password. You'll
almost certainly also want to restrict which commands it is allowd to
use in that mode.

Re: Changing file permissions through a PHP script

John-Paul Stewart <jpstewart@bina ryfoundry.ca> wrote in message news:<17hecc.3r p.ln@mail.binar yfoundry.ca>...[color=blue]
> LRW wrote:[color=green]
> >
> > In the script I use:
> > sudo -u nobody /usr/bin/mogrify (etc)
> > but that then gives me "password" errors (if I view the output.)
> > Obviously sudo needs a password to be given automatically, but even if
> > I knew what the password for "nobody" was, how would you automatically
> > pass it through a sudo in a shell script?[/color]
>
> Check your /etc/sudoers file. It's possible that it disallows "nobody"
> from using sudo at all. More importantly though, it can be configured
> to allow "nobody" to use sudo *without* a password. See man 5
> /etc/sudoers for more information.
>
> Warning: think long and hard about the security considerations of
> giving permission to "nobody" to use sudo without a password. You'll
> almost certainly also want to restrict which commands it is allowd to
> use in that mode.[/color]


WOW! That's fantastic! So, I've always just "man foo" to see the
manual for a command...how does one know that there's other man files
that you can access by putting a number after the "man"? "man 5
sudoers" has some great info that completely solves my problem, and
helps me with the security concerns you mentioned.

Thanks for the reply!
Liam

Re: Changing file permissions through a PHP script

[Note follow-ups set to c.o.l.misc since this no longer has anything to
do with PHP.]

LRW wrote:[color=blue]
>
> WOW! That's fantastic! So, I've always just "man foo" to see the
> manual for a command...how does one know that there's other man files
> that you can access by putting a number after the "man"?[/color]

'man sudo' says at the bottom of the page "See also...sudoers( 5)". The
number in parentheses is the section number that you can pass to the
'man' command. Also, 'apropos sudo' will give you a list of relevant
pages and their section numbers.

The 'man 5 sudoers' command doesn't really need the '5', since the only
manpage named 'sudoers' is in section 5. A better example might be 'man
passwd', which will give you the section 1 info for the passwd command
by default. (Equivalent to 'man 1 passwd'.) 'man 5 passwd' will give
you the passwd page from section 5, where you'll find documentation on
the /etc/passwd file format. If you want to see all of the pages from
all sections for passwd, 'man -a passwd' will cycle you through them
all. (When you close one, the next will be displayed.)

'man man' gives you a list of what each section contains.