Any Unix admin around? (chown(), chgrp() & chmod() from a php script)

I am running a dedicated server (managed) Apache/1.3.37 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.4.7, a client wants to move his ftp application (php scripts) over from the server it runs on to mine (he already has a site on my personal server and likes the speed from the data centre which he hasn’t got where the ftp site is at the moment) so to make sure the ftp image site works (which it should and does, well nearly) I moved an ftp application over to check it all goes well… the only problem I have is that one of the php scripts uses the following 3 lines:

// code, code.....

chown($path_la, "apache");
chgrp($path_la, "apache");
chmod($path_la, 0777);

// code, code...

what happens is the guy would create an account ‘and directory for that account’ from the ftp admin page, upload the image folders and images to the directory that he created using the ftp admin page and then presses a ‘Generate’ button that runs the script that changes the ownership of the uploaded folders and their images (along with a few other things)… on my server these all throw errors… because the php script cannot run these commands. I tried changing the scripts user and group to root, apache and nobody but no joy…

From what I can see the reason these commands need to be run is because when the client uploads the folder and files with Filezilla the various folders and images end up with an ownership id of 99 (99 is ‘nobody’ in the /etc/groups file), when the images are loaded on the preview page they cannot be seen while the owner and group is ‘nobody’.
BTW, when I uploaded the site, files, folders and their images with Interarchy these all ended up with the owner and group as the account ‘user’, this seems fine… when the images are previewed I can see them, seems to be when the client uploads the owner and group are set to ‘nobody’.

I seem to be having problems understanding what I need to do here so the script can run these three commands, unix servers are not something I know much about and anything I have found doesn’t actually explain how to set things up so these commands can be run although I know why they cannot be run, it’s understanding what changes I need to make to the server account to allow these commands to be run is what is tripping me up. I can chown and chmod from a command line but of course this needs to be done from the script that is run when the user presses the ‘Generate’ button on the admin page after the image folders and images have been uploaded.

If someone understands what needs to be done here I would love them to jump in and point me to what I need to do on the server to get this script with these commands to run. :slight_smile:

Thanks


dynamo mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

If the files in question are owned by the user that the web server runs as, then chown and related commands will succeed. Otherwise, unless you can make a “trampoline” script to temporarily elevate privileges, you are going to be frustrated. Some of the servers I use run the web server in a setuid jail, so it runs as my user, and that makes everything easy. Other servers, including my own Mac OS X Server machines, run Apache as a separate user. So there I just make the user www own the files, and that fixes everything.

Walter



I read a bit about setuid and it seems complicated to set up just to run a script ‘unless I am mistaken’ so the final option may be the way to go… just to make sure I understand:

When you say ‘run apache as a separate user’ do you mean make sure apache is a user? apache does already exist as a user in /etc/passwords

When you say ‘make the user www own the files’, the user www does not exist on this server, does that mean I need to create it or does it mean the server is using another user name to do the tasks www would do? If I need to create www as a user is there any special id it needs to be given or doesn’t it matter?

Thanks Walter



On May 5, 2009, at 3:41 AM, Mike B wrote:

I read a bit about setuid and it seems complicated to set up just to
run a script ‘unless I am mistaken’ so the final option may be the
way to go… just to make sure I understand:

When you say ‘run apache as a separate user’ do you mean make sure
apache is a user? apache does already exist as a user in /etc/
passwords

If the user apache is used to run the “worker threads” of the Apache
server, then you should use that user. What I mean here is whichever
user is running Apache (which might appear as httpd in the process
listing – that’s its formal name) then that’s the user you should
use. Generally speaking, the owner of a file and the root user may use
chown/chgrp/chmod on a file, but I couldn’t use it on your files.

Try this command in a shell on the server:

ps aux | grep httpd | grep -v grep

and you should see a listing of the httpd (Apache) processes running
at the moment. (By the way, those upright lines in the command are the
Pipe symbol, found above the backslash on a US keyboard, not a capital
i or lower-case L.) There are at minimum 3 httpd processes running at
any time, and may be lots on a busy server. One will be owned by root,
the others will be owned by the user Apache runs as.

When you say ‘make the user www own the files’, the user www does
not exist on this server, does that mean I need to create it or does
it mean the server is using another user name to do the tasks www
would do? If I need to create www as a user is there any special id
it needs to be given or doesn’t it matter?

I was using the user www as an example – that’s the standard user in
Mac OS X Server – but as noted above, each server can be configured
as the admin desires.

Walter
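
A shell audit that extends the `ps` check above (an added example, not part of Walter's message or the original thread): it lists the entries in an upload tree that the web server user does not own, which are the ones chmod()/chgrp() from the script will fail on, and the entries left world-writable by a 0777 mode. The function names and the 755/644 modes are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit an upload tree before a
# web script tries chown()/chgrp()/chmod() on it.

# Entries under DIR that USER does not own. chmod()/chgrp() called by a
# process running as USER fail on each of these unless it is root.
# USER may be a name or a numeric uid (e.g. 99).
not_owned_by() {    # usage: not_owned_by USER DIR
    find "$2" ! -user "$1" -print
}

# Entries any local account can modify (what chmod 0777 produces).
world_writable() {  # usage: world_writable DIR
    find "$1" ! -type l -perm -0002 -print
}

# Assumed alternative to 0777: directories 755, files 644, applied only
# to entries the caller owns, so it cannot fail on permissions.
tighten() {         # usage: tighten DIR
    me=$(id -u)
    find "$1" -user "$me" -type d -exec chmod 755 {} +
    find "$1" -user "$me" -type f -exec chmod 644 {} +
}

# Run as: sh audit.sh nobody /path/to/jobdata   (path is a placeholder)
if [ "$#" -eq 2 ]; then
    echo "Not owned by $1:";  not_owned_by "$1" "$2"
    echo "World-writable:";   world_writable "$2"
fi
```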



If the user apache is used to run the “worker threads” of the Apache
server, then you should use that user. What I mean here is whichever
user is running Apache (which might appear as httpd in the process
listing – that’s its formal name) then that’s the user you should
use. Generally speaking, the owner of a file and the root user may use
chown/chgrp/chmod on a file, but I couldn’t use it on your files.

Try this command in a shell on the server:

ps aux | grep httpd | grep -v grep

and you should see a listing of the httpd (Apache) processes running
at the moment. One will be owned by root,
the others will be owned by the user Apache runs as.

Right, the first is root and all the rest are nobody, so I did a chown to change the scripts owner and group to nobody but still get the errors when the ‘Generate’ button is pressed from the web admin page… am I missing the point? :slight_smile:



The script’s owner isn’t the issue, it’s the folder where the files it generates go that needs changing. What sort of files are being created by it?

Walter



Also, is this script creating the files it is trying to change?

Walter



There is a directory that is located in the public directory ‘imgportal’, within that directory there is the directory ‘jobdata’, the web ftp admin page creates a directory within the ‘jobdata’ directory (for a new job) then the user uploads folders and images to the folder the web admin page creates within ‘jobdata’. The script the web admin page runs has no problem creating this new directory for a new job.

public_html | libfiles (the php script with chown(), chgrp() and chmod() is here)

public_html | imgportal | jobdata (the folders and images are uploaded to this folder)

The ‘imgportal’ directory is permanent, the contents of it is what will change, i.e. new uploaded image files and folders, ownership and permission changes.

The script does not create folders or files, just tries to change the folders and image files within the ‘jobdata’ directory.

Tx



Generally speaking, if the script creates the folder and moves the
uploaded files into it, then it “owns” the folder and files already.
The only trick to this will be that the folder where the new project
folder is being created also has to be owned by the script (which is
to say, Apache).

I usually have the opposite problem to what you describe here – if
the server moves an uploaded file into a particular directory, I will
often find that I don’t have enough privileges to move or remove it
later via FTP or SFTP. I have never had a problem with the server
being able to access or modify files that it has put somewhere
successfully.

Now where all of this may be going off the rails is if this user
“nobody” that Apache runs as does not have enough privileges to run
chown or chgrp. In a tightly-controlled server, that very well may be
the case.

But another angle to look at is if the file is in fact where you are
looking for it. Make sure you are using a complete root-relative path
to the file each time you try to modify it, that you aren’t trying to
rely on any notion of “you are here”. Each aliased command you run
(the PHP commands chown() and chgrp() are simply wrappers around the
same-name Unix utilities) will have a fresh environment, and will not
“remember” where you were when you issued the last command.

Walter

On May 6, 2009, at 3:37 AM, Mike B wrote:

There is a directory that is located in the public directory
‘imgportal’, within that directory there is the directory ‘jobdata’,
the web ftp admin page creates a directory within the ‘jobdata’
directory (for a new job) then the user uploads folders and images
to the folder the web admin page creates within ‘jobdata’. The
script the web admin page runs has no problem creating this new
directory for a new job.

public_html | libfiles (the php script with chown(), chgrp() and
chmod() is here)

public_html | imgportal | jobdata (the folders and images are
uploaded to this folder)

The ‘imgportal’ directory is permanent, the contents of it is what
will change, i.e. new uploaded image files and folders, ownership
and permission changes.

The script does not create folders or files, just tries to change
the folders and image files within the ‘jobdata’ directory.

Tx



Hi Walter,

Sorry I have not got round to following this up before but I have been having a hell of a time ‘or lack of it’ of late, finally got round to looking at things again this weekend.

I felt I was flogging a dead dog on this but finally I delved into the scripts * in depth * over the weekend and discovered that the thumbs that were being created were being created using a shell command… I should have clicked on this ‘trying to do too much I guess :-)’, I just couldn’t understand why one of the scripts was having problems with chmod() when I never had a problem before with any of the times I have used it myself. I also got to thinking as to why the chgrp() function was called when again, I never needed to use this myself to view the thumbs created from any scripts I had written… well finding the shell command and it hit me like a brick… anyway, I solved the problem by overriding the shell_exec() and replacing that with a function to create the thumbs using the GD2 library and it all worked as it should, only downfall is that if there are a lot of thumbs to be created it takes a couple of seconds longer with the GD library than it would with a shell_exec() but that is not a problem.

Thanks for your help on this and as I say, sorry I didn’t get to this before.

Mike

