Error message with simple php command

matrixx

Hi I get the following error when running a script that renames a file that has been uploaded. I've checked permissions on the folders and files etc and all are ok, I'm wondering if it is the permission level allocated to Apache?
Here's the code:
PHP:
$old_file = "/home/mikeohara/domains/carrotcottage.com/public_html/mfiles/".$f_new;

$new_file = "/home/mikeohara/domains/carrotcottage.com/public_html/mfiles/".$id."/".$fname;

// Rename the uploaded file into the $id subfolder if it exists
if (file_exists($old_file)) {
    rename($old_file, $new_file);
}

Here's the error:

Warning: rename(/home/mikeohara/domains/carrotcottage.com/public_html/mfiles/NewStories(HighwayBlues).wma,/home/mikeohara/domains/carrotcottage.com/public_html/mfiles/CC008895BE/M8FEF03EE.wma): Permission denied in /home/mikeohara/domains/carrotcottage.com/public_html/login/project.php on line 70

Has anyone come across this / offer any suggestions?

Cheers,

Rob
 
That's easy: read your error, "Permission denied".

That means that the path that you will change, or the file, doesn't have the requested rights.

Just use your DirectAdmin to change the permissions in the file manager, or use the PHP version of chmod.

If you need some help you can always mail us
 
Hi,

Unfortunately it's NOT a permissions thing within DA - I temporarily changed the permissions to 777 for the whole folder and scripts and it made no difference.

I *think* it is something to do with the level of permissions granted to apache (who is the user of the script) and for some reason apache does not have permissions to run the scripts - is there anywhere else that would define the permissions for apache apart from the file permissions?

BTW - chmod gives a similar error too.

Cheers,

Rob
 
What do you mean by "chmod gives a similar error"?

It's definitely a permission problem... Unless you're running PHP as a cgi, the script will be executed as the apache user. So, if the apache user has read permission on "/home/mikeohara/domains/carrotcottage.com/public_html/mfiles/NewStories(HighwayBlues).wma" and write permission to the directory "/home/mikeohara/domains/carrotcottage.com/public_html/mfiles/CC008895BE" this shouldn't fail.
 
ballyn said:
So, if the apache user has read permission on "/home/mikeohara/domains/carrotcottage.com/public_html/mfiles/NewStories(HighwayBlues).wma" and write permission to the directory "/home/mikeohara/domains/carrotcottage.com/public_html/mfiles/CC008895BE" this shouldn't fail.

I know it shouldn't fail <smile> but it does!

Just in case I had done something stupid while tired, I just changed all permissions to 777 and tried again but got the same error.

Thanks Ballyn,

Rob
 
Hello,

Paste us the output from "ls -la" on that directory so we can see the permissions on everything. (make sure that . is included so we can see the permissions on the mfiles folder).

John
 
A client of ours is having similar problems with getting exec() to work, and we're wondering if DA is properly managing safe_mode.

I've asked our client to have his programmer send me the nonworking code examples so I can post them...

But...

In the meantime, does anyone know if I can run a specific PHP command to see if safe_mode is turned on or not?

Thanks.

Jeff
 
I think I may be on to the problem... at least our version of it, though I'd bet that Rob's problem has its root in the same issues as well:

Here's some code that doesn't work on our client's server:
Code:
<?php
 exec('ln -s images/arrows.gif .')
?>
But it doesn't work with safe_mode turned off in DA. Which it should.

And though I'm not really a PHP programmer I think this may be why:
Code:
[root@bes public_html]# ls -ald
drwxr-xr-x   29 kelli    kelli        4096 Sep 23 20:48 .
[root@bes public_html]# ls -ald images
drwxr-xr-x    3 kelli    kelli        4096 Sep 10 19:05 images
[root@bes public_html]#
I don't think user apache (doesn't php run as apache?) has the rights to do the link.

John, is this the new default permission & rights set for DA created sites? Doesn't it cause problems?

Anyone?

Thanks.

Jeff
 
Jeff,

Correct, apache doesn't have the rights to that dir. Test it out by doing "chown apache:apache public_html" (as root) so that the public_html directory is owned by apache, so apache can create the link (just for testing purposes to confirm that apache requires write privileges). Also, you could try using the full path for /bin/ln, just to rule it out.

The default setting of username:username 755 is normal. Even with the old username:apache 750, the apache user still doesn't have any write privileges.. it would need 770 (apache group write).

In the current state, username:username 777 on public_html should also work.

John
 
Thanks John...

Code:
[root@srv01 public_html]# ls -la mfiles
total 105104
drwxr-xr-x  107 mikeohara mikeohara     4096 Sep 22 14:26 .
drwxr-xr-x   14 mikeohara mikeohara     4096 Sep 23 12:19 ..
-rw-r--r--    1 mikeohara mikeohara  4104027 Dec 24  2004 01-i`mforyoutonight(radioedit).mp3
-rw-r--r--    1 mikeohara mikeohara 96528599 Sep 21 21:50 24bitMixdownAcidRebirth.rar
drwxrwxrwx    2 mikeohara mikeohara     4096 Mar  8  2005 CC008895BE
drwxr-xr-x    2 mikeohara mikeohara     4096 Nov  8  2004 CC0120753F
drwxr-xr-x    2 mikeohara mikeohara     4096 Sep  1 11:21 CC02068FC0
drwxr-xr-x    2 mikeohara mikeohara     4096 Nov 11  2004 CC0322710F
drwxr-xr-x    2 mikeohara mikeohara     4096 Sep 11 17:51 CC0AC0EA70
drwxr-xr-x    2 mikeohara mikeohara     4096 Apr 26 20:04 CC0B94E210
drwxr-xr-x    2 mikeohara mikeohara     4096 May  8 11:58 CC0BC249FF
drwxr-xr-x    2 mikeohara mikeohara     4096 Nov 13  2004 CC0D9A3942
drwxr-xr-x    2 mikeohara mikeohara     4096 Nov 11  2004 CC102C3519
drwxr-xr-x    2 apache    apache        4096 Sep 22 14:26 CC10F521BA
drwxr-xr-x    2 mikeohara mikeohara     4096 May 27 16:47 CC126927D0
drwxr-xr-x    2 mikeohara mikeohara     4096 Aug 31 13:23 CC12DB4AD3
drwxr-xr-x    2 mikeohara mikeohara     4096 May 18 23:28 CC1771388F
drwxr-xr-x    2 mikeohara mikeohara     4096 Aug 25 15:53 CC17BB71C6
drwxr-xr-x    2 mikeohara mikeohara     4096 May 17 14:42 CC194298BC
drwxr-xr-x    2 mikeohara mikeohara     4096 Aug 24 21:00 CC1DA77A20
drwxr-xr-x    2 mikeohara mikeohara     4096 Jul 26 04:46 CC2206B6D0
drwxr-xr-x    2 mikeohara mikeohara     4096 Apr  8 19:49 CC221E7F04
drwxr-xr-x    2 mikeohara mikeohara     4096 Nov 13  2004 CC2601D4D0
drwxr-xr-x    2 mikeohara mikeohara     4096 Mar 31 14:57 CC286A1230
drwxr-xr-x    2 mikeohara mikeohara     4096 Aug 26 12:52 CC28C2E66B
drwxr-xr-x    2 mikeohara mikeohara     4096 Jul  8 05:36 CC2CBA6050
drwxr-xr-x    2 mikeohara mikeohara     4096 Sep  9 10:16 CC2D9C0E05
drwxr-xr-x    2 mikeohara mikeohara     4096 Sep  9 10:16 CC2DC15FA3
drwxr-xr-x    2 mikeohara mikeohara     4096 Sep  9 10:16 CC2DF15F9F
drwxr-xr-x    2 mikeohara mikeohara     4096 Sep  9 10:16 CC2E33A990
drwxr-xr-x    2 mikeohara mikeohara     4096 Sep  9 10:16 CC2E5ECD20
drwxr-xr-x    2 mikeohara mikeohara     4096 Sep  9 10:16 CC2EA5CC6F
drwxr-xr-x    2 mikeohara mikeohara     4096 Sep 15 12:12 CC2ED15FA8
drwxr-xr-x    2 mikeohara mikeohara     4096 Sep  9 10:16 CC2EDB23A6
drwxr-xr-x    2 mikeohara mikeohara     4096 Sep  9 10:16 CC2F033460
drwxr-xr-x    2 mikeohara mikeohara     4096 Sep  9 10:16 CC2F2AAE94
drwxr-xr-x    2 mikeohara mikeohara     4096 Sep 15 13:02 CC2F2B4AAF
drwxr-xr-x    2 mikeohara mikeohara     4096 Sep  9 10:16 CC2F5B71C0
drwxr-xr-x    2 mikeohara mikeohara     4096 Sep  9 10:16 CC2FD900C0
drwxr-xr-x    2 mikeohara mikeohara     4096 Sep  9 10:16 CC301493EF
drwxr-xr-x    2 mikeohara mikeohara     4096 Sep  9 10:16 CC30355740
drwxr-xr-x    2 mikeohara mikeohara     4096 Sep  9 10:16 CC3056DDE0
drwxr-xr-x    2 mikeohara mikeohara     4096 Jun 14 12:55 CC30BA605E
drwxr-xr-x    2 mikeohara mikeohara     4096 Jul 26 11:53 CC363CF85F
drwxr-xr-x    2 mikeohara mikeohara     4096 Dec  8  2004 CC388668AF
drwxr-xr-x    2 mikeohara mikeohara     4096 Nov 11  2004 CC39699CFF
drwxr-xr-x    2 mikeohara mikeohara     4096 Aug 24 21:08 CC3A441EC0
drwxr-xr-x    2 mikeohara mikeohara     4096 Jun 27 13:00 CC3B6D94A5
drwxr-xr-x    2 mikeohara mikeohara     4096 May 13 11:39 CC3D1B4AAF
drwxr-xr-x    2 mikeohara mikeohara     4096 May 17 10:41 CC44F4BAFF
drwxr-xr-x    2 mikeohara mikeohara     4096 Aug 18 10:26 CC45FB4AB0
drwxr-xr-x    2 mikeohara mikeohara     4096 Aug 17 14:31 CC4AD35B70
drwxr-xr-x    2 mikeohara mikeohara     4096 Jul 24 10:33 CC4B2BE6F0
drwxr-xr-x    2 mikeohara mikeohara     4096 Aug 17 17:28 CC590CF860
drwxr-xr-x    2 mikeohara mikeohara     4096 Apr  3 23:14 CC5CA6B6CF
drwxr-xr-x    2 mikeohara mikeohara     4096 Dec  2  2004 CC5EA5CC70
drwxr-xr-x    2 mikeohara mikeohara     4096 Sep  4 05:20 CC615D94A0
drwxr-xr-x    2 mikeohara mikeohara     4096 Nov  8  2004 CC68443882
drwxr-xr-x    2 mikeohara mikeohara     4096 Jul 28 10:06 CC69C7EF4F
drwxr-xr-x    2 mikeohara mikeohara     4096 Sep  1 11:17 CC6AD35B70
drwxr-xr-x    2 mikeohara mikeohara     4096 Nov 29  2004 CC768CD14F
drwxr-xr-x    2 mikeohara mikeohara     4096 Feb 21  2005 CC76BD94A0
drwxr-xr-x    2 mikeohara mikeohara     4096 Sep  5 09:53 CC79D29820
drwxr-xr-x    2 mikeohara mikeohara     4096 Sep  5 09:53 CC7A1DBBB0
drwxr-xr-x    2 mikeohara mikeohara     4096 Sep  5 09:53 CC7A735B75
drwxr-xr-x    2 mikeohara mikeohara     4096 Sep  5 09:54 CC7B041EBF
drwxr-xr-x    2 mikeohara mikeohara     4096 Sep  5 09:54 CC7B47A130
drwxr-xr-x    2 mikeohara mikeohara     4096 Sep  5 09:54 CC7BC6B6D1
drwxr-xr-x    2 mikeohara mikeohara     4096 Sep  5 09:54 CC7C18B2A0
drwxr-xr-x    2 mikeohara mikeohara     4096 Sep  5 09:54 CC7C61D4D3
drwxr-xr-x    2 mikeohara mikeohara     4096 Nov  8  2004 CC7C702720
drwxr-xr-x    2 mikeohara mikeohara     4096 Sep  5 09:54 CC7CB68FE8
drwxr-xr-x    2 mikeohara mikeohara     4096 Sep  5 09:54 CC7D0EA60F
drwxr-xr-x    2 mikeohara mikeohara     4096 Sep  5 09:54 CC7D93345F
drwxr-xr-x    2 mikeohara mikeohara     4096 Sep  5 09:54 CC7DD5302F
drwxr-xr-x    2 mikeohara mikeohara     4096 Sep  5 09:54 CC7E20EA70
drwxr-xr-x    2 mikeohara mikeohara     4096 Sep  5 09:55 CC7E624A00
drwxr-xr-x    2 mikeohara mikeohara     4096 May 23 11:05 CC7EC81661
drwxr-xr-x    2 mikeohara mikeohara     4096 Apr 24 18:37 CC941EA610
drwxr-xr-x    2 mikeohara mikeohara     4096 Feb  6  2005 CC9B2CF85F
drwxr-xr-x    2 mikeohara mikeohara     4096 Mar 16  2005 CC9BAD6D9C
drwxr-xr-x    2 mikeohara mikeohara     4096 Mar 31 18:57 CCA07DE2FF
drwxr-xr-x    2 mikeohara mikeohara     4096 Sep  2 11:31 CCA1A3D0A1
drwxr-xr-x    2 mikeohara mikeohara     4096 Jun 11 16:58 CCA1C09C4F
drwxr-xr-x    2 mikeohara mikeohara     4096 Dec 24  2004 CCA28CAA4C
drwxr-xr-x    2 mikeohara mikeohara     4096 Sep  4 19:47 CCA74EA61B
drwxr-xr-x    2 mikeohara mikeohara     4096 Apr 26 14:14 CCA8AD94A0
drwxr-xr-x    2 mikeohara mikeohara     4096 Mar 21  2005 CCA97A875F
drwxr-xr-x    2 mikeohara mikeohara     4096 Sep  3 17:09 CCAB4753D3
drwxr-xr-x    2 mikeohara mikeohara     4096 May 17 10:40 CCAC77C840
drwxr-xr-x    2 mikeohara mikeohara     4096 Aug 11 19:37 CCAD4900C0
drwxr-xr-x    2 mikeohara mikeohara     4096 Dec  8  2004 CCB4D5302F
drwxr-xr-x    2 mikeohara mikeohara     4096 Aug 26 11:45 CCB840EA70
drwxr-xr-x    2 mikeohara mikeohara     4096 Aug 22 19:38 CCB9435B70
drwxr-xr-x    2 mikeohara mikeohara     4096 Mar  8  2005 CCBC45A560
drwxr-xr-x    2 mikeohara mikeohara     4096 Apr  7 19:28 CCBEA70551
drwxr-xr-x    2 mikeohara mikeohara     4096 Aug 17 15:08 CCBF64E210
drwxr-xr-x    2 mikeohara mikeohara     4096 May 17 10:41 CCC69927CF
drwxr-xr-x    2 mikeohara mikeohara     4096 May 14 22:23 CCC6A8165F
drwxr-xr-x    2 mikeohara mikeohara     4096 Jul 19 17:39 CCCAEB71BF
drwxr-xr-x    2 mikeohara mikeohara     4096 Apr 27 18:32 CCCB32BF30
drwxr-xr-x    2 mikeohara mikeohara     4096 Nov  6  2004 CCCF0CF85F
drwxr-xr-x    2 mikeohara mikeohara     4096 Aug 17 22:55 CCD2346CE0
drwxr-xr-x    2 mikeohara mikeohara     4096 Aug 17 16:03 CCD5FD467F
drwxr-xr-x    2 mikeohara mikeohara     4096 Dec  3  2004 CCD93E30E5
drwxr-xr-x    2 mikeohara mikeohara     4096 Jul  1 12:52 CCE85E57F1
drwxr-xr-x    2 mikeohara mikeohara     4096 Jul  8 09:03 CCEF0CD165
drwxr-xr-x    2 mikeohara mikeohara     4096 Nov 29  2004 CCF31975F3
drwxr-xr-x    2 mikeohara mikeohara     4096 May 17 10:41 CCFB294EE0
-rw-r--r--    1 mikeohara mikeohara  5652479 Sep 22 09:14 DSW_final2.mp3
-rw-r--r--    1 mikeohara mikeohara      403 Nov  9  2004 index.htm
-rw-r--r--    1 mikeohara mikeohara   765758 Sep 23 16:09 NewStories(HighwayBlues).wma
-rw-r--r--    1 mikeohara mikeohara     6969 Sep 22 11:43 test.txt

Rob
 
DirectAdmin Support said:

In the current state, username:username 777 on public_html should also work.

John

John I switched the permissions temporarily to rwxrwxrwx (777) on the public_html and it worked!

But is this safe?

Rob
 
matrixx said:
John I switched the permissions temporarily to rwxrwxrwx (777) on the public_html and it worked!

But is this safe?

Rob

Rob,

I would change the group to apache and set the rights so apache can do everything...

# cd /home/mikeohara/domains/<domain name>
# chown mikeohara:apache public_html
# chmod 770 public_html

This is safer than giving everyone on your server access to the directory.
 
DirectAdmin Support said:
The default setting of username:username 755 is normal. Even with the old username:apache 750, the apache user still doesn't have any write privileges.. it would need 770 (apache group write).

In the current state, username:username 777 on public_html should also work.

username:username 777 means anyone with a shell account can read/write/change/delete/add to any user's site and anyone in the world who knows how to use php can read/write/change/delete/add to any user's site.

username:apache 770 limits the problem to anyone in the world who knows how to use php.

So which scenario do we like best? I like none of the above.

But the second scenario is better.

I know we've gone back and forth before, and I know none of us like open_basedir.

John, can I give you a hard job:

How about setting up the control panel to use the current defaults (which are quite secure; more secure than those on most control panels) to change the ownership & permissions to username:apache 770 for directories and 660 for files but only for users who turn on open_basedir? And to change it back if/when they turn open_basedir off?

Doable?

Jeff
 
But.. you'd need all other users to have open_basedir in order to make that secure. Forcing the user who has the 770 directories doesn't prevent others from writing. It would only work if all other users were forced to use open_basedir.

The only real solution (currently) is to set:
apache_public_html=1
safemode=ON (optional..)
http://www.directadmin.com/features.php?id=497

-> enable safemode/openbasedir by default.

If a client's scripts don't work, only then would you consider disabling it.

You can link openbasedir to safemode in the templates, eg:
PHP:
|*if SAFE_MODE="ON"|
     php_admin_value open_basedir |HOME|/:/tmp/:/var/www/:/usr/local/lib/php/:/etc/virtual/
     php_admin_flag safe_mode ON
|*else|
    php_admin_flag safe_mode OFF
|*endif|
http://help.directadmin.com/item.php?id=2
John
 
Yeah, since you're doing a rename, you also need write access to the folder containing the thing that you're moving...

I don't have a problem with open_basedir... I don't see any reason not to use it.

Even with open_basedir enabled, though, it's still possible for any user to modify any file/folder that apache has write access to, so I would not vote for apache writable directories by default.
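
The rule stated in the post above (a rename needs write access to the folder holding the file being moved, as well as to the destination folder), worked through on directory lines from the `ls -la` listing posted earlier in this thread. This is an added example, not part of any poster's reply; the function names and the `drwxrwx---` line (the thread's `chown mikeohara:apache` / `chmod 770` applied to `mfiles`) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. rename() edits two directories: it
# removes a name from the source's parent and adds one to the destination, so
# the process user needs w and x on BOTH. A regular file's own mode is not consulted.

# class_bits MODE OWNER GROUP USER USER_GROUP
# Prints the rwx triplet that applies to USER. Only the first matching class
# counts: owner, then group, then other. (Simplification: one group per user.)
class_bits() {
    if [ "$4" = "$2" ]; then printf '%s\n' "$1" | cut -c2-4
    elif [ "$5" = "$3" ]; then printf '%s\n' "$1" | cut -c5-7
    else printf '%s\n' "$1" | cut -c8-10
    fi
}

# can_modify_dir LS_LINE USER USER_GROUP
# LS_LINE is a directory line from `ls -la`. Succeeds when USER may create or
# remove entries in it. Sticky-bit ownership rules and ACLs are not modelled.
can_modify_dir() {
    read -r mode links owner group rest <<EOF
$1
EOF
    case $(class_bits "$mode" "$owner" "$group" "$2" "$3") in
        ?w[xst]) return 0 ;;
        *)       return 1 ;;
    esac
}

# rename_check SRC_DIR_LINE DST_DIR_LINE USER USER_GROUP
# Prints, for each side of the rename, whether USER may modify that directory.
rename_check() {
    src=denied; dst=denied
    if can_modify_dir "$1" "$3" "$4"; then src=ok; fi
    if can_modify_dir "$2" "$3" "$4"; then dst=ok; fi
    printf 'source-dir=%s dest-dir=%s\n' "$src" "$dst"
}

# Directory lines copied from the listing posted in the thread.
MFILES='drwxr-xr-x  107 mikeohara mikeohara     4096 Sep 22 14:26 .'
DEST='drwxrwxrwx    2 mikeohara mikeohara     4096 Mar  8  2005 CC008895BE'
# Constructed line: the source directory after chown mikeohara:apache + chmod 770.
MFILES_770='drwxrwx---  107 mikeohara apache        4096 Sep 22 14:26 .'

rename_check "$MFILES" "$DEST" apache apache            # source-dir=denied dest-dir=ok
rename_check "$MFILES_770" "$DEST" apache apache        # source-dir=ok dest-dir=ok
rename_check "$MFILES_770" "$DEST" otheruser otheruser  # source-dir=denied dest-dir=ok
```

The first result shows why a 777 destination folder alone does not let the apache user move the file: the 755 source directory still refuses the removal of the old name.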
 
resolveit said:
Rob,

I would change the group to apache and set the rights so apache can do everything...

# cd /home/mikeohara/domains/<domain name>
# chown mikeohara:apache public_html
# chmod 770 public_html

This is safer than giving everyone on your server access to the directory.

Hi Onno,

Apologies for delay in reply - I took a few days off.

This worked perfectly thank you!

Rob
 
Rob,

I'm not reading the entire thread, but just responding with my recent experience.

We had a client whose programmer needed to have safe_mode turned off and rights for apache to modify the public_html directory, so he could create links using the PHP exec() function. He wanted this for a program running on a dedicated server owned by our client. Our client said to go ahead and do it in spite of our reservations.

Within two days of doing it, the server was hacked.

Fortunately there were only two sites for which the public_html directory was overwritable by default, so only two sites were defaced.

We've told the client to not allow it. His programmer came up with another solution.

Be very careful.

Jeff
 