Solved

Running a php script as the FTP user, or grant php user r/w privileges with inheritance

Posted on 2004-08-28
Last Modified: 2006-11-17

Hi there,

let me tell you what I'm trying to do, what I've tried already...

I have a php script that accesses a folder named content where some
persons will be uploading image galleries. The script does read the
html files and makes some changes.

All this works fine when run in a windows box with apache + php, as
there is no problem with the permissions.

What I do need:

. I would like apache to run the php script as the FTP user. So it has the same privileges, and
  if it creates a new file, the ftp user will be able to delete it without
  having to make the file world writable.

. another way of doing so would be to grant the "www" user r/w access to any files/folders under
  that "content" folder. This also includes newly created ones by the FTP user.


A not so elegant solution would be to change the FTP daemon default folder and file
permissions, so they are world readable & writable... But this is not my preferred solution.


I have already tried creating a folder from a php script and doing a chmod ("folder", 01755); so the owner is "www".
Also tried the chmod ("folder", 04777); and lots of variants, but it seems that the setuid and sticky bits
have no real effect, as when the ftp user creates a new folder under the "content" folder, the "www" user
(the one that runs for apache) has no write rights on that folder.

Something like giving "root" privileges to the "www" user is not my preferred solution...

The scenario:

the server is a FreeBSD 4.9 with Apache/1.3.29 and PHP 4.3.4



I hope everything about what I ask is quite clear here; if there's something unclear, I will be more than willing to clarify.
Thanks a lot in advance!
Demien.
Question by:demienx
LVL 10

Assisted Solution

by:frugle
frugle earned 250 total points
ID: 11920519
Can you put the ftp user and the webserver user in a group, then assign group ownership to the folder?

read: http://www.onlamp.com/pub/a/bsd/2002/08/16/Big_Scary_Daemons.html

Mike
0
 
LVL 25

Accepted Solution

by:
Squinky earned 250 total points
ID: 11923415
A little side-tip: use the pure-ftpd server. It is extremely clever and flexible about all kinds of permissions arrangements. It runs on both win and unix-like platforms. www.pureftpd.org

Otherwise, I'd go for the group solution, as frugle says. That's what I do when handling FTP uploads of web pages. I have a master FTP user that owns all web pages, and then make sure that the web server is in the assigned group. For places where the web server needs write access (e.g. smarty templates_c folders), I just give write privs to the group.
0
 

Author Comment

by:demienx
ID: 11933158

sorry for the late reply, I've been out...

frugle,

Having them in the same group would be better than chmod 777, but it still has the main problem I have: setting the permissions of files and folders. I do not want the users to chmod manually when they upload a new file (644 by default) or create a new folder (755 by default) to make the file writeable to the group. It does not solve the issue, but thanks a lot for your help.

Squinky,

The group solution has the same problem as above, but the pureftpd server looks very, very interesting and will hopefully allow me to solve another problem I had with my current FTP server. I'll reward you for such an interesting piece of software ;)

I'll try to use the FTP server, but I would still like to be able to run a php script as another user. I think that with CGIs it was possible to setuid it, but for php scripts there is a need for some wrapper... I'm still looking around for this.

0
 
LVL 10

Expert Comment

by:frugle
ID: 11933960
umask may be the solution to your problem if it's on your distribution...

man umask

       The umask is used by open(2) to set initial file permissions
       on a newly-created file.  Specifically, permissions in the
       umask are turned off from the mode argument to open(2) (so,
       for example, the common umask default value of 022 results in
       new files being created with permissions 0666 & ~022 = 0644 =
       rw-r--r-- in the usual case where the mode is specified as 0666).

Mike
0
 

Author Comment

by:demienx
ID: 11935880


frugle,

Sorry, but I don't know how this will make the FTP uploaded files have the permissions I want... I have tried logging into my server thru SSH, then using umask, but it seems to have no effect on the FTP upload, as permissions are not affected on creation of new files when I change umask thru the SSH login...

Please tell me if I'm doing wrong. Thanks!
0
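Added example, not part of the thread: the sketch below shows the umask arithmetic quoted above applied to a new file and a new folder, giving the 644/755 defaults under umask 022 and group-writable 664/775 under umask 002. It also shows that a umask set in one process (a subshell here) does not change another process's umask. The names `upload.html` and `gallery` and all function names are made up for the illustration.

```shell
#!/bin/sh
# Added example (constructed): how umask decides whether a shared group
# (e.g. one holding both the FTP user and "www") can write to newly
# created files and folders, and that umask is a per-process setting.

# Print the permission string (e.g. -rw-r--r--) of a path, portably.
perm_of() {
    ls -ld "$1" | cut -c1-10
}

# Create a file and a directory under umask $1 inside a subshell and
# print both permission strings. The subshell keeps the umask local.
created_under() {
    (
        work=$(mktemp -d) || exit 1
        umask "$1"
        : > "$work/upload.html"      # the shell's open(2) asks for 0666
        mkdir "$work/gallery"        # mkdir(2) asks for 0777
        echo "$(perm_of "$work/upload.html") $(perm_of "$work/gallery")"
        rm -rf "$work"
    )
}

# Run created_under with umask $1, then print the caller's own umask.
# It is unchanged: the value set in the child never reaches the parent
# or any unrelated process, such as an already running FTP daemon.
umask_after_child() {
    created_under "$1" >/dev/null
    umask
}

echo "umask 022: $(created_under 022)"
echo "umask 002: $(created_under 002)"
echo "caller's umask after child used 002: $(umask_after_child 002)"
```

For uploads to come out group-writable, the umask has to be set where the FTP daemon itself creates the files, that is, in the daemon's configuration or startup environment.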
 
LVL 10

Expert Comment

by:frugle
ID: 11939519
You may want to post a pointer to this question in one of the *nix groups, someone there may have a better idea of how umask/numask works. It could be user specific, which would require putting something in the equivalent of bash.rc for the FTP user.

Can't help you much more myself - I'm not a *nix guru - just another perl hacker :P

Mike
0
 

Author Comment

by:demienx
ID: 11940617

Well, after lots of searching all over the net and the e.e. network, I found that the solution for this would be a headache, whenever feasible. Basically I would need to install apache server with suEXEC support and apache as a CGI install. As this would be a performance downgrade and somewhat complex for me to set up, I have found two other workarounds.

Here is a link to a thread about suEXEC:
http://www.experts-exchange.com/Web/Web_Languages/PHP/Q_20811864.html?query=SuExec&topics=103

- There was one that I found someone used here in e.e., and it basically consists of making the script access the html pages by making an FTP connection with the FTP-user data, so that way permissions remain with that user. The downside of this method is the speed... it all depends on your needs.
Here is the link: http://www.experts-exchange.com/Web/Web_Languages/PHP/Q_20836213.html

- The other solution is the one I'll be using, and it basically consists of running my php script as a cmdline call from a cron job that my FTP-user creates. So the permissions that way are the FTP-user ones. This suits my script's functions OK, as it does not need human intervention.

About the resolution, the initial problem was not solved, as I did not get a way to run my script as the FTP user, but the
help on. There were two approaches with group permissions, and a gold piece of software that will solve a problem I had with my current FTP server. So, split points for you guys, and thanks for your help!

Demien.

0
