Torquil Beavis asked:
AWS Linux permissions for PHP image file writing & copying

I'm running my PHP script on an AWS EC2 instance under Linux Apache. The directory structure follows with [permissions]:

/ <root>
    var [rwx r-x r-x]
        www [rwx rws r-x]
            html [rwx rws r-x]
                my_dir_1 [rwx r-x r-x]
                    :
                    my_dir_1_1 [rwx r-x r-x] -> image_file_from_browser [rw- r-- r--]
                    :
                    :
            my_private_dir (meaning it's outside the web root 'html' directory) [rwx rwx r-x]
                my_private_dir_1 [rwx rwx r-x]
                    :
                    my_private_dir_1_1 [rwx rwx r-x] -> image_file_copy [rw- r-- r--]
                    :
                    :

The permissions are the default permissions for both directories and files.

The purpose of using my_private_dir is that I understand that web app users cannot have access to it since it is outside /html, thus making for more security from hackers - correct me if I'm delusional here ;)

My objective is for my users to upload an image file from the app in the browser to my_dir_1_1, and from there use the PHP script to copy the image file to my_private_dir_1_1. The image would then be the file that PHP could use later in the script.
However, I cannot seem to write the file to my_dir_1_1, and if I ftp the image file to my_dir_1_1 I cannot copy it to my_private_dir_1_1. Both errors state that the permissions are denied.

I've read up on permissions but I seem to have a permissions neuron missing since I read that sometimes I appear to be the root user (methinks that's the apache root though), and sometimes PHP would appear to be the group, and no-one is the other since the instance is not shared. My head fell off when I started trying to learn about SETUID and SETGID ;)

In order for me not to remove my fingernails with pliers, could someone suggest the appropriate permissions that seem to be gliding past me? From this I will work back through my notes to understand better - like reading math answers to understand the questions.
MURUGESAN N:

>> security from hackers => I agree with this statement.

Post the snapshot for the errors you faced including ftp.

Exclude or change the following in the snapshot:
1. hostname or IP Address
2. Domain name
Also mention the output of the following:
/bin/ls -latrd /var/www/html/my_dir_1 \
Other_Directory/my_private_dir \
Other_Directory/my_private_dir/my_private_dir_1 \
Other_Directory/my_private_dir/my_private_dir_1/my_private_dir_1_1

/bin/ls -latrd /var/www/html/my_dir_1/* 2>/dev/null | /usr/bin/tail -3
/bin/ls -latrd Other_Directory/my_private_dir/* 2>/dev/null | /usr/bin/tail -3
/bin/ls -latrd Other_Directory/my_private_dir/my_private_dir_1/* 2>/dev/null | /usr/bin/tail -3
/bin/ls -latrd Other_Directory/my_private_dir/my_private_dir_1/my_private_dir_1_1/* 2>/dev/null | /usr/bin/tail -3
Torquil Beavis (asker):

Updated tree. Note the change of permission from x to s in my_private_dir (my typo), and the 3 directories after my_dir_1:

/ <root>
    var [rwx r-x r-x]
        www [rwx rws r-x]
            html [rwx rws r-x]
                my_dir_1 [rwx r-x r-x]
                    : a
                    : b  (3 in tree leading to my_dir_1_1 with same permissions as my_dir_1)
                    : c
                    my_dir_1_1 [rwx r-x r-x] -> test_text.txt from_browser [rw- r-- r--]
                    :
                    :
            my_private_dir (meaning it's outside the web root 'html' directory) [rwx rws r-x]
                    : def
                my_private_dir_1 [rwx rwx r-x]
                    : ghi
                    : jkl
                    my_private_dir_1_1 [rwx rwx r-x] -> test_text.txt [rw- r-- r--]
                    :
                    :


Using WinSCP, no errors with ftp'ing image_file_copy.


Running script to upload image_file_copy (after deletion in my_private_dir_1_1 from ftp transfer using WinSCP):

31 apache process owner = apache
44 my_dir = my_dir_1_1
88 fname = test_text.txt
105 my_path = /var/www/html/my_dir_1/a/b/c/my_dir_1_1/test_text.txt

App Error '2'
occurred in script '/var/www/html/my_dir_1/a/b/php_upload_script.php' on line 128:
move_uploaded_file(/var/www/html/my_dir_1/a/b/c/my_dir_1_1/test_text.txt): failed to open stream: Permission denied
Date/Time: 20-4-2017 11:14:03

App Error '2'
occurred in script '/var/www/html/my_dir_1/a/b/php_upload_script.php' on line 128:
move_uploaded_file(): Unable to move '/tmp/phpuvwxyz' to '/var/www/html/my_dir_1/a/b/c/my_dir_1_1/test_text.txt'
Date/Time: 20-4-2017 11:14:03

App Error '256'
occurred in script '/var/www/html/my_dir_1/a/b/php_upload_script.php' on line 138:
MOVE TO /var/www/html/my_dir_1/a/b/c/my_dir_1_1/test_text.txt FAILED
Date/Time: 20-4-2017 11:14:03



SUDO results:

/bin/ls -latrd /var/www/html/my_dir_1
drwxr-xr-x 6 ec2-xxxxxxxx www 4096 Feb 25 22:14 /var/www/html/my_dir_1

/bin/ls -latrd /var/www/html/my_dir_1/a
drwxr-xr-x 7 ec2-xxxxxxxx www 4096 Feb 24 20:29 /var/www/html/my_dir_1/a

/bin/ls -latrd /var/www/html/my_dir_1/a/b
drwxr-xr-x 4 ec2-xxxxxxxx ec2-xxxxxxxx 4096 Apr 20 15:13 /var/www/html/my_dir_1/a/b

/bin/ls -latrd /var/www/html/my_dir_1/a/b/c
drwxr-xr-x 3 ec2-xxxxxxxx ec2-xxxxxxxx 4096 Apr 19 17:38 /var/www/html/my_dir_1/a/b/c

/bin/ls -latrd /var/www/html/my_dir_1/a/b/c/my_dir_1_1
drwxr-xr-x 2 ec2-xxxxxxxx ec2-xxxxxxxx 4096 Apr 20 15:16 /var/www/html/my_dir_1/a/b/c/my_dir_1_1



/bin/ls -latrd /var/www/my_private_dir
drwxrwsr-x 5 ec2-xxxxxxxx www 4096 Feb 25 22:19 /var/www/my_private_dir

/bin/ls -latrd /var/www/my_private_dir/my_private_dir_1
drwxrwxr-x 9 ec2-xxxxxxxx www 4096 Dec 21 21:28 /var/www/my_private_dir/my_private_dir_1

/bin/ls -latrd /var/www/my_private_dir/my_private_dir_1/my_private_dir_1_1
drwxrwxr-x 2 ec2-xxxxxxxx www 4096 Apr 19 20:55 /var/www/my_private_dir/my_private_dir_1/my_private_dir_1_1


/bin/ls -latrd /var/www/html/my_dir_1/* 2>/dev/null | /usr/bin/tail -3
(blank)

/bin/ls -latrd /var/www/my_private_dir/* 2>/dev/null | /usr/bin/tail -3
drwxr-xr-x 3 ec2-xxxxxxxx www 4096 Dec 21 21:27 /var/www/my_private_dir/def
drwxrwxr-x 9 ec2-xxxxxxxx www 4096 Dec 21 21:28 /var/www/my_private_dir/my_private_dir_1
-rw-r--r-- 1 ec2-xxxxxxxx www 3211 Feb 24 18:10 /var/www/my_private_dir/(db connection file)

/bin/ls -latrd /var/www/my_private_dir/my_private_dir_1/* 2>/dev/null | /usr/bin/tail -3
drwxr-xr-x 2 ec2-xxxxxxxx www 4096 Dec 21 21:28 /var/www/my_private_dir/my_private_dir_1/ghi
drwxr-xr-x 2 ec2-xxxxxxxx www 4096 Dec 21 21:30 /var/www/my_private_dir/my_private_dir_1/jkl
drwxrwxr-x 2 ec2-xxxxxxxx www 4096 Apr 19 20:55 /var/www/my_private_dir/my_private_dir_1/my_private_dir_1_1

/bin/ls -latrd /var/www/my_private_dir/my_private_dir_1/my_private_dir_1_1/* 2>/dev/null | /usr/bin/tail -3
(blank)


Ideas for the above situation, anyone?


Also, I've searched far too long for answers to understanding permissions from the PHP programmer's perspective, getting only the rwx and 755 type descriptions and processes. If you know of a compact source from which I can learn Linux permissions from the perspective of the *PHP programmer*, not the Linux admin who has the box locally or remotely, I'd really appreciate it. Clearly, this is the reason why I needed to post the above.

My intent is to know *when* to give the 3 users their permissions for the app's directories, data files and PHP scripts on the basis of heightened security.

Much appreciated.
Reading your comment now.
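A defender-side check, added here as an example and not code from either poster: it parses the `ls -latrd` lines quoted above (copied as a constructed sample) and answers whether a given process user, here `apache`, could create a file in a directory, applying the owner/group/other class the kernel would pick for that user along the listed path. The group memberships assumed for `apache` are assumptions, not something the thread states.

```python
import re
# Constructed sample: four of the `ls -latrd` lines posted above, owner name as posted.
LS_OUTPUT = """\
drwxr-xr-x 6 ec2-xxxxxxxx www 4096 Feb 25 22:14 /var/www/html/my_dir_1
drwxr-xr-x 2 ec2-xxxxxxxx ec2-xxxxxxxx 4096 Apr 20 15:16 /var/www/html/my_dir_1/a/b/c/my_dir_1_1
drwxrwsr-x 5 ec2-xxxxxxxx www 4096 Feb 25 22:19 /var/www/my_private_dir
drwxrwxr-x 2 ec2-xxxxxxxx www 4096 Apr 19 20:55 /var/www/my_private_dir/my_private_dir_1/my_private_dir_1_1
"""

# type, nine permission chars, links, owner, group, size, month, day, time-or-year, path
LS_RE = re.compile(r"^[dl-]([rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+)$")

def parse_ls(text):
    """Map path -> (mode, owner, group) for each `ls -l`-style line; unparsable lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = LS_RE.match(line)
        if m:
            entries[m.group(4)] = (m.group(1), m.group(2), m.group(3))
    return entries

def user_class(entry, user, groups):
    """The permission class the kernel applies to `user`: owner beats group beats other."""
    _, owner, group = entry
    return "owner" if owner == user else "group" if group in groups else "other"

def class_bits(entry, user, groups):
    """Decode the (r, w, x) bits of the class that applies to `user`."""
    start = {"owner": 0, "group": 3, "other": 6}[user_class(entry, user, groups)]
    triple = entry[0][start:start + 3]
    # 's'/'t' mean execute plus setgid/sticky; 'S'/'T' mean the execute bit is absent.
    return triple[0] == "r", triple[1] == "w", triple[2] in "xst"

def can_create_file(target, entries, user, groups):
    """Can `user` create a file in directory `target`? Listed ancestors must grant search (x),
    the target must grant write and search; unlisted ancestors are skipped. Returns (ok, reason)."""
    parts = target.rstrip("/").split("/")
    for path in ("/".join(parts[:i]) for i in range(2, len(parts) + 1)):
        entry = entries.get(path)
        if entry is None:
            continue
        _, w, x = class_bits(entry, user, groups)
        if not x or (path == target and not w):
            need = "search (x)" if not x else "write (w)"
            return False, f"{path}: {user} lacks {need} as {user_class(entry, user, groups)}, mode {entry[0]}"
        if path == target:
            note = " (new files inherit the directory's group: setgid)" if entry[0][5] in "sS" else ""
            return True, f"{path}: {user} may create files as {user_class(entry, user, groups)}{note}"
    return False, f"{target}: not in listing"
```

Run against the listing it reports, for each candidate directory, which component denies the `apache` user and under which class, so the fix can target the real owner/group/mode mismatch rather than a blanket chmod.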
ASKER CERTIFIED SOLUTION
MURUGESAN N:
Closing this query for
1. tested and released finalized code.
2. Question being inactive for more days.