3

I am trying to grant apache permission to a file in my home folder, so that a php page might write log data to that file. Below find what I have done to accomplish this in my bash shell, and I cannot figure out why this won't work:

[root@myserver logs]# mkdir apachelogs
[root@myserver logs]# touch apachelogs/log.log
[root@myserver logs]# chown -R apache:apache apachelogs
[root@myserver logs]# chown -R apache:apache apachelogs/log.log
[root@myserver logs]# chmod 770 apachelogs
[root@myserver logs]# su apache
bash-4.1$ cd apachelogs
bash: cd: apachelogs: Permission denied

So I have just granted apache ownership, read, write, execute permission, yet clearly apache still does not have access to the directory, and this is verified when my php script runs this line of code:

// print the user the script runs as
echo exec('whoami')."\n";
// append a test entry to the log file
file_put_contents("/home/chilinut/logs/apachelog/log.log","test",FILE_APPEND);

The output is (not surprisingly)

apache
E_WARNING: file_put_contents(/home/chilinut/logs/apachelog/log.log): 
failed to open stream: Permission denied

What am I missing here? I don't want to give the folder 777. I'd rather it have something like 644. I am using CentOS release 6.4 (Final)

Thanks for reading!

chiliNUT

4 Answers

3

Dude,

This is a clear case that the parent directory of the file /home/chilinut/logs/apachelog/log.log doesn't have permission for the user apache.

You have to give write and read permission to the user apache for the parent directories also. Try the following in your case:

chown chilinut:apache /home/chilinut/
chown -R chilinut:apache /home/chilinut/*
chmod g+rw /home/chilinut/
chmod -R g+rw /home/chilinut/*

Now switch to the apache user and try to execute it. It will be fine. I have tried with a sample script, and it does the same as your script.

# cat test.sh
echo | exec whoami ;
echo test >> /home/testleo/public_html/apachelogs/log.log;

Worked fine from my end.

Leo Prince
  • Is it kosher to let apache have permission for your home folder? It just seemed wrong to grant another user, even apache, access to my home folder. But if this doesn't go against some convention or something I'll be happy to try it out when I get home. +1 for dude. – chiliNUT Nov 23 '13 at 05:40
  • lol :) Dude, actually in normal practice apache won't have permission to log in to a shell, as its shell will be "/sbin/nologin". See `# grep apache /etc/passwd`, which gives `apache:x:48:48:Apache:/var/www:/sbin/nologin` – Leo Prince Nov 23 '13 at 06:56
  • Apart from that, it is not a healthy practice to give permission to another user for your home folder "chilinut", as that user will have the same privileges to use/modify every content in the home folder. Here in this case, as apache is a system user, the chance of getting hacked is pretty low AFAIK. – Leo Prince Nov 23 '13 at 07:00
  • I ran your chowns and chmods and my script still gave me the same error. I have solved this by having the file in my public html folder with `200` permissions so apache can write as it pleases and the public cannot view contents – chiliNUT Nov 23 '13 at 18:16
  • Ohh... That is great to hear that you have managed to resolve your issue but the response I have given is based on what I have worked in my test machine. – Leo Prince Nov 23 '13 at 19:24
  • Btw, this helped me in a similar problem, but why did you suggest `chilinut:apache` and not `apache:apache`? (I worked it out with the latter) Is the folder name more appropriate to use with `chown`? – Armfoot Jun 22 '15 at 10:28
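
The parent-directory point raised in this answer can be checked without loosening any permissions. The script below is an added example, not code from any poster on this page: it walks from the log file up to `/` and lists every directory on which a given uid/gid lacks the search (`x`) bit. `blocked_dirs` and `make_sample_tree` are hypothetical names, the tree is constructed sample data, and GNU `stat` is assumed; supplementary groups, ACLs and SELinux are not considered.

```shell
#!/bin/sh
# Added example. Assumes GNU stat (as on CentOS). Considers only the classic
# owner/group/other mode bits: no supplementary groups, ACLs, SELinux or root.

# blocked_dirs FILE UID GID
# Prints, top-down, each ancestor directory of the absolute path FILE on which
# the given uid/gid lacks the search (x) bit. No output: every level is passable.
blocked_dirs() {
    case $1 in /*) ;; *) echo "absolute path required" >&2; return 2 ;; esac
    dir=$(dirname "$1"); want_uid=$2; want_gid=$3; blocked=""
    while :; do
        info=$(stat -c '%a %u %g' "$dir") || return 2
        set -- $info                 # $1=octal mode, $2=owner uid, $3=owner gid
        mode=$((0$1))
        if   [ "$2" = "$want_uid" ]; then bit=$((mode & 0100))   # owner class
        elif [ "$3" = "$want_gid" ]; then bit=$((mode & 0010))   # group class
        else                              bit=$((mode & 0001))   # other class
        fi
        # Prepend, so the directory nearest "/" is listed first.
        [ "$bit" -eq 0 ] && blocked="$dir
$blocked"
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    printf '%s' "$blocked"
}

# Constructed sample tree mirroring the question's layout; prints its root.
make_sample_tree() {
    root=$(mktemp -d) && chmod 755 "$root" || return 1
    mkdir -p "$root/home/chilinut/logs/apachelogs"
    touch "$root/home/chilinut/logs/apachelogs/log.log"
    chmod 755 "$root/home" "$root/home/chilinut/logs"
    chmod 700 "$root/home/chilinut"              # typical private home directory
    chmod 770 "$root/home/chilinut/logs/apachelogs"
    echo "$root"
}

# Demo: uid/gid 48 stands in for apache (the value in the passwd line quoted above).
tree=$(make_sample_tree)
echo "Directories uid 48 cannot traverse:"
blocked_dirs "$tree/home/chilinut/logs/apachelogs/log.log" 48 48
rm -rf "$tree"
```

Every directory the script prints has to grant the search bit to the web server's uid or gid before the file's own permissions are even consulted. Granting only `x` on such a directory lets the process pass through it without being able to list or read its contents.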
2

When in doubt turn to good sources that preach good practices :). In this case I'll be using symfony setup instructions as a guide.

$ APACHEUSER=`ps aux | grep -E '[a]pache|[h]ttpd' | grep -v root | head -1 | cut -d\  -f1`
$ sudo chmod +a "$APACHEUSER allow delete,write,append,file_inherit,directory_inherit" apachelogs/
$ sudo chmod +a "`whoami` allow delete,write,append,file_inherit,directory_inherit" apachelogs/

You can find the reference here: http://symfony.com/doc/current/book/installation.html#configuration-and-setup

Yes, those are the instructions to get the right permissions for apache to write to symfony's app/logs and app/cache folders but the same can be applied to any folder :).

Kirill Fuchs
  • This seems all good but I do not want to modify apache's permissions, which is what this seems to be doing. I am a root user but not a sysadmin so I don't want to actually modify apache in any way. – chiliNUT Nov 23 '13 at 05:44
1

You may not have permissions to the parent directories?

ryrysz
0

... to get your echo exec(whoami)."\n"; working do a chmod 777 apachelogs -R and go from there. I'd guess that's a different user than apache...

Michael D.