2

I'm using PHP on an Apache web server, but PHP lacks write permission and can't create new files or modify existing ones, even though the file that needs to be modified is set to the usual 644 (and folders are 755).

My first guess was that the problem was PHP running as a different user than the file owner, and by running "posix_getpwuid(posix_geteuid());" I found that PHP ran as "www-data", while the file had owner and group set to "company123". So maybe I should simply change the owner of the file to "www-data"?

But then I decided to check some other web servers I've been working with. On the first one I tried, I had no problems creating or modifying 644 files with PHP, and yet, the owner and group were named "600", while PHP ran as the user "wse253421". So apparently, it's ok for PHP to run as one user, and write to 644 files owned by another user. How does that work?

What's going on here, and what should I do about PHP lacking write permission on the first server?

omanaga
  • You can also create a folder and allow "write" to the folder permission, if not, type permission file php in Google and you will find an answer – Maduro Nov 29 '15 at 19:06
  • I've already spent hours searching the web for an answer. What do you mean by "allow 'write' to the folder permission"? The folder already has the usual 755 permission. The file I need to change has 644 permission, but changing it to 664 makes no difference. And from what I can see, the permissions are the same ones as on the other server, where things work well. So what do you suggest I change? – omanaga Nov 29 '15 at 19:22

1 Answer

2

644 is Read/Write permission to the owner and read-only permission to the group and the world. So if the file is not owned by the same user as the web server runs under, PHP will not be able to write to it, regardless of the group. If (as you say) it seems to be doing this then the web-server user is an alias of the file owner, i.e. they share the same uid.

For group write the file needs to be 664 and the group needs to be the same as the group that the webserver runs as (often www-data but not guaranteed!). If the file belongs to a different group, 664 won't help. 666 would, but is not recommended since that allows anyone to write to the file.

To create new files the permissions on the directory are the important factor. 755 is Read/Write/Execute for the owner and Read/Execute for group and world. If you want group write you need 775 and again the group needs to be the same group as the webserver runs under.

Edit: If you need to check the webserver user/group, temporarily chmod the directory to 777 and have it write a file. Then check the file owner and group. Just don't forget to chmod it back to a more secure setting.

The best solution for your first server would probably be to chgrp the files and directories you need to write to, to the group of your webserver (probably www-data), chmod the files to 664 and chmod the directories to 775.

See https://www.ics.uci.edu/computing/linux/file-security.php

See also answer by Thomas Rutter here: https://askubuntu.com/questions/386928/default-permissions-for-var-www

Community
QuantumTiger
  • "So if the file is not owned by the same user as the web server runs under, PHP will not be able to write to it, regardless of the group". Then why can I write to (644 permission) files on the other server, where the user is "wse253421", and the file owner is named "600"? – omanaga Nov 29 '15 at 22:05
  • I suspect that 600 is an alias of wse253421, i.e. they share the same uid – QuantumTiger Nov 29 '15 at 22:34
  • Thank you! That turned out to be the case. I didn't know about uids and aliases. Do you know if it's common to have PHP run as one user while another user owns the files (on purpose, for security reasons?), or is this likely a mistake? – omanaga Nov 30 '15 at 12:13
  • I think it is relatively common for the Apache server to be an alias, yes, but I can't find a reference to support that atm – QuantumTiger Nov 30 '15 at 12:16
  • Excuse me if I was unclear. I didn't mean "Is it common to use an alias?", I meant "Is it common to not let PHP write to the web server?". Whenever I've bought web hosting, I've been able to write to the server using PHP, but perhaps companies normally disallow that sort of thing on their own web sites for security reasons? – omanaga Nov 30 '15 at 13:11
  • I don't know I'm afraid. It is generally good security practice to only allow the things that really need to write to a directory to be able to. I've edited my answer to cover everything. If you think it reflects the solution to your issue it would be great if you could accept it. Many thanks! – QuantumTiger Nov 30 '15 at 13:50
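
The owner/group/other rules discussed in the answer above, as an added example that is not part of the original thread: a shell function that picks the single permission class that applies to a process and reports whether that class has the write bit. The function names `write_class` and `check_path` and all numeric ids are assumptions made for illustration; `check_path` assumes GNU `stat` and `id`.

```shell
#!/bin/sh
# Added example: the owner/group/other decision the answer describes.
# write_class MODE FILE_UID FILE_GID PROC_UID "PROC_GIDS"
# prints CLASS:allow or CLASS:deny for a write attempt.
write_class() {
    bits=$((0$1)); fuid=$2; fgid=$3; puid=$4; pgids=$5
    if [ "$puid" -eq 0 ]; then
        echo "root:allow"            # root is not bound by the mode bits
        return 0
    fi
    # Exactly one class applies, chosen by numeric id, never by name.
    if [ "$puid" -eq "$fuid" ]; then
        class=owner; mask=128        # octal 0200, owner write
    else
        class=other; mask=2          # octal 0002, world write
        for gid in $pgids; do
            if [ "$gid" -eq "$fgid" ]; then
                class=group; mask=16 # octal 0020, group write
                break
            fi
        done
    fi
    if [ $((bits & mask)) -ne 0 ]; then
        echo "$class:allow"
    else
        echo "$class:deny"
    fi
}

# check_path PATH USER: same decision for a real path and account.
# Assumes GNU stat and id (Linux); pass the directory to test file creation.
check_path() {
    user=$2
    st=$(stat -c '%a %u %g' "$1") || return 1
    set -- $st
    write_class "$1" "$2" "$3" "$(id -u "$user")" "$(id -G "$user")"
}

# Constructed cases mirroring the thread (the numeric ids are made up).
write_class 644 1001 1001 33 "33"   # other account owns the file -> other:deny
write_class 644 600 600 600 "600"   # same uid under another name  -> owner:allow
write_class 664 1001 33 33 "33"     # after chgrp + chmod 664      -> group:allow
write_class 775 1001 33 33 "33"     # directory after chmod 775    -> group:allow
```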