Re: [newbie] Permissions: Nobody in Apache + PHP
Hi Kevin,

Just wanted to thank you for your help. Figured out the problem -- it was partly a permission problem (that you helped to solve). I tried a simpler script, testing to see whether I could simply write to a file. I could. It would even append. But back in the "graffiti.php" it still wouldn't recognize or pass the variable. I looked at phpinfo() output and noticed that:

register_globals=off
and
register_argc_argv= off

No wonder it wasn't passing the variable. The php.ini told it not to. Changed both to "on", and bingo - a working script!

Thanks again,
Andre

On Sunday 10 February 2002 01:42, you wrote:
> Andre,
>
> Yes, your problem is testing the script as root. As a rule of thumb, never write scripts or test stuff as root. The root user should only be used when you need to install something new, or perform system maintenance.
>
> Kevin
> - Original Message -
> From: "Andre Dubuc" <[EMAIL PROTECTED]>
> To: "Kevin Old" <[EMAIL PROTECTED]>
> Sent: Saturday, February 09, 2002 10:25 PM
> Subject: Re: [newbie] Permissions: Nobody in Apache + PHP
>
> > Kevin,
> >
> > My tmp directory was set to drwxrwxr-t -- I changed it, as well as the graffiti.dat in /htdocs. The file in both /tmp and /htdocs was not apache:apache but root:root. Is this where the problem lies? I'm testing the script while in root (Btw, I wrote it in root: I can't seem to get any script to work as user).
> >
> > Where would I find "errors in my browser"?
> >
> > Thanks for your advice!
> >
> > Andre
> >
> > On Saturday 09 February 2002 23:00, you wrote:
> > > Andre,
> > >
> > > I copied the code and executed it and worked fine for me.
> > >
> > > Make sure your tmp directory is set like this
> > >
> > > drwxrwxrwt 4 root root 1024 Feb 9 16:41 tmp/
> > >
> > > This is how the file was created
> > >
> > > -rw-r--r-- 1 apache apache 0 Feb 9 16:38 graffiti.dat
> > >
> > > Are you getting any errors back in your browser from PHP?
> > >
> > > Kevin
> > > - Original Message -
> > > From: "Andre Dubuc" <[EMAIL PROTECTED]>
> > > To: "Kevin Old" <[EMAIL PROTECTED]>
> > > Cc: <[EMAIL PROTECTED]>
> > > Sent: Saturday, February 09, 2002 9:26 PM
> > > Subject: Re: [newbie] Permissions: Nobody in Apache + PHP
> > >
> > > > Thanks Kevin,
> > > >
> > > > You're right it's a permission thing, but it doesn't make any difference since I placed Grafiti.dat and graffiti.php in the same directory (htdocs). I also tried it in /tmp, setting the permissions the same. No go. Since this is a tutorial script, (PHP 101 - Part 5 from DevShed.com) I wonder if there's a mistake in it: the variable $graffiti does not seem to be defined except by the name=graffiti function in the form section.
> > > >
> > > > My error log is a mess! Primary error: $graffiti not defined, and, no permission to grafiti.php. The script is simple and should work: I included it below. If you would be so kind as to scan for errors (particularly for $graffiti definition):
> > > >
> > > > // set the file name
> > > > $filename = "/tmp/graffiti.dat";
> > > >
> > > > // open the file
> > > > $handle = fopen ($filename, "a+");
> > > >
> > > > // write the string to the file handle
> > > > fputs ($handle, $graffiti);
> > > >
> > > > // close the file
> > > > fclose ($handle);
> > > > ?>
> > > >
> > > > [I changed graffiti.php4 to php]
> > > >
> > > > // Display current contents of file if available
> > > > if (file_exists ($filename))
> > > > {
> > > > echo "Current graffiti reads: ";
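An added example, not part of the thread or the DevShed tutorial: the form field can be read explicitly from `$_POST` (available since PHP 4.1.0), which works with register_globals left off, and the script can stop at the first failed `fopen()` instead of producing the cascade of warnings seen in the error log. The path and the field name come from the thread; `append_graffiti()`, the 500-byte limit and the HTML around the form are assumptions.

```php
<?php
// Added example: the thread's graffiti.php reworked to run with
// register_globals = Off. The path and the field name "graffiti" come from
// the thread; append_graffiti() and the 500-byte limit are assumptions.

$filename = "/tmp/graffiti.dat";

/** Append one line to $filename; returns null on success or an error string. */
function append_graffiti($filename, $text)
{
    // Replace control characters (newlines included): one post, one line.
    $text = trim(preg_replace('/[\x00-\x1F\x7F]/', ' ', $text));
    if ($text === '' || strlen($text) > 500) {
        return "Message must be between 1 and 500 bytes.";
    }

    // fopen() returns false when the Apache account may not write here;
    // stop instead of handing an invalid handle to fwrite()/fclose().
    $handle = @fopen($filename, "a");
    if ($handle === false) {
        $pw = function_exists('posix_getpwuid') ? posix_getpwuid(posix_geteuid()) : false;
        error_log("graffiti: cannot open $filename for append as "
            . ($pw ? $pw['name'] : 'unknown user'));
        return "Could not save the message.";
    }

    flock($handle, LOCK_EX);           // serialise concurrent submissions
    fwrite($handle, $text . "\n");
    flock($handle, LOCK_UN);
    fclose($handle);
    return null;
}

$error = null;
// Read the field from $_POST explicitly; nothing else in the request can
// set or overwrite a variable in this script.
if (isset($_POST['graffiti']) && is_string($_POST['graffiti'])) {
    $error = append_graffiti($filename, $_POST['graffiti']);
}
?>
<form method="post" action="">
  <input type="text" name="graffiti" maxlength="500">
  <input type="submit" value="Write">
</form>
<?php
if ($error !== null) {
    echo "<p>" . htmlspecialchars($error) . "</p>";
}
if (is_readable($filename)) {
    // The file holds visitor input, so escape it on output.
    echo "<p>Current graffiti reads:</p><pre>"
        . htmlspecialchars(file_get_contents($filename)) . "</pre>";
} else {
    echo "<p>File not found!</p>";
}
```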
Re: [newbie] Permissions: Nobody in Apache + PHP
Hi Michael,

First, to answer your questions:

user/group on /tmp root:root
r/w permissions on tmp : rwxrwxrwxt

Now Apache + PHP is loaded in /home/web/apache (root:root) with (rwx r-x r-x) on all subdirectories including /htdocs where graffiti.php resides. I've tried placing graffiti.dat in /htdocs and in /tmp, and even created a new directory /home/web/apache/tmp directory. Nothing works.

Tried changing (chown -R apache:apache /home/web) and (chown -R andre:andre /home/web) -- nothing works. [What is the problem with this setup? I've had so much trouble with Apache and PHP!]

What permissions, user/group should Apache + PHP have? User is in Apache group, also tried putting user in the Nobody group. Where should I look?

The error log indicates:

[Sun Feb 10 13:01:31 2002] [error] PHP Warning: fopen("/tmp/graffiti.dat", "a+") - Permission denied in /home/web/apache/htdocs/graffiti.php on line 18
[[[ $handle = fopen ($filename, "a+"); ]]]

[Sun Feb 10 13:01:31 2002] [error] PHP Warning: Undefined variable: graffiti in /home/web/apache/htdocs/graffiti.php on line 22
[Sun Feb 10 13:01:31 2002] [error] PHP Warning: Supplied argument is not a valid File-Handle resource in /home/web/apache/htdocs/graffiti.php on line 22
[[[ fputs ($handle, $graffiti); ]]]

[Sun Feb 10 13:01:31 2002] [error] PHP Warning: Supplied argument is not a valid File-Handle resource in /home/web/apache/htdocs/graffiti.php on line 25

Thanks for your advice,
Andre

On Sunday 10 February 2002 00:43, you wrote:
> There are several things to check
>
> For example which user / group owns /tmp?
>
> What are the read / write permissions on /tmp?
>
> If nobody does not have write privileges to /tmp, the file will not get updated.
>
> Michael
>
> --
> Michael Viron
> Registered Linux User #81978
> Senior Systems & Administration Consultant
> Alumni Representative, Online Operations
> Web Spinners, University of West Florida
>
> At 03:14 PM 02/09/2002 -0500, Andre Dubuc wrote:
> > Finally, I have working copies of Apache 1.3.22 and PHP 4.1.1 on my LM8.0 box. Apache has been set up with "nobody" permissions, and I write test scripts as root and place them in /home/web/apache/htdocs.
> >
> > I can read scripts from this directory, but I've tried to use:
> > . . . excerpt . . .
> >
> > $filename = "/tmp/graffiti.dat";
> > $handle = fopen ($filename, "a+");
> > fputs ($handle, $graffiti); [I've also tried fwrite]
> > fclose($handle);
> >
> > . . . followed by a form that takes $graffiti as input . . . and then a php script that displays the contents of the appended $filename . . .
> >
> > And no matter what I try, nothing is written to "graffiti.dat" -- I've checked that it is writeable. Somehow, I think it's related to permissions and the group "nobody". I've written the script as root, and another as user. Neither works. Apache (temporarily) is run at root -- I'm just learning Apache and PHP -- this is a developmental setup, not connected to the outside.
> >
> > If there are any gurus that can help me, I'd appreciate it. Permissions are set otherwise to 755.
> >
> > I'm obviously not clear on the concept of "nobody" and how it affects running of scripts. Who can run these, if it's set to "nobody"?
> >
> > Tia,
> > Andre
> >
> > --
> > Please pray the Holy Rosary to end the holocaust of abortion.
> > Remember in your prayers the suffering souls in Purgatory.
> >
> > May God bless you abundantly in His love!
> >
> > For a free Cenacle Scriptural Rosary Booklet -- http://www.webhart.net/csrb/
> >
> > Want to buy your Pack or Services from MandrakeSoft?
> > Go to http://www.mandrakestore.com

--
Please pray the Holy Rosary to end the holocaust of abortion.
Remember in your prayers the suffering souls in Purgatory.

May God bless you abundantly in His love!

For a free Cenacle Scriptural Rosary Booklet -- http://www.webhart.net/csrb/
Re: [newbie] Permissions: Nobody in Apache + PHP
> If you want to know why 'nobody' is not singled out as a specially restricted user then I can only give you my explanation and I don't know how authoritative that is. Firstly the Unix model says there are two types of users: superusers (uid=0) and ordinary users (uid!=0).

I'd modify this to say that superusers have uid / gid equal to 0, while 'ordinary' users have uid / gid not equal to 0.

Michael

--
Michael Viron
Registered Linux User #81978
Senior Systems & Administration Consultant
Web Spinners, University of West Florida
Re: [newbie] Permissions: Nobody in Apache + PHP
There are several things to check

For example which user / group owns /tmp?

What are the read / write permissions on /tmp?

If nobody does not have write privileges to /tmp, the file will not get updated.

Michael

--
Michael Viron
Registered Linux User #81978
Senior Systems & Administration Consultant
Alumni Representative, Online Operations
Web Spinners, University of West Florida

At 03:14 PM 02/09/2002 -0500, Andre Dubuc wrote:
> Finally, I have working copies of Apache 1.3.22 and PHP 4.1.1 on my LM8.0 box. Apache has been set up with "nobody" permissions, and I write test scripts as root and place them in /home/web/apache/htdocs.
>
> I can read scripts from this directory, but I've tried to use:
> . . . excerpt . . .
>
> $filename = "/tmp/graffiti.dat";
> $handle = fopen ($filename, "a+");
> fputs ($handle, $graffiti); [I've also tried fwrite]
> fclose($handle);
>
> . . . followed by a form that takes $graffiti as input . . . and then a php script that displays the contents of the appended $filename . . .
>
> And no matter what I try, nothing is written to "graffiti.dat" -- I've checked that it is writeable. Somehow, I think it's related to permissions and the group "nobody". I've written the script as root, and another as user. Neither works. Apache (temporarily) is run at root -- I'm just learning Apache and PHP -- this is a developmental setup, not connected to the outside.
>
> If there are any gurus that can help me, I'd appreciate it. Permissions are set otherwise to 755.
>
> I'm obviously not clear on the concept of "nobody" and how it affects running of scripts. Who can run these, if it's set to "nobody"?
>
> Tia,
> Andre
>
> --
> Please pray the Holy Rosary to end the holocaust of abortion.
> Remember in your prayers the suffering souls in Purgatory.
>
> May God bless you abundantly in His love!
>
> For a free Cenacle Scriptural Rosary Booklet -- http://www.webhart.net/csrb/
Re[2]: [newbie] Permissions: Nobody in Apache + PHP
Hello Andre,

Try this -

[I changed graffiti.php4 to php]

Current graffiti reads: ";
readfile ($filename);
}
else
{
echo "File not found!";
}
?>

--
Best regards,
Colin mailto:[EMAIL PROTECTED]

4:20pm up 18:50, 0 users, load average: 0.01, 0.00, 0.00
Don't panic!
.registered linux user #223862
Re: [newbie] Permissions: Nobody in Apache + PHP
Thanks Kevin,

You're right it's a permission thing, but it doesn't make any difference since I placed Grafiti.dat and graffiti.php in the same directory (htdocs). I also tried it in /tmp, setting the permissions the same. No go. Since this is a tutorial script, (PHP 101 - Part 5 from DevShed.com) I wonder if there's a mistake in it: the variable $graffiti does not seem to be defined except by the name=graffiti function in the form section.

My error log is a mess! Primary error: $graffiti not defined, and, no permission to grafiti.php. The script is simple and should work: I included it below. If you would be so kind as to scan for errors (particularly for $graffiti definition):

[I changed graffiti.php4 to php]

Current graffiti reads: ";
readfile ($filename);
}
else
{
echo "File not found!";
}
?>

Somehow, I think there's a boo-boo in here (but then again, I'm a newbie! :>)

Tia, (and thanks for your help!)
Andre

On Saturday 09 February 2002 20:47, you wrote:
> Andre,
>
> Yes, it has to be a permissions issue. Here's one thing that has gotten me in the past. Make sure that the directory (and ones above it) for grafitti.dat have the same permissions and are owned and grouped exactly as grafitti.dat is. Try that and let me know what happens. Also, check your Apache error_log for error messages and they might help you pinpoint the problem.
>
> As for your original question, nobody is just an ordinary user like any other. The only thing is that the nobody account is disabled so that nobody can log in in the normal way. The purpose of having such an account is to limit the power of processes that run as this user and to partition them off to some extent from other users although there seems to be something of a trend nowadays to run various services as their own separate users (eg, in Debian: www-data for Apache, proxy for squid, et al.)
>
> If you want to know why 'nobody' is not singled out as a specially restricted user then I can only give you my explanation and I don't know how authoritative that is. Firstly the Unix model says there are two types of users: superusers (uid=0) and ordinary users (uid!=0). Many would argue that this approach is the reason Unix security is such a problem so the question of whether introducing new users with varying privileges would actually help or not would need to be considered carefully. Perhaps the main reason why it hasn't been done so far is that there is little need. If you and I both have an account on the system, can I delete your files? Hopefully not -- unless you have specifically given a group I am in this privilege (or, heaven forbid, the dreaded 'other'). If you have private files then hopefully you have set the permissions/umask appropriately hence I can't read these either. Consequently, we are both unprivileged users and only ourselves (or, more correctly, processes with our uid) can do any damage to our files (unless permission is granted otherwise). Hence use of the nobody limits the damage that can be done to 'nobody': a user who owns virtually nothing and can only access (read/write) files to which r/w permission has been granted to "other" -- how more unprivileged could this be? (Perhaps rlimits could be permanently enforced but in some ways perhaps this is the responsibility of the application process, not the user id it runs as.) As I said, this is just my opinion and someone else can probably provide a better answer. :)
>
> Hope this helps,
> Kevin
> - Original Message -
> From: "Andre Dubuc" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Saturday, February 09, 2002 2:14 PM
> Subject: [newbie] Permissions: Nobody in Apache + PHP
>
> > Finally, I have working copies of Apache 1.3.22 and PHP 4.1.1 on my LM8.0 box. Apache has been set up with "nobody" permissions, and I write test scripts as root and place them in /home/web/apache/htdocs.
> >
> > I can read scripts from this directory, but I've tried to use:
> > . . . excerpt . . .
> >
> > $filename = "/tmp/graffiti.dat";
> > $handle = fopen ($filename, "a+");
> > fputs ($handle, $graffiti); [I've also tried fwrite]
> > fclose($handle);
> >
> > . . . followed by a form that takes $graffiti as input . . . and then a php script that displays the contents of the appended $filename . . .
> >
> > And no matter what I try, nothing is written to "graffiti.dat" -- I've checked that it is writeable.
Re: [newbie] Permissions: Nobody in Apache + PHP
Andre,

Yes, it has to be a permissions issue. Here's one thing that has gotten me in the past. Make sure that the directory (and ones above it) for grafitti.dat have the same permissions and are owned and grouped exactly as grafitti.dat is. Try that and let me know what happens. Also, check your Apache error_log for error messages and they might help you pinpoint the problem.

As for your original question, nobody is just an ordinary user like any other. The only thing is that the nobody account is disabled so that nobody can log in in the normal way. The purpose of having such an account is to limit the power of processes that run as this user and to partition them off to some extent from other users although there seems to be something of a trend nowadays to run various services as their own separate users (eg, in Debian: www-data for Apache, proxy for squid, et al.)

If you want to know why 'nobody' is not singled out as a specially restricted user then I can only give you my explanation and I don't know how authoritative that is. Firstly the Unix model says there are two types of users: superusers (uid=0) and ordinary users (uid!=0). Many would argue that this approach is the reason Unix security is such a problem so the question of whether introducing new users with varying privileges would actually help or not would need to be considered carefully. Perhaps the main reason why it hasn't been done so far is that there is little need. If you and I both have an account on the system, can I delete your files? Hopefully not -- unless you have specifically given a group I am in this privilege (or, heaven forbid, the dreaded 'other'). If you have private files then hopefully you have set the permissions/umask appropriately hence I can't read these either. Consequently, we are both unprivileged users and only ourselves (or, more correctly, processes with our uid) can do any damage to our files (unless permission is granted otherwise). Hence use of the nobody limits the damage that can be done to 'nobody': a user who owns virtually nothing and can only access (read/write) files to which r/w permission has been granted to "other" -- how more unprivileged could this be? (Perhaps rlimits could be permanently enforced but in some ways perhaps this is the responsibility of the application process, not the user id it runs as.) As I said, this is just my opinion and someone else can probably provide a better answer. :)

Hope this helps,
Kevin

- Original Message -
From: "Andre Dubuc" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, February 09, 2002 2:14 PM
Subject: [newbie] Permissions: Nobody in Apache + PHP

> Finally, I have working copies of Apache 1.3.22 and PHP 4.1.1 on my LM8.0 box. Apache has been set up with "nobody" permissions, and I write test scripts as root and place them in /home/web/apache/htdocs.
>
> I can read scripts from this directory, but I've tried to use:
> . . . excerpt . . .
>
> $filename = "/tmp/graffiti.dat";
> $handle = fopen ($filename, "a+");
> fputs ($handle, $graffiti); [I've also tried fwrite]
> fclose($handle);
>
> . . . followed by a form that takes $graffiti as input . . . and then a php script that displays the contents of the appended $filename . . .
>
> And no matter what I try, nothing is written to "graffiti.dat" -- I've checked that it is writeable. Somehow, I think it's related to permissions and the group "nobody". I've written the script as root, and another as user. Neither works. Apache (temporarily) is run at root -- I'm just learning Apache and PHP -- this is a developmental setup, not connected to the outside.
>
> If there are any gurus that can help me, I'd appreciate it. Permissions are set otherwise to 755.
>
> I'm obviously not clear on the concept of "nobody" and how it affects running of scripts. Who can run these, if it's set to "nobody"?
>
> Tia,
> Andre
>
> --
> Please pray the Holy Rosary to end the holocaust of abortion.
> Remember in your prayers the suffering souls in Purgatory.
>
> May God bless you abundantly in His love!
>
> For a free Cenacle Scriptural Rosary Booklet -- http://www.webhart.net/csrb/
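An added example, not code from anyone in the thread: a command-line PHP script that walks every directory above a file and then the file itself, reporting the first place where a given account (such as nobody) is denied, which is the check described in the advice about "the directory (and ones above it)" and the "Permission denied" warning in the error log. The script name `whycant.php` and the function names are assumptions; it expects an absolute path, must be run by a user who can stat every component, and considers only the account's primary group.

```php
<?php
// Added example (CLI): show which path component stops an account from
// appending to a file. Assumed invocation:
//   php whycant.php nobody /tmp/graffiti.dat
// Assumptions: absolute path, run by a user who can stat every component,
// and only the account's primary group is considered.

/** Permission triplet (0-7) of $st that applies to $uid/$gid. */
function effective_bits(array $st, $uid, $gid)
{
    if ($uid === 0) {
        return 7;                          // root is not bound by mode bits
    }
    if ($st['uid'] === $uid) {
        return ($st['mode'] >> 6) & 7;     // owner class
    }
    if ($st['gid'] === $gid) {
        return ($st['mode'] >> 3) & 7;     // group class
    }
    return $st['mode'] & 7;                // "other" class
}

/** One report line per path component, from "/" down to $target. */
function explain_access($user, $target)
{
    $pw = posix_getpwnam($user);
    if ($pw === false) {
        return array("no such user: $user");
    }
    $names = array_values(array_filter(explode('/', $target), 'strlen'));
    $report = array();
    $path = '';
    $parentBits = 0;
    foreach (array_merge(array(''), $names) as $i => $name) {
        $path = ($i === 0) ? '/' : rtrim($path, '/') . '/' . $name;
        $isLast = ($i === count($names));
        if (!file_exists($path)) {
            // Creating a file needs write + search on the parent directory.
            $ok = ($parentBits & 3) === 3;
            $report[] = sprintf("%-4s %s does not exist; parent %s creation",
                $ok ? 'ok' : 'DENY', $path, $ok ? 'allows' : 'blocks');
            break;
        }
        $st = stat($path);
        $bits = effective_bits($st, $pw['uid'], $pw['gid']);
        $need = $isLast ? 2 : 1;           // w on the file, x on each directory
        $owner = posix_getpwuid($st['uid']);
        $report[] = sprintf("%-4s %04o %-8s %s",
            ($bits & $need) ? 'ok' : 'DENY', $st['mode'] & 07777,
            $owner ? $owner['name'] : $st['uid'], $path);
        $parentBits = $bits;
    }
    return $report;
}

if (PHP_SAPI === 'cli' && isset($argv[2])) {
    echo implode("\n", explain_access($argv[1], $argv[2])), "\n";
}
```

A file created while testing as root shows up here as a root-owned final component whose "other" bits lack write, even when /tmp itself is world-writable.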
[newbie] Permissions: Nobody in Apache + PHP
Finally, I have working copies of Apache 1.3.22 and PHP 4.1.1 on my LM8.0 box. Apache has been set up with "nobody" permissions, and I write test scripts as root and place them in /home/web/apache/htdocs.

I can read scripts from this directory, but I've tried to use:
. . . excerpt . . .

$filename = "/tmp/graffiti.dat";
$handle = fopen ($filename, "a+");
fputs ($handle, $graffiti); [I've also tried fwrite]
fclose($handle);

. . . followed by a form that takes $graffiti as input . . . and then a php script that displays the contents of the appended $filename . . .

And no matter what I try, nothing is written to "graffiti.dat" -- I've checked that it is writeable. Somehow, I think it's related to permissions and the group "nobody". I've written the script as root, and another as user. Neither works. Apache (temporarily) is run at root -- I'm just learning Apache and PHP -- this is a developmental setup, not connected to the outside.

If there are any gurus that can help me, I'd appreciate it. Permissions are set otherwise to 755.

I'm obviously not clear on the concept of "nobody" and how it affects running of scripts. Who can run these, if it's set to "nobody"?

Tia,
Andre

--
Please pray the Holy Rosary to end the holocaust of abortion.
Remember in your prayers the suffering souls in Purgatory.

May God bless you abundantly in His love!

For a free Cenacle Scriptural Rosary Booklet -- http://www.webhart.net/csrb/