I'm trying to create a directory with a perl script after calling it via Ajax through a web interface. I'm using IIS7.5 to run my webserver.
The problem arises when I use either mkdir($path) or system("mkdir", $path), with the errors being "Permission denied" or "Access is denied", respectively. I believe I've set up the permissions correctly to give read/write/execute permissions as well as special permissions to create files and folders to the script.
Please let me know also if this should should be posted elsewhere, thanks!
I would think you could find the user running the script with "whoami".
Also, I'm not clear on what context the script is running in, nor where is the directory it is trying to create. It might be necessary to add the "-p" option so that necessary parent directories are created.
No comment on the safety of this ... I assume that those checks are being made elsewhere.
Please keep in mind that , the folder that you are planning to create this new folder in , must be owned by apache ( or any other web server software, you might be using ).
sudo chown apache *rootfolderfornewfolder*
I hope this helps
Related
I am a web developer, and for some upcoming projects I would like to use a file-based CMS. This means that many of the files I create at the start must be editable by the PHP user later, but also remain editable for my user (and also the other way around). My PC runs Debian 9, which I love but am not super knowledgeable about, and I have also just set up a local network server with Debian 9 for backups and possibly file sharing. (I'm using Webmin to configure this, which reflects my level of command line skills).
On my online shared hosting server, the PHP user and the FTP user seem to be the same, and 644/755 permissions work fine, this is also recommended by the CMS I'm using. I would like to mimic this on my computer so I don't have to fiddle with permissions all the time. But how do I do this? Currently, my regular user (anna) does not have access to www-data's files and vice versa. Putting them in the same group still means changing file permissions. Making anna the PHP user is a Bad Idea (as far as I understand it) because anna has sudo permissions.
So far I have researched three possible solutions that I don't really know very much about, and I would like to know which is the best route to take.
Develop locally on my computer and use apache-mpm-itk or suPHP to let PHP edit the files (I got that idea from this question on ServerFault).
Develop locally on my computer and rsync the files to my server with grunt-rsync, and somehow get rsync to set the ownership to www-data (another ServerFault thread helping here).
Mount the project's server directory, which is owned by www-data, on my computer with SSHFS and then either edit the files on the server directly or copy them over from my local directory with grunt-copy.
What do you think: from a security and ease of use perspective, which is the best way? Or do you know an even better one?
Thank you for taking the time to read and think about this!
Anna~
I figured it out! I finally ended up reading about running PHP as CGI instead of as an Apache module, and that this would solve my permissions problem. Plus, as far as I understand it, there are no extra security precautions to take when I'm the only one working with it on my local computer.
In case someone comes across this who might find it helpful, here's what I did (basically following these instructions):
I installed php7.0-fpm
Edited /etc/apache2/sites-enabled/000-default.conf and put the following just before </VirtualHost>:
DirectoryIndex index.php
<LocationMatch "^(.*\.php)$">
ProxyPass fcgi://127.0.0.1:9000/var/www/html
</LocationMatch>
I activated the Apache module proxy_fcgi (via Webmin, which apparently does an automatic Apache restart)
In /etc/php/7.0/fpm/pool.d/www.conf I commented out a listen line and put another below like this:
; listen = /run/php/php7.0-fpm.sock
listen = 127.0.0.1:9000
I then restarted PHP-FPM with this command: /etc/init.d/php7.0-fpm restart (a little different from the instructions, I'm on Debian 9). After that, phpinfo() gave me the Server API "FPM/FastCGI".
And finally, I changed the user and group from www-data to anna in three places, twice in /etc/php/7.0/fpm/pool.d/www.conf and then once more in /usr/lib/tmpfiles.d/php7.0-fpm.conf (this last bit may be Ubuntu/Debian specific, my thanks go to Keith for a comment on StackExchange).
And that was it! :-)
I have a batch file where I copy file from a different server. I have no issues running it on the server. But when I try to run it from a web application, the file does not copy. I keep getting access denied error. I have used xcopy, copy and robocopy.
I have provided full access to source and destination folder for all users.
No luck. Keep getting the same error :
copy /y \N01APW280\d$\Oracle\Middleware\user_projects\epmsystem1\diagnostics\logs\essbase\essbase_0\app\PLPLAN\PLPLAN.LOG D:\Hyperion\ERPI_Actuals_Load\Logs\
It is rather awkward to try and use a command-line utility, such as copy, from a web app; you should rather be using the programmatic abilities within your web application instead.
Aside from that, you main issue is that web apps are typically executed with very limited privileges, using local machine accounts that have no way of accessing administrative level shares on remote machines such as \N01APW280\d$. Another possible issue is that the local account that is being used by the web app cannot write to D:\Hyperion\ERPI_Actuals_Load\Logs\ folder. And finally, your app may have enough privileges to instantiate an external process such as copy.exe.
I'm trying to Rebuild my Search Index in Sitecore 5.3.1 using the Desktop interface. After processing several thousand nodes, I get an UnauthorizedAccessException with the following message:
RebuildSearchIndex|System.UnauthorizedAccessException: Access to the
path '...\WebSite\indexes\master\system\deletable' is denied.
Does anyone know how I could resolve this issue?
UPDATE: #Divamatrix has the answer, and all three steps are required. Giving Full Control to the IIS App Pool identity for the Website and Indexes folders resolved the UnauthorizedAccessException. I got an "unable to rename" error on the deleteable.new file until I gave IUSR read and Write permissions to the Index folder.
Without seeing more of the logs, it's hard to say for sure.. but please check these things. It sounds like there may be some permissions issues when it gets to trying to create or edit files as it's going through creating the indexes.
1)Please make sure that the app pool identity has full control rights to the website folder.
2)App Pool identity also needs rights to the indexes folder which is usually not in the website folder... its usually in the data folder. (However, you should also make sure that the app pool identity has full control of the website folder and its descendants - subfolders and files).
3)Please give READ\WRITE IIS security for /index folder.
I'm using Apache on Ubuntu. I have a Perl script which basically read the files names of a directory, then rewrites a text file, then sends a signal to a daemon. How can this be done, as secure as possible through a web-page?
Actually I can run a simplified cgi in the code below, but not if I remove the comments. I'm looking for advise considering any of:
Using HTTP Requests?
How about Apache file permissions on the directory shown in code?
Is htaccess enough to enable user/pass access to the cgi?
Should I use a database instead of writing to a file and run a cron querying the db with permission granted to write and send the signal?
Granting as less permissions as possible to the webserver.
Should I set a VPN?
#!/usr/bin/perl -wT
use strict;
use CGI;
##fileList = </home/user/*>; #read a directory listing
my $query = CGI->new();
print $query->header( "text/html" ),
$query->p( "FirstFileNameInArray" ),
#$query->p( $fileList[0] ), #output the first file in directory
$query->end_html;
Presumably, the error you're getting from the commented lines is a permission denied when trying to read the /home/user directory. The way to fix this is (surprise, surprise) to give the apache user[1] to read that directory. There are three primary approaches to doing this:
In most environments, there's
really no good reason to hide all
filenames within a user's home
directory, so you could make the
directory world-readable with chmod
a+r /home/user. Unless you have a
specific reason to prevent the
general public from knowing the
names of the files in the user's
home directory, I'd tend to
recommend this approach.
If you want to be a bit more
restrictive about it, you could
change /home/user to be owned by a
group which the apache user belongs
to (or add the apache user to the
group that currently owns
/home/user) and then set
/home/user to be group-readable.
This will make it accessible to all
members of that group, but not the
general public.
If you need to have standard
filesystem permissions applied to
web access, you can look at
configuring suexec so that
individual requests can take on
permissions of users other than the
apache user. This is normally the
user who owns the code which is
being run to handle the request
(e.g., in this case, the user who
owns your directory-listing script),
but, if you're using htaccess-based
authentication, it may be possible
to configure suexec to decide
which user's permissions to take on
based on what user you log in as.
(I avoid suexec myself, so I'm not
100% certain if this can be done and
have no idea how to go about it if
it can.)
[1] ...by which I mean the user that apache is running as; depending on your system config, this user may be named "apache", "httpd", "nobody", "www-data", or something else entirely.
I'm using MAMP-pro to serve my domain to the outside world.
I'm not a very experienced sys-admin, though I've slogged my way through a few basic things. I know what apache is, and I can read-most-of but not generate-without-guide related .conf files.
I've got a perl script which I've tested from the command line and it works (outputs as desired.)
When I try to access said script from the browser, I get 404.
I've tried placing the script at:
/Users/me/Sites/mydomain.com/htdocs/mycgi.pl
/Users/me/Sites/mydomain.com/cgi-bin/mycgi.pl
/Users/me/Sites/mydomain.com/htdocs/cgi-bin/mycgi.pl
and accessing it as:
http://www.mydomain.com/mycgi.pl
http://www.mydomain.com/cgi-bin/mycgi.pl
and all the various combinations, all to no avail (404.)
The script and its container directory have permissions 755.
So, what other steps am I missing? Are there any good set-up guides? I tried the MAMP-Pro manual, but it is filled with such information as "the cancel button cancels the current operation" and not really anything useful. Google turned up several hits that all seem to talk about how to make this work on localhost, but I'm trying to serve this to the outside world.
Any hints?
Thanks!
The official online documentation has a section on virtual hosts. When creating a host for www.mydomain.com you can choose the DocumentRoot which is called "Disk location" within MAMP PRO. If you still get a 404 error, take a look into the error_log for a more specific reason (i.e., where Apache tries to find the file in question).