Chown in scripts

In some cases, I utilize the copy() function to generate files and directories, while in other instances, I construct XML files in PHP and save them using DOMDocument::save. When safe mode is enabled, PHP verifies if the files or directories being manipulated have the identical owner as the executing script.


Question:

An update reveals that the issue is more complex than initially anticipated. I was simultaneously troubleshooting the reason behind the malfunction of my

mkdir

. It was due to the manual alteration of permissions for
parent directory
for testing purposes, followed by reverting them back and introducing a new

chmod

to the script. However, this code does not function as it is executed by

apache

and not myself. To avoid confusion, I will create a separate question to address the larger problem.


As a lab instructor at my university, I have been rewriting the assignment upload script provided by them. The existing script, which is written in python, is outdated and has bugs. Instead of modifying it, I have decided to write a new script in php.

There is an issue that I encountered with chown not functioning properly. The php scripts are executed under the user

apache

. I am uncertain if this user is considered ‘privileged’ or not, but the initial script utilized chown.

Can I conclude that

apache

possesses the necessary authority, indicating that my issue may lie elsewhere, or is this line of reasoning flawed?


The server belongs to the university, so they won’t allow me to modify any configurations. I believe they are running CentOS. Although there is no error message, I noticed that I can modify the file and change permissions, but the subsequent command (

chown

) doesn’t seem to have any impact.

In the display of the previous scripts,

ls -al

is shown.

-rwxr-xr-x 1 mattw labstaff 5067 Sep  1 17:52 File_Upload.cgi

The setuid bit does not appear to be enabled.

According to Stefan, the user apache probably lacks sufficient permissions to chown a file or folder that it does not own. I am trying to access the directory

chown

, which was recently created using

mkdir

, so it should be owned by apache. In this case, shouldn’t

chown

work regardless of privilege, considering that I already own the file?


Solution 1:

The ability for Apache to perform the specified action depends on the privileges it has in its current environment. Considering that you mentioned Apache is running under the user apache, I will make the assumption that it is either RHEL or a RHEL variant like Centos.
“””.

To grant apache the ability to sudo without a password within a specific directory, you can edit the sudoers file (using visudo). However, it is important to note that this is not advisable for those who prioritize security.

Adding something like

The user “apache” is granted permission to execute the command “/bin/chown 1[1-9][0-9][0-9]:1[1-9][0-9][0-9] /var/www/[a-zA-Z0-9]*” without the need for a password.

It is possible to include apache in a separate group, or add another user to the apache group, and then adjust the chmod to either 0775 or 0664.

To ensure effective troubleshooting, it is recommended to provide the code triggering the error, any accompanying error message, as well as specify the users and groups requiring access to the uploaded files.


Solution 2:


If the Apache user runs the old script and can execute

chown

, it might have the setuid bit enabled to enable it to run with higher privileges. If that is the case, your assumption would be incorrect.

Kindly provide the output of

ls -al /path/to/script

to verify. The output should indicate

root

as the owner and a

s

in its mode.

To activate setuid mode for the new script, ensure that

chmod u+s

is implemented. However, it is important to be aware of the potentially significant security risks associated with this. Specifically, it is crucial to never leave a setuid script or binary in a writeable state.


Solution 3:


It is probable that the user apache lacks sufficient permissions to chown a file/folder that it does not own. Granting apache additional rights is an option, although this may pose a security risk.

Frequently Asked Questions

Posted in Php