
First of all, I'm sorry about my bad English, I'm not a native speaker.

I'm using PHP with FCGI, so each one of my virtual hosts runs its PHP scripts as a different user.

I needed to share a PHP class between two of the virtual hosts (user1 and user2), so I decided that adding user2 to the user1 group in /etc/group would be a good way to accomplish that. I did that, and then I tested that the group permissions were working fine with the following commands:

su user2
cat /home/user1/shared_class.php

and it worked fine (user2 accessed user1 class just fine).

But PHP didn't seem to recognize that same permission. I saved the following script in the user2 virtual host for testing and ran it from the browser:

<?php
passthru('whoami');
passthru('cat /home/user1/shared_class.php');
?>

and that returned the correct username ('user2') but not the content of shared_class.php. If I try require_once('/home/user1/shared_class.php'), I also get an "Access Denied" error. So it's clear that PHP thinks 'user2' does not have permission to access shared_class.php.

Another test I did was to run

su user1
chmod o+r /home/user1/shared_class.php

After that last chmod, the 'user2' PHP script could read the file just fine, so I'm certain it's not a folder restriction (open_basedir or some other directive); it's just PHP ignoring /etc/group.

Is this expected? Is there any way to accomplish that?

The workaround I'm using right now is to run

su user1
chown user1:user2 /home/user1/shared_class.php

That way, user2 can access the file just fine from PHP, but I'd like to be able to share the files without having to change the ownership manually, that is, by using /etc/group and adding user2 to the user1 group.

Thanks.

pagliuca
  • I do not think PHP does setuid, but it is done by fastcgi/apache. I have seen the same kind of behaviour before: the additional groups from /etc/group get ignored. If possible, try switching the main group in /etc/passwd. Otherwise use world-readable. – Antti Rytsölä Feb 07 '13 at 18:20
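A diagnostic script, added here and not part of the question or the answer, that makes the whoami/cat test above explicit: it lists the uid, gid and supplementary groups the FastCGI PHP process actually carries, compares them with the memberships /etc/group grants that user, and reports whether the shared file is readable from inside PHP. It assumes PHP's posix extension is enabled; the path and user names are the ones from the question.

```php
<?php
// Added diagnostic, not from the original post: save it in the user2
// virtual host and open it in the browser. Requires the posix extension.
$shared = '/home/user1/shared_class.php';   // path from the question

// Resolve a gid to a name, falling back to the number for unknown gids.
function grpname(int $g): string {
    $grp = posix_getgrgid($g);
    return $grp ? $grp['name'] : "gid$g";
}

$uid  = posix_geteuid();
$gid  = posix_getegid();
$user = posix_getpwuid($uid)['name'] ?? (string)$uid;

// Groups the kernel applies to this process: the effective gid plus the
// supplementary list. Only these count for file permission checks.
$procGroups = [$gid => grpname($gid)];
foreach (posix_getgroups() as $g) {
    $procGroups[$g] = grpname($g);
}

// Groups /etc/group lists the user in (what `su` applies via initgroups).
$etcGroups = [];
foreach (file('/etc/group', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
    [$name, , $g, $members] = explode(':', $line, 4) + ['', '', '', ''];
    if (in_array($user, explode(',', $members), true)) {
        $etcGroups[(int)$g] = $name;
    }
}

// Memberships granted in /etc/group that never reached this process.
$missing = array_diff_key($etcGroups, $procGroups);

header('Content-Type: text/plain');
printf("running as     : uid=%d (%s) gid=%d (%s)\n", $uid, $user, $gid, grpname($gid));
printf("process groups : %s\n", implode(',', $procGroups));
printf("/etc/group says: %s\n", $etcGroups ? implode(',', $etcGroups) : '(none)');
printf("not applied    : %s\n", $missing ? implode(',', $missing) : '(none)');

$st = @stat($shared);
if ($st === false) {
    printf("%s: cannot stat (missing +x on a parent directory?)\n", $shared);
} else {
    printf("%s: %s:%s mode %04o, readable by this process: %s\n", $shared,
        posix_getpwuid($st['uid'])['name'] ?? $st['uid'], grpname($st['gid']),
        $st['mode'] & 07777, is_readable($shared) ? 'yes' : 'no');
}
```

If the user1 group shows up under "/etc/group says" but also under "not applied", the FastCGI process was started without the supplementary group list, which is exactly the case in which only the primary gid, the other bits, or a changed group owner can grant access.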

1 Answer

The first thing I would check would be the SELinux settings (if there are any); you can check this by running

getenforce

Note: chown user1:user2 changes the user ownership to user1 and the group ownership to user2; it doesn't stack the users in the permissions.

And: the user needs +x on the directory to be able to traverse it :)

PHP CGI will run as whoever you tell it to; most PHP CGI services I have used will allow you to specify the group of the process as well.

I would suggest:

  1. Create a group called phpcgi
  2. Make phpcgi the primary group of user1 & user2
  3. Change the CGI process to run as phpcgi
  4. For files:
    1. set ownership to %USER%:phpcgi
    2. chmod 0660
  5. for folders:
    1. set ownership to %USER%:phpcgi
    2. chmod 0770

then restart everything and try it again :)

Adam Purdie
  • Thanks for your time on answering my question. I don't think it solves my problem, though. Here are a few comments: 1) I know that permissions are replaced, and not added up. 2) Folder permissions are correct (see that I tested for that in my question). 3) If I understood well, your method would result in something similar to my work-around method. 4) It does not solve the problem of php ignoring /etc/group, as primary groups would have to be changed. – pagliuca Feb 27 '13 at 01:53
  • Fair enough :) I've done this and had it working: all files that were written by the CGI were readable from user folders, and all user files for users that shared the group of the CGI were accessible from the web. – Adam Purdie Mar 06 '13 at 03:44