Permissions: What's the right way to give Apache more user permissions?
Context: I am making an in-browser control panel that gives me one button access to a library of scripts (.sh and .php) that I've written to process various kinds of data for a project. It's a "one stop shop" for managing data for this project.
I've made good progress. I have apache, PHP and MySQL running, and I have my front end up at http://localhost. Good so far!
Now the problem I'm having: I have an index.php which works fine, except the default apache user (which on my machine is called "_www") seemingly doesn't have permissions to run some of my scripts.
So when I do:
<?php
echo `ls`;
echo `whoami`;
echo `/Path/To/Custom/Script.sh`;
?>
I get the output of ls and whoami, but I get nothing back from the custom script. If I run the custom script as me (in an interactive shell), of course it works.
Finally, my question: What's the right way to configure this. Have the webserver run as me? Or change permissions so that _www can run my custom scripts?
permissions php apache-httpd
edited 2 hours ago
Rui F Ribeiro
39.6k1479132
asked Mar 14 '11 at 17:56
Cameron BrownCameron Brown
1283
add a comment |
Context: I am making an in-browser control panel that gives me one button access to a library of scripts (.sh and .php) that I've written to process various kinds of data for a project. It's a "one stop shop" for managing data for this project.
I've made good progress. I have apache, PHP and MySQL running, and I have my front end up at http://localhost. Good so far!
Now the problem I'm having: I have an index.php which works fine, except the default apache user (which on my machine is called "_www") seemingly doesn't have permissions to run some of my scripts.
So when I do:
<?php
echo `ls`;
echo `whoami`;
echo `/Path/To/Custom/Script.sh`;
?>
I get the output of ls and whoami, but I get nothing back from the custom script. If I run the custom script as me (in an interactive shell), of course it works.
Finally, my question: What's the right way to configure this. Have the webserver run as me? Or change permissions so that _www can run my custom scripts?
permissions php apache-httpd
edited 2 hours ago
Rui F Ribeiro
39.6k1479132
asked Mar 14 '11 at 17:56
Cameron BrownCameron Brown
1283
add a comment |
Context: I am making an in-browser control panel that gives me one button access to a library of scripts (.sh and .php) that I've written to process various kinds of data for a project. It's a "one stop shop" for managing data for this project.
I've made good progress. I have apache, PHP and MySQL running, and I have my front end up at http://localhost. Good so far!
Now the problem I'm having: I have an index.php which works fine, except the default apache user (which on my machine is called "_www") seemingly doesn't have permissions to run some of my scripts.
So when I do:
<?php
echo `ls`;
echo `whoami`;
echo `/Path/To/Custom/Script.sh`;
?>
I get the output of ls and whoami, but I get nothing back from the custom script. If I run the custom script as me (in an interactive shell), of course it works.
Finally, my question: What's the right way to configure this. Have the webserver run as me? Or change permissions so that _www can run my custom scripts?
permissions php apache-httpd
edited 2 hours ago
Rui F Ribeiro
39.6k1479132
asked Mar 14 '11 at 17:56
Cameron BrownCameron Brown
1283
Context: I am making an in-browser control panel that gives me one button access to a library of scripts (.sh and .php) that I've written to process various kinds of data for a project. It's a "one stop shop" for managing data for this project.
I've made good progress. I have apache, PHP and MySQL running, and I have my front end up at http://localhost. Good so far!
Now the problem I'm having: I have an index.php which works fine, except the default apache user (which on my machine is called "_www") seemingly doesn't have permissions to run some of my scripts.
So when I do:
<?php
echo `ls`;
echo `whoami`;
echo `/Path/To/Custom/Script.sh`;
?>
I get the output of ls and whoami, but I get nothing back from the custom script. If I run the custom script as me (in an interactive shell), of course it works.
Finally, my question: What's the right way to configure this. Have the webserver run as me? Or change permissions so that _www can run my custom scripts?
permissions php apache-httpd
permissions php apache-httpd
edited 2 hours ago
Rui F Ribeiro
39.6k1479132
asked Mar 14 '11 at 17:56
Cameron BrownCameron Brown
1283
edited 2 hours ago
Rui F Ribeiro
39.6k1479132
asked Mar 14 '11 at 17:56
Cameron BrownCameron Brown
1283
edited 2 hours ago
Rui F Ribeiro
39.6k1479132
edited 2 hours ago
Rui F Ribeiro
39.6k1479132
edited 2 hours ago
Rui F Ribeiro
39.6k1479132
39.6k1479132
asked Mar 14 '11 at 17:56
Cameron BrownCameron Brown
1283
asked Mar 14 '11 at 17:56
Cameron BrownCameron Brown
1283
asked Mar 14 '11 at 17:56
Cameron BrownCameron Brown
1283
1283
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
The first-best thing would be to put the script in a standard location (such as /usr/local/bin) where the web server would have sufficient permissions to execute it.
If that's not an option, you can change the group of the script using chgrp groupname path, then make it executable for the group by chmod g+x path. If the _www user isn't already in that group, add it to the group by usermod -aG groupname _www.
answered Mar 14 '11 at 18:22
Shawn J. GoffShawn J. Goff
29.6k19110134
add a comment |
To answer your question, it's better to give the _www group permission to execute your scripts.
Use an ACL to extend the permissions on your *.sh scripts to allow a user in the _www group execute privilege:
cd /Path/To/Custom
setfacl -m g:_www:rx *.sh
Also check each directory component of /Path/To/Custom & verify that apache has permission to access (i.e. 'see') the scripts in /Path/To/Custom:
ls -ld /Path
ls -ld /Path/To
ls -ld /Path/To/Custom
Each directory component above should grant apache a minimum of execute permission apart from the final component (Custom) where apache needs both execute & read permission. e.g. if all the directory components above have other permissions of r-x then apache has all the access rights it needs to find your scripts in the Custom directory.
answered Mar 15 '11 at 16:44
frielpfrielp
19146
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f9241%2fpermissions-whats-the-right-way-to-give-apache-more-user-permissions%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
The first-best thing would be to put the script in a standard location (such as /usr/local/bin) where the web server would have sufficient permissions to execute it.
If that's not an option, you can change the group of the script using chgrp groupname path, then make it executable for the group by chmod g+x path. If the _www user isn't already in that group, add it to the group by usermod -aG groupname _www.
answered Mar 14 '11 at 18:22
Shawn J. GoffShawn J. Goff
29.6k19110134
add a comment |
The first-best thing would be to put the script in a standard location (such as /usr/local/bin) where the web server would have sufficient permissions to execute it.
If that's not an option, you can change the group of the script using chgrp groupname path, then make it executable for the group by chmod g+x path. If the _www user isn't already in that group, add it to the group by usermod -aG groupname _www.
answered Mar 14 '11 at 18:22
Shawn J. GoffShawn J. Goff
29.6k19110134
add a comment |
The first-best thing would be to put the script in a standard location (such as /usr/local/bin) where the web server would have sufficient permissions to execute it.
If that's not an option, you can change the group of the script using chgrp groupname path, then make it executable for the group by chmod g+x path. If the _www user isn't already in that group, add it to the group by usermod -aG groupname _www.
answered Mar 14 '11 at 18:22
Shawn J. GoffShawn J. Goff
29.6k19110134
The first-best thing would be to put the script in a standard location (such as /usr/local/bin) where the web server would have sufficient permissions to execute it.
If that's not an option, you can change the group of the script using chgrp groupname path, then make it executable for the group by chmod g+x path. If the _www user isn't already in that group, add it to the group by usermod -aG groupname _www.
answered Mar 14 '11 at 18:22
Shawn J. GoffShawn J. Goff
29.6k19110134
edited Mar 15 '11 at 0:31
answered Mar 14 '11 at 18:22
Shawn J. GoffShawn J. Goff
29.6k19110134
answered Mar 14 '11 at 18:22
Shawn J. GoffShawn J. Goff
29.6k19110134
answered Mar 14 '11 at 18:22
Shawn J. GoffShawn J. Goff
29.6k19110134
29.6k19110134
add a comment |
add a comment |
To answer your question, it's better to give the _www group permission to execute your scripts.
Use an ACL to extend the permissions on your *.sh scripts to allow a user in the _www group execute privilege:
cd /Path/To/Custom
setfacl -m g:_www:rx *.sh
Also check each directory component of /Path/To/Custom & verify that apache has permission to access (i.e. 'see') the scripts in /Path/To/Custom:
ls -ld /Path
ls -ld /Path/To
ls -ld /Path/To/Custom
Each directory component above should grant apache a minimum of execute permission apart from the final component (Custom) where apache needs both execute & read permission. e.g. if all the directory components above have other permissions of r-x then apache has all the access rights it needs to find your scripts in the Custom directory.
answered Mar 15 '11 at 16:44
frielpfrielp
19146
add a comment |
To answer your question, it's better to give the _www group permission to execute your scripts.
Use an ACL to extend the permissions on your *.sh scripts to allow a user in the _www group execute privilege:
cd /Path/To/Custom
setfacl -m g:_www:rx *.sh
Also check each directory component of /Path/To/Custom & verify that apache has permission to access (i.e. 'see') the scripts in /Path/To/Custom:
ls -ld /Path
ls -ld /Path/To
ls -ld /Path/To/Custom
Each directory component above should grant apache a minimum of execute permission apart from the final component (Custom) where apache needs both execute & read permission. e.g. if all the directory components above have other permissions of r-x then apache has all the access rights it needs to find your scripts in the Custom directory.
answered Mar 15 '11 at 16:44
frielpfrielp
19146
add a comment |
To answer your question, it's better to give the _www group permission to execute your scripts.
Use an ACL to extend the permissions on your *.sh scripts to allow a user in the _www group execute privilege:
cd /Path/To/Custom
setfacl -m g:_www:rx *.sh
Also check each directory component of /Path/To/Custom & verify that apache has permission to access (i.e. 'see') the scripts in /Path/To/Custom:
ls -ld /Path
ls -ld /Path/To
ls -ld /Path/To/Custom
Each directory component above should grant apache a minimum of execute permission apart from the final component (Custom) where apache needs both execute & read permission. e.g. if all the directory components above have other permissions of r-x then apache has all the access rights it needs to find your scripts in the Custom directory.
answered Mar 15 '11 at 16:44
frielpfrielp
19146
To answer your question, it's better to give the _www group permission to execute your scripts.
Use an ACL to extend the permissions on your *.sh scripts to allow a user in the _www group execute privilege:
cd /Path/To/Custom
setfacl -m g:_www:rx *.sh
Also check each directory component of /Path/To/Custom & verify that apache has permission to access (i.e. 'see') the scripts in /Path/To/Custom:
ls -ld /Path
ls -ld /Path/To
ls -ld /Path/To/Custom
Each directory component above should grant apache a minimum of execute permission apart from the final component (Custom) where apache needs both execute & read permission. e.g. if all the directory components above have other permissions of r-x then apache has all the access rights it needs to find your scripts in the Custom directory.
answered Mar 15 '11 at 16:44
frielpfrielp
19146
answered Mar 15 '11 at 16:44
frielpfrielp
19146
answered Mar 15 '11 at 16:44
frielpfrielp
19146
answered Mar 15 '11 at 16:44
frielpfrielp
19146
19146
add a comment |
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f9241%2fpermissions-whats-the-right-way-to-give-apache-more-user-permissions%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
