Differentiate each Apache user and give permissions

In the web application, I want to create a folder for each www-data user and grant write access only to this folder and only to this user.

AFTER VALIDATION I can do:

 mkdir($file->getPath().mt_rand(0,100000),0700); 

This will create a new directory with a random name in the path $file->getPath() with all permissions for the owner. But this will give permissions to all www-data users.

If I create a chroot jail, I have to copy all the files again for each user, because I have to create many prisons (one for the user).

I'm crazy about this and don’t understand the solution.

+7
linux php apache permissions chroot
3 answers

If I understand your question correctly, your problem starts with the linux interface / permission structure. So the user who owns the Apache process is the one that creates the dirs and files when it runs your script.

If you need to separate users into scripts, for example: you have different directories for different (virtual) hosts on your server, and you do not want the script of one host to act on the data of another host on the same server (apache), then you should use "mpm_itk_module" instead of the more common apache mpm-prefork file.

Using this, you can go and determine the user / group that apache uses when it executes any scripts and, for example, creates directories with this command for each virtual host entry in httpd.conf:

    <IfModule mpm_itk_module>
        AssignUserId USER GROUP
    </IfModule>

If you really want to create different directories from ONE execution script, you need the apache process to belong to root.root, and then the script needs to set permissions and owners for each directory the way you want.

But it is never recommended to run even the best scripts on the web server as root, since you can not think about any risk.

The separation of user / rights in vhosts seems to me much more enjoyable.

Another point - only PHP - is suPHP → http://www.suphp.org

EDIT:

Well, I looked at your site, and even if I can’t speak Spanish, it looks like you have only one website, which is valid for different users who go all the time on this website. So, where is the separation of users on Linux file system permissions required? You can limit everything to your application without the need for file system users. Even if you give, for example, additional access to FTP, restrict it, for example with proftpd, which has its own chroot mechanism for different users.

You will need to take care of file system rights only if you cannot control who does what. This is a common problem on a multi-domain host that you could solve with the mpm_itk_module that I mentioned.

Maybe you should describe your situation a little more?

EDIT 2:

As the suggestion suggests, if you ONLY use apache to give users access to files for loading / manipulation, simply place the files outside the (!) Apache root directory tree and create a simple database to find out which file belongs to the user:

 user a | file parentdir/filename 

It can be a simple table, and your php code gives the user a list from the database that he can see / manipulate, and your code does the work, as it was provided for by the user.

As long as you do not grant the user access to files by other services (ftp, ssh, etc.), there is no need to work with linux user rights at all. Just take care of placing the files outside the document on the server so that only your PHP code has access to the files with the apache user rights of your server.

EDIT 3:

Haha, now, finally, I had your problem after I read your similar post: (How can an Apache user write files with permissions to do this?) In this case (with REALLY anonymous users on your web page) you have NO CHANCE to solve this at all. Each visitor is treated as one without authentication. And, as I suggested in my last EDIT, and commented in a similar post: you don’t have to access Linux file permissions at all.

YOUR SOLUTION;): You need to perform file manipulations during one session with session identifiers while the user visits your page. Therefore, your code should handle the relationship between the visitor (session ID) and the file that he uploaded using this session ID. Using a session id that is valid as long as the visitor is online is the best way to do this. And again - there is no need for file system permissions ....;)

The second way is to use offline users, as suggested earlier: create a db table with users / passwords to enter the web page (and not the server) and another table that contains the user / file relationship. Then, after entering the web page, work with sessions again so that the user can access and manipulate already downloaded files.

+4

I can run apache with mod_php. Thus, this means that your PHP instance is running under the apache instance and has apache USER and GROUP. You can create a folder and change the owner of this folder, but the owner must be a user on your system (not apache or the same virtual user).

But you can store in each directory a file, for example ".permitions", and place the virtual owner in that file. Then you will need to filter each access (delete, rename, etc.) to this directory and compare your virtual user with the user stored in the .permitions file.

An example of a class (not complete, but more than enough to understand the idea):

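    class UserDirs {
        private $path = '/home/vusers';

        // Create the user's directory and record the virtual owner inside it.
        public function mkdir($user) {
            $d = $this->path . '/' . md5($user);
            if (!is_dir($d)) {
                mkdir($d, 0700, true);
            }
            file_put_contents($d . "/.owner", $user);
            return $d;
        }

        // Compare the requesting virtual user with the owner stored in the directory.
        public function checkOwner($user, $dirname) {
            $f = $dirname . "/.owner";
            $virtual_owner = file_get_contents($f);
            return $user === $virtual_owner;
        }
    }

    $d = new UserDirs();
    $dir = $d->mkdir("foo");   // mkdir() takes only the user name and returns the directory
    echo $d->checkOwner("foo1", $dir) === true ? "OK" : "FAIL";
    echo $d->checkOwner("foo", $dir) === true ? "OK" : "FAIL";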

You can encapsulate everything you need in this class to work with UserDirs and extend the class depending on your requirement.

+3

Your users do not have system accounts. It is probably also not possible to create these accounts. Therefore, I would recommend managing all of this through a web interface.

Continue to create your directories as is. The permissions are beautiful. However, your user interface must change to show only this user directory or files. I assume that you have a database associated with this page. Associate usernames and a randomly generated directory name with the user. If someone is trying to go the direct path and they are NOT the user associated with this directory, drop them back to the login screen.

To illustrate, I created an account called test and apparently got a unique directory. If I log out, I won’t be able to visit this directory because your code will see that

  • I am not registered and therefore do not have access to this directory.

If I had to log in as test2 and visit the test directory, your code should see that

  • I do not own the directory that is being visited, and therefore should be redirected as necessary.

You need to add a function that checks the directory that the user visited and compare it with the directory associated with the user. If they match, let them continue. If they do not match, redirect the user.

+2
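
The application-level checks described in the answers above (a user-to-directory table for files kept outside the document root, and comparing the visited directory with the one assigned to the logged-in user), as an added example that is not code from any of the answers. `createUserDir`, `resolveOwnedPath` and the `$owners` array (standing in for the database table) are hypothetical names, and a temp directory stands in for a location outside the document root.

```php
<?php
declare(strict_types=1);

// Create a private directory for one user; the returned name goes in that user's DB row.
function createUserDir(string $root): string
{
    $name = bin2hex(random_bytes(16));   // unguessable, unlike mt_rand(0,100000)
    if (!mkdir("$root/$name", 0700, true)) {
        throw new RuntimeException('cannot create user directory');
    }
    return $name;
}

// Resolve a requested relative path inside the caller's own directory.
// Returns null if the caller is logged out, has no directory, or the path leaves it.
function resolveOwnedPath(string $root, array $owners, ?string $sessionUser, string $requested): ?string
{
    if ($sessionUser === null || !isset($owners[$sessionUser])) {
        return null;
    }
    $base = realpath($root . '/' . $owners[$sessionUser]);
    if ($base === false) {
        return null;
    }
    $real = realpath($base . '/' . $requested);   // collapses ../ and follows symlinks
    if ($real === false) {
        return null;                              // no such file
    }
    $inside = strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
    return ($real === $base || $inside) ? $real : null;
}

// Constructed demo data: users "test" and "test2"; $owners stands in for the DB table.
$root = sys_get_temp_dir() . '/userdirs-demo-' . bin2hex(random_bytes(4));
$owners = ['test' => createUserDir($root), 'test2' => createUserDir($root)];
file_put_contents("$root/{$owners['test']}/a.txt", 'hello');

$cases = [
    'owner reads own file'    => ['test', 'a.txt'],
    'logged-out visitor'      => [null, 'a.txt'],
    'test2 reaches into test' => ['test2', "../{$owners['test']}/a.txt"],
];
foreach ($cases as $label => [$user, $path]) {
    $ok = resolveOwnedPath($root, $owners, $user, $path) !== null;
    echo $label, ': ', $ok ? 'allowed' : 'denied', PHP_EOL;
}
```

`realpath()` only resolves paths that already exist, so for a new upload resolve and check the parent directory and append a sanitized file name afterwards.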