/    Sign up×
Community /Pin to ProfileBookmark

prob using CHOWN… help.

Copy linkTweet thisAlerts:
Oct 05.2004

I’m using chown, with a genuine user set up on the linux server. However, my script returns the rather useless error message ‘operation not permitted’. The target file has sufficient permissions also. It’s not having trouble finding the UID, just setting the chown. Any offers?

Thanks in advance.

to post a comment
PHP

5 Comments(s)

Copy linkTweet thisAlerts:
@NogDogOct 05.2004 — PHP normally runs as its own user (e.g.: "nobody"). I believe you can only do a chown on a file you own, or as the root "superuser". You may be able to get around this by changing the owner of the PHP file itself to that of the files to be changed (or to root) and set its permissions to include suid ("chmod 4755 file_name.php"). Just make sure you've taken into consideration what could happen if someone (either malicious or accident-prone) executes your script in such a configuration.
Copy linkTweet thisAlerts:
@mityaauthorOct 05.2004 — Thanks, Nog Dog. A few questions.

Firstly, this concept of 'super user' confuses me. I'm aware of user levels on the server itself, but what does it mean by 'you must be the superuser' to do this action? Surely when I'm browsing a webpage (i.e. my script) in a browser I'm no different to any other visitor around the world. In what capacity does it mean superuser?

Secondly, I'm aware of the security implications, but think I have it sussed. However, I'll briefly lay down what I'm doing so perhaps you could give me your opinion. It's a content management system for a school which works really well. I've set up a userbase with varying levls of access, but what I'd like to do is allow teachers to 'stamp' files they've uploaded as theirs, so they can't be modified by others. I thought if I set them up a user account on the linux server this would be possible, but it obviously means they'd have to be able to run the chown command. Does this all sound dangerous? I might scrap the 'this is my file' feature if so.

Thanks again.
Copy linkTweet thisAlerts:
@NogDogOct 05.2004 — "Superuser" pretty much means what it sounds like: a user who can do anything. Normally on Unix/Linux systems this is only the "root" user account.

Anyway, if I were doing what I understand from your description, I probably would not bother with using the operating system file ownership stuff (again, based on my current understanding and subject to change without notice ? ). Instead, I would create a datbase table that for each file would have pertinent info such as file name, file owner, date uploaded, etc. Then I would use database queries to add and modify those records as needed.

Then, as an example, if a user wanted to do something to a file which you've deemed can only be done by the file "owner", you could query the database to see if the current user is the file's owner, then proceed accordingly. (Additionally, you might have a user table, and certain users - such as yourself? - might have an "admin" role that lets you override the file ownership restriction.)
Copy linkTweet thisAlerts:
@yunaOct 05.2004 — Here's a quick summary of how things work on a Linux box running Apache and PHP:

1) httpd is started by the "root" user. The root user can do just about anything to any file, anywhere. In particular the server needs root permissions for things like binding to HTTP "port" 80 (only root can bind to ports < 1024), opening the log file in a directory like /var/log, etc.

2) Once startup happens, the original instance of httpd spawns a number of child processes that actually listen on port 80 for incoming requests. These processes all run as an ordinary user with limited privileges. On most Linux boxes, this user will be called "httpd" or "apache" or "nobody". PHP scripts are executed by this user, not by the root user. I'll call this user "apache" in the rest of this comment.

3) The apache user can only read and write files for which it has appropriate permissions. Any file created by a PHP application will be owned by the apache user, and it can only be placed in a directory to which the apache user has write privileges (usually there aren't many of these!). So even if "teacher" is a valid account on the server, any files created by "teacher" via a web server application will be owned by "apache".

4) NogDog has the right answer here. Manage permissions through a database. You can still use the file system to store the files created, though. Just create a directory structure owned by the web server user (e.g., "apache") where the files will be stored by the script. chmod the directory to 0700 and the files to 0600, so only the apache user can read and write them. Then when "teacher" logs in, use the database to determine which files belong to teacher, read them off the filesystem, and display them for editing.
Copy linkTweet thisAlerts:
@mityaauthorOct 06.2004 — Thanks for that guys. I fully understand the concept of superuser, I just didn't understand in what capacity there was a user system when browsing scripts in a browser.

The database option is the obvious method, I was just seeing if I could avoid it with in-built mechanisms. Thanks again for the info.
×

Success!

Help @mitya spread the word by sharing this article on Twitter...

Tweet This
Sign in
Forgot password?
Sign in with TwitchSign in with GithubCreate Account
about: ({
version: 0.1.9 BETA 6.2,
whats_new: community page,
up_next: more Davinci•003 tasks,
coming_soon: events calendar,
social: @webDeveloperHQ
});

legal: ({
terms: of use,
privacy: policy
});
changelog: (
version: 0.1.9,
notes: added community page

version: 0.1.8,
notes: added Davinci•003

version: 0.1.7,
notes: upvote answers to bounties

version: 0.1.6,
notes: article editor refresh
)...
recent_tips: (
tipper: @meenaratha,
tipped: article
amount: 1000 SATS,

tipper: @meenaratha,
tipped: article
amount: 1000 SATS,

tipper: @AriseFacilitySolutions09,
tipped: article
amount: 1000 SATS,
)...