What permissions are needed to run a system() command within a php script that writes to a folder?

Question

I've got a php script which has the line:

system("ffmpeg -i ......");

The output folder is set to be:

drwxrwxr-x  5 apache apache   4096 Oct 19 07:40 in_upload

If I run the exact text "ffmpeg -i ......" from the prompt as root, it works fine.

But if the script is run, only a zero sized file is created. Any ideas on what could be wrong?

Edit 1

I think I've localized the problem to selinux

I tried the solution recommended in http://www.php.net/manual/en/function.system.php#94929 :

<?php
function my_exec($cmd, $input='')
         {$proc=proc_open($cmd, array(0=>array('pipe', 'r'), 1=>array('pipe', 'w'), 2=>a$
          fwrite($pipes[0], $input);fclose($pipes[0]);
          $stdout=stream_get_contents($pipes[1]);fclose($pipes[1]);
          $stderr=stream_get_contents($pipes[2]);fclose($pipes[2]);
          $rtn=proc_close($proc);
          return array('stdout'=>$stdout,
                       'stderr'=>$stderr,
                       'return'=>$rtn
                      );
         }

echo "1 ";
echo shell_exec('ls');
echo "\n2 ";
my_exec('ls');
echo "\n3 ";
my_exec('/bin/ls');

?>

Output was:

1 
2 
3

Edit 2

AFTER disabling selinux, I got the following results:

echo "1 ";
echo shell_exec('ffmpeg');
echo "\n2 ";
echo system('ffmpeg');
echo "\n3 ";
echo exec('ffmpeg');
===> None worked

echo "1 ";
echo shell_exec('/usr/bin/ffmpeg');
echo "\n2 ";
echo system('/usr/bin/ffmpeg');
echo "\n3 ";
echo exec('/usr/bin/ffmpeg');
===> None worked

echo "1 ";
echo shell_exec('ls');
echo "\n2 ";
echo system('ls');
echo "\n3 ";
echo exec('ls');
===> All 3 worked as expected.

Edit 3

php script:

echo "1 ";
echo shell_exec('touch test1.txt');
echo "\n2 ";
echo system('touch test2.txt');
echo "\n3 ";
echo exec('touch test3.txt');

error_log:

touch: cannot touch `test1.txt': Permission denied
touch: cannot touch `test2.txt': Permission denied
touch: cannot touch `test3.txt': Permission denied

php script:

echo "1 ";
echo shell_exec('/bin/touch test1.txt');
echo "\n2 ";
echo system('/bin/touch test2.txt');
echo "\n3 ";
echo exec('/bin/touch test3.txt');

error_log:

/bin/touch: cannot touch `test1.txt': Permission denied
/bin/touch: cannot touch `test2.txt': Permission denied
/bin/touch: cannot touch `test3.txt': Permission denied

php script:

echo "1 ";
echo shell_exec('/bin/touch /var/www/html/beta/test1.txt');
echo "\n2 ";
echo system('/bin/touch /var/www/html/beta/test2.txt');
echo "\n3 ";
echo exec('/bin/touch /var/www/html/beta/test3.txt');

error_log:

/bin/touch: cannot touch `/var/www/html/beta/test1.txt': Permission denied
/bin/touch: cannot touch `/var/www/html/beta/test2.txt': Permission denied
/bin/touch: cannot touch `/var/www/html/beta/test3.txt': Permission denied

What are the permissions on ffmpeg? Have you tried specifying the absolute path to ffmopeg instead of relying on detection at runtime? does your webserver run chroot? — symcbean, Oct 20 '10 at 14:05
....and what happens when you try to run it using 'su apache -c ffmpeg -i ....' — symcbean, Oct 20 '10 at 14:06
Apparently I can't su into apache... I do have apache as a user though — siliconpi, Oct 21 '10 at 08:16
When you say "None worked", did you pass it actual arguments so as to see if it would convert? — Ignacio Vazquez-Abrams, Oct 25 '10 at 07:57
Apologies - the query has "changed" somewhat from the original. I'm able to run only the ffmpeg program, but its output comes only in the error_log. If I pass parameters, it gives a permission denied error. So I am testing with touch as shown in Edit 3. — siliconpi, Oct 25 '10 at 08:04
Does the user the web server is running as have permissions to write to that directory? Also, I don't get notification of responses unless you prefix the comment with "@Ignacio:". — Ignacio Vazquez-Abrams, Oct 25 '10 at 08:11
@Ignacio - Sorry about that, didnt realize! About the permissions, the site and its files are all as root, but apache is the webserver. To what should i give permissions to apache? Just the key folder that the "script" is in, or the "destination" folder where the file should be created? — siliconpi, Oct 25 '10 at 08:14
`/var/www/html/beta` should be writable by the web server user. — Ignacio Vazquez-Abrams, Oct 25 '10 at 08:16
@Ignacio - changed it to the following, but it didnt help - drwxrwxr-x 19 apache apache 12288 Oct 25 08:20 beta — siliconpi, Oct 25 '10 at 09:24

score 1 · Answer 1 · answered Oct 20 '10 at 13:28

1

A few random thoughts:

How long does your ffpmpeg command takes ? if it takes longer than the value of max_execution_time in php.ini, I believe that the command is canceled.
try to use only full paths for the ffmpeg binary and the input/output files. Although, if you have a zero size file outputted, it shouldn't be that.
Does apache have the permission to run the ffmpeg binary ?
try a basic command in your system call, such as "touch test.txt" just to check if the problem is from ffmpeg or your php script.

answered Oct 20 '10 at 13:28

Julien Vehent

2,927
18
26

I dont think (1) is a problem. I've set the max_exec time to 5 mins. (2) ffmpeg is in the system path (3) I'm not sure! How do I test that? (4) you're right - this did NOT work - no file was created. – siliconpi Oct 21 '10 at 09:25
(1)is 5 minutes enough to encode your video ?. (3) what does "ps -edf|grep apache" returns ? the first column is the name of the user that runs apache, try to use it with "su -c ffmpeg...". (4) this is a coding problem. can't help here. – Julien Vehent Oct 21 '10 at 10:09
ps -edf... returns: apache 19394 9134 0 10:07 ? 00:00:00 /usr/sbin/httpd apache 19395 9134 0 10:07 ? 00:00:00 /usr/sbin/httpd apache 19396 9134 0 10:07 ? 00:00:00 /usr/sbin/httpd apache 19397 9134 0 10:07 ? 00:00:00 /usr/sbin/httpd apache 19398 9134 0 10:07 ? 00:00:00 /usr/sbin/httpd apache 19399 9134 0 10:07 ? 00:00:00 /usr/sbin/httpd apache 19400 9134 0 10:07 ? 00:00:00 /usr/sbin/httpd apache 19401 9134 0 10:07 ? 00:00:00 /usr/sbin/httpd root 19960 16055 0 10:28 pts/1 00:00:00 grep apache – siliconpi Oct 21 '10 at 10:29
I can't su apache... it says: This account is currently not available. – siliconpi Oct 21 '10 at 10:29
doesnt work either – siliconpi Oct 21 '10 at 10:41
Looks like 'apache' isnt allowed to do system() queries... how do i go about fixing that? – siliconpi Oct 21 '10 at 10:42
The system("ls..") command shows the following in error_log: "sh: ls: command not found" – siliconpi Oct 21 '10 at 10:55
Once again, try with the full path of the command. Probably /bin/ls. If it fails, then I believe you are running in a chroot and thus you must copy the relevant binary and linked libraries to your chroot before working with them. – Julien Vehent Oct 21 '10 at 12:22

score -1 · Answer 2 · answered Oct 22 '10 at 03:37

-1

It was a permissions issue, I had selinux enabled. By changing the setting in /etc/sysconfig/selinux

From: 
SELINUX=enforcing

To:
SELINUX=disabled

The system() commands started working

answered Oct 22 '10 at 03:37

siliconpi

1,707
6
30
45

Whoops! Spoke too soon... see edit2 – siliconpi Oct 22 '10 at 10:31
under no circumstances should you ever make this a permanent fix. – Erik Nov 18 '20 at 19:54

What permissions are needed to run a system() command within a php script that writes to a folder?

2 Answers2

Linked