
I've got a PHP script that creates a folder on my server. This folder is supposed to be accessed via Apache, and users can view it online.

Now if I create this folder while being root, everything works as it should, I can view the html/php when going on the website.

If I create this folder while being the user Apache (or running my script), I can create the folder and put all the files inside, but when I go to my webpage, it displays:

You don't have permission to access / on this server.

Now I don't know that much about Apache, but for me the easiest solution is to give ownership of my folder to root. I try typing:

chown root:root /blabla/myfolder

and it writes:

chown: changing ownership of 'myfolder/': Operation not permitted

Why is that?

Thank you

xtrimsky

2 Answers


Others seem to be answering your implied question of "how do I fix that?", and doing a good job of it, so I thought I'd answer your actual question of "why is that?".

Disclaiming a file via chown, that is, chowning it to some other user, is forbidden to all non-root users for good reasons. Consider the following sequence:

cp /bin/bash ~/naughty

Now you have a copy of bash in your home directory. You own it. No big deal.

chmod 4755 ~/naughty

Now you have a copy of bash which can be run by anyone, and anyone who runs it will become you, because you have set the SUID bit on the binary, and you own the file. Not so good.

chown root:root ~/naughty

Congratulations, you just rooted your system; you have a copy of the shell which is SUID to root and can be run by anyone.

There are other reasons why the power to disclaim a file is bad, e.g. it messes with disc quotas if anyone can create a big file then give it to another user. But the killer reason is the one above, and the only way to plug that hole (without getting rid of SUID, which is a lovely idea but hard to do) is to say that no one who is not root may give a file to another user.

MadHatter
  • Thanks! Even though technically the other answer is what I really need right now, I find it more important to understand why it is working this way to understand more the core of Linux :) – xtrimsky Dec 05 '11 at 17:41

You do not need to change owner and group to root on the folder, nor can you. You can, however, give read permissions on group and other with:

chmod go+r foldername

Example:

yvaine:~ rilindo$ ls -la | grep test
drw-------    2 rilindo  staff        68 Dec  5 01:10 test
yvaine:~ rilindo$ chmod go+r test
yvaine:~ rilindo$ ls -la | grep test
drw-r--r--    2 rilindo  staff        68 Dec  5 01:10 test

However, if it is an empty folder, it is possible that directory browsing is disabled in Apache by default. In that case, you can add or modify someplace in your stanza:

Options +Indexes

Note that it is generally best practice to disable directory browsing unless there is a good reason for it.

Rilindo
  • 1) The directory is not empty, that is not the problem. 2) I have already tried applying chmod 777 on the folder using apache, and the webserver still cannot display the folder. Same if I apply 777 to every file in the folder. Can it be something else? – xtrimsky Dec 05 '11 at 17:38
  • Then it's the web server configuration, as I noted. Here is more information on this (http://httpd.apache.org/docs/1.3/misc/FAQ.html#indexes). It's Apache 1.3, but the configuration hasn't changed too much. If you need more information, here is another URL: http://www.besthostratings.com/articles/prevent-directory-listing.html – Rilindo Dec 05 '11 at 17:53
  • OK, so by default it was at `Options -Includes -ExecCGI`. I've changed it to just `Options +Indexes` but it still doesn't change anything. Also, my configuration is passing through symbolic links; that shouldn't be a problem, no? I'm using symbolic links to keep all versions of the website and linking the version I want to use to the folder! I've tried using +FollowSymLinks but it doesn't change anything. Anyway, if it's root who does everything it works, just not a folder created by apache. – xtrimsky Dec 05 '11 at 23:47
  • FollowSymLinks is the right option. If the symlinks are owned by root, that may be a problem, even if they are fully readable. I suggest recreating the symlinks under apache instead. What does /var/log/httpd/error_log say? – Rilindo Dec 05 '11 at 23:52
  • Oh, I was watching the wrong error log... Found out this website has another error log. Now it says: Symbolic link not allowed or link target not accessible: /var/www/vhosts/***/httpdocs . Now that I have the error logs I'll be able to try a few more things, thank you! Will keep you updated in the next few hours. – xtrimsky Dec 06 '11 at 00:20
  • Yes, so one of my symbolic links was not made by apache. Thank you! – xtrimsky Dec 06 '11 at 02:34
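
The diagnosis the thread ends on (a symlink in the served path whose owner differs from its target's, plus directory mode bits) can be checked component by component. This is an added example, not code from any of the posters; `audit_path` and its parameters are hypothetical names, and the owner comparison assumes the vhost enforces Apache's `SymLinksIfOwnerMatch` option, which the thread never names.

```python
import os
import stat

def _bits(st, uid, gids):
    """rwx triplet (0-7) the kernel applies to uid/gids for this inode."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def audit_path(path, base="/", uid=None, gids=()):
    """Check every component of `path` below `base` for the server user
    (`uid`/`gids`, hypothetical parameters). Returns [(component, problem)]."""
    uid = os.geteuid() if uid is None else uid
    findings, current = [], base
    for part in os.path.relpath(path, base).split(os.sep):
        current = os.path.join(current, part)
        try:
            st = os.lstat(current)
        except OSError:
            findings.append((current, "missing or unreachable"))
            break
        if stat.S_ISLNK(st.st_mode):
            link_uid = st.st_uid
            try:
                st = os.stat(current)  # follows the link to its target
            except OSError:
                findings.append((current, "symlink target not accessible"))
                break
            if link_uid != st.st_uid:  # the SymLinksIfOwnerMatch condition
                findings.append((current, "symlink owner %d != target owner %d"
                                 % (link_uid, st.st_uid)))
        bits = _bits(st, uid, gids)
        if stat.S_ISDIR(st.st_mode) and not bits & 1:
            findings.append((current, "directory lacks search (x) bit for server user"))
            break  # nothing below an unsearchable directory is reachable
        if stat.S_ISREG(st.st_mode) and not bits & 4:
            findings.append((current, "file not readable by server user"))
    return findings
```

The check works from mode bits alone, so it gives the same answer whoever runs it; pass the web server account's uid and group ids to see the path as that account does.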