Allow apache / php user to access folder outside of web root

Question

(centos 5.8, php 5, apache 2.3, FMS 4.5)

Using Adobe Flash Media Server (FMS) recording from a webcam with a custom app works fine and the flv files are created in /opt/adobe/fms/applications/record/stream/definst

Play back of these files via rtmp works fine also and everything is cool. But I'd like to play these files back on an iOS device and iOS can't handle flash so they need to be converted to .mp4

One of the solutions I've found is to use ffmpeg to convert the .flv to .mp4 - and from the command prompt, this works fine

From a php script in my apache www root, using exec, shell_exec, or even system, it returns nothing and the .mp4 is never created

if i just do exec_shell("ffmpeg --help") it works and i get the output in the browser - so apache / php can execute ffmpeg just fine

So the problem is apache / php having access to either read the file outside of wwwroot or to turn around and write the new .mp4

I've tried to create a symlink in my wwwroot and use that for my path instead of the absolute path, allowed following symbolic links in the apache config but that didn't work.

I'm missing something here...

Ideas?

Ultimately I'd like the .mp4 file to be created somewhere in my www root folder so an iOS device can hit it via http

does the folder you want to write to have the correct rights? — Lucas Kauffman, Jul 23 '12 at 19:33
I've tried outputting the .mp4 to just the same folder my script was running in and the same happened. Looking at error_log - permission denied - which i guess is my question - permissions for who? the apache user or the FMS user? — lsiunsuex, Jul 23 '12 at 19:37
that's easily solved, just execute the command whoami and display the output, it will tell you who's executing the cmd. — Lucas Kauffman, Jul 23 '12 at 19:39
so whoami returns apache and groups returns apache fms - and the permission denied is when accessing the /opt/adobe/fms/.... — lsiunsuex, Jul 23 '12 at 19:50
the /opt/adobe/fms/... is owned by the FMS user FMS creates when its installed - thats my problem. how do I grant the apache user access to that folder also? — lsiunsuex, Jul 23 '12 at 19:57

score 1 · Answer 1 · answered Jul 23 '12 at 20:09

You can allow anyone read access to a folder with

chmod a+rx <foldername>

The execute bit is needed to enter the folder.

If you don't want anyone on the system to be able to access the folder you could add apache to the FMS group and set the folder to

chmod g+rx <foldername>

Lucas Kauffman · Answer 2 · 2012-07-23T20:33:23.300

To add Apache to the FMS group, do:

usermod -G FMS apache

Then make sure members of the group can execute, write and read to that folder:

chmod 770 /path/to/fmsfolder

Should FMS be used for other things, then I suggest you create a separate group webFMS and add FMS to that group as well and then just chown the folder to that group. This is more secure. If FMS only uses that folder, then don't bother.

Do mind you need to understand the risk involved, shell commands must be handled carefully for security reasons. Read the manual for correct escaping, especially when users can add things to them.

Allow apache / php user to access folder outside of web root

2 Answers2