
I'm stuck and need help understanding file-create permission for members of a group.


In PHP, I want to fopen / create a file in a folder that is owned by mysql:mysql (for importing data into MySQL).

ls -ld on the folder:

drwxrwx--- 2 mysql mysql 4096 Dec 14 14:33 /var/lib/mysql-files

PHP runs as user www-data.

I added user 'www-data' to group 'mysql':

sudo usermod -a -G groupName userName 

Verified:

sudo groups www-data
    www-data : www-data mysql

It appears my PHP user account 'www-data' has write permission to the folder through group membership, but I get error 13 'permission denied'.


While typing this question, a similar question (https://serverfault.com/a/534000/65092) had an answer that the parent folders (/var and /var/lib) need to have 'x' permission for the user or group. I understand that to mean:

PHP user 'www-data' needs to be able to look inside /var, to read /lib, to read /mysql-files.

/var = drwxr-xr-x 16 root root 
/var/lib = drwxr-xr-x 62 root root 

And it appears this is already enabled.


Any suggestions or comments? Thanks.

Steve Wasiura
  • Check http://serverfault.com/questions/477877/unix-overwriting-a-file-written-by-another-user-in-same-group – MikeVelazco Dec 14 '16 at 21:55
  • MySQL only needs to be able to read the file, for a `LOAD DATA INFILE` bulk load. You do not need to write it in a directory that MySQL owns; `/tmp` would suffice. – Michael Hampton Dec 14 '16 at 22:03
  • @MikeVelazco thanks, I used setgid, but it did not solve the issue; however, reading more about umask led me to setfacl, and ultimately to a solution, which I will explain in my answer below. – Steve Wasiura Dec 15 '16 at 16:11
  • @MichaelHampton mysql has --secure-file-priv option ON, therefore I must write the "data-to-be-imported" file in that specific folder. – Steve Wasiura Dec 15 '16 at 16:13

1 Answer


Solution:

I applied Mike's suggested link solution of

sudo chmod g+s /var/lib/mysql-files

(which is supposed to set the group ID of any newly created file equal to the group of its parent folder), but I was still unable to create a file in that folder using PHP.

Upon further reading, I learned that permissions are applied after login (duh, of course), but since user www-data does not have a password and cannot log in, I needed to reboot the server to see if the new permissions would take effect.

Next I tested the file creation through PHP from a terminal, but it still did not work. I soon realized the PHP CLI was launched from my user account on the terminal, so it was not running as user www-data, hence permission denied. I launched PHP from the terminal running as user www-data with `sudo -u www-data php -a`, and voilà! The file was created.

Checking the file permissions after creation, the owner was www-data and the group was properly set to the group of its parent folder; however, the write permission was not set. Further reading about umask led me to use `sudo setfacl -d -m group:mysql:rwx /var/lib/mysql-files` (to set up an access control list that enables write permission for the group on new files created in the folder; it appeared the write permission of the folder was already enabled for the group, so I'm not sure why this extra step was needed).

A further test from the command line running php as user 'www-data' passed.

A test using the full php script passed.

Thanks!

Steve Wasiura
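The facts the whole thread turns on, as an added example (my own shell script, not code from the question or the answer): the kernel evaluates exactly one of the owner, group or other permission triples, chosen in that order, so a group-writable directory still denies a user who is not in its group; reaching the directory needs 'x' on every ancestor, and creating a file in it needs 'w' and 'x' on the directory itself; and a new file's mode is what the program asked for (0666 for fopen()/touch) minus the umask, so with the usual 022 the group write bit is dropped regardless of the directory's own mode. That last point is why `chmod g+s` fixed the group of the new file but not its write bit, and why a default ACL (`setfacl -d`) did: when a directory carries a default ACL, the umask is not applied to files created in it. Note also that supplementary groups are assigned when a process starts, so after `usermod -a -G` the php-fpm or Apache process has to be restarted for www-data to pick up the mysql group; a reboot achieves that too. The script assumes a Unix `ls` whose first column is the 10-character mode string (optionally followed by `+` when an ACL is present), that the user exists locally, and paths without whitespace; the file name in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Reproduces the checks the thread turns on using only ls, id, chmod and umask.
# Caveats: root bypasses mode bits entirely; ACLs, SELinux and AppArmor are
# not evaluated here (a '+' after the mode string means an ACL extends these
# bits; inspect it with getfacl).

# perm_bit MODE WHO PERM -> prints yes|no.
# MODE is e.g. drwxrwx---, WHO is owner|group|other, PERM is r|w|x.
# Lowercase s/t in the x slot mean "x set plus setuid/setgid/sticky";
# uppercase S/T mean the special bit is set but x is not.
perm_bit() {
  case $2 in
    owner) pb_triple=$(printf '%s' "$1" | cut -c2-4) ;;
    group) pb_triple=$(printf '%s' "$1" | cut -c5-7) ;;
    *)     pb_triple=$(printf '%s' "$1" | cut -c8-10) ;;
  esac
  case $3 in
    r) pb_c=$(printf '%s' "$pb_triple" | cut -c1) ;;
    w) pb_c=$(printf '%s' "$pb_triple" | cut -c2) ;;
    *) pb_c=$(printf '%s' "$pb_triple" | cut -c3) ;;
  esac
  case $pb_c in
    r|w|x|s|t) echo yes ;;
    *)         echo no ;;
  esac
}

# user_has USER PATH PERM -> yes|no, using the single triple that applies to
# USER: owner if USER owns PATH, else group if PATH's group is among USER's
# groups (id -Gn), else other. This is the kernel's selection order.
user_has() {
  uh_user=$1; uh_perm=$3
  uh_ls=$(ls -ld "$2" 2>/dev/null) || return 2
  set -- $uh_ls
  uh_mode=$(printf '%s' "$1" | cut -c1-10)
  uh_who=other
  if [ "$3" = "$uh_user" ]; then
    uh_who=owner
  else
    for uh_g in $(id -Gn "$uh_user" 2>/dev/null); do
      if [ "$uh_g" = "$4" ]; then uh_who=group; break; fi
    done
  fi
  perm_bit "$uh_mode" "$uh_who" "$uh_perm"
}

# check_path USER ABS_DIR -> exit 0 if USER can create files in ABS_DIR by
# mode bits alone: 'x' on every ancestor (/, /var, /var/lib, ...) and both
# 'w' and 'x' on ABS_DIR. Prints each failing component and exits 1 otherwise.
check_path() {
  cp_user=$1; cp_target=$2; cp_rc=0
  case $cp_target in /*) ;; *) echo "check_path: need an absolute path" >&2; return 2 ;; esac
  cp_chain=$cp_target; cp_p=$cp_target
  while [ "$cp_p" != / ]; do
    cp_p=$(dirname "$cp_p")
    cp_chain="$cp_p $cp_chain"
  done
  for cp_d in $cp_chain; do
    if [ "$cp_d" = "$cp_target" ]; then cp_need="w x"; else cp_need=x; fi
    for cp_perm in $cp_need; do
      if [ "$(user_has "$cp_user" "$cp_d" "$cp_perm")" != yes ]; then
        echo "DENIED: $cp_user lacks '$cp_perm' on $cp_d: $(ls -ld "$cp_d" | cut -c1-11)"
        cp_rc=1
      fi
    done
  done
  return $cp_rc
}

# dir_has_setgid DIR -> yes|no (the 's'/'S' in the group x slot).
dir_has_setgid() {
  ds_ls=$(ls -ld "$1" 2>/dev/null) || return 2
  case $(printf '%s' "$ds_ls" | cut -c7) in
    s|S) echo yes ;;
    *)   echo no ;;
  esac
}

# create_mode DIR UMASK -> the mode string of a file just created in DIR under
# UMASK, e.g. "-rw-r--r--" for 022, then removes the probe file. The shell's
# redirection asks for 0666 exactly like fopen("w") does; the umask strips bits
# from that, so a setgid, group-writable directory still yields no group 'w'
# under 022 unless the directory carries a default ACL.
create_mode() {
  cm_f=$1/probe.$$
  (umask "$2" && : > "$cm_f") || return 2
  set -- $(ls -l "$cm_f")
  rm -f "$cm_f"
  printf '%s\n' "$1" | cut -c1-10
}

# Usage (hypothetical file name): sh check_path.sh www-data /var/lib/mysql-files
if [ $# -eq 2 ]; then
  check_path "$1" "$2" && echo "OK: $1 can create files in $2 (by mode bits only)"
fi
```

Run it as root with the service account and the target directory; every DENIED line names the component that would produce the EACCES (errno 13) the question saw. Running `sudo -u www-data sh -c 'echo > /var/lib/mysql-files/probe'` afterwards is the ground truth, since it also exercises ACLs and any MAC policy.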