PHP exec()

[tgavin]

I have a php script that creates directories and sets the permission. Now I need to have that script set the owner and group of that created dir from 'nobody' to the site's owner.

When I run the following, I don't receive any errors, but it also doesn't change the owner. How can I get this to work? Is there something within cpanel that I need to disable?

$user  = "username";
$path  = "/home/".$user."/public_html/media/";
$own = "chown -R ".$user." ".$path."";
$own = escapeshellcmd($own);
exec($own);
if(!$own) {
     die("Can not change ownership on the folder.");
}

 

[BianchiDude]

That wont would you need to be root to do that.

You best bet is too set a cronjob that does that.

 

[tgavin]

That wont would you need to be root to do that.

You best bet is too set a cronjob that does that.

Thanks for your reply. A cronjob won't work for me. This is written for a customer, who will only use this script once in a while. Not very often. If I were to set up a cronjob it would have to run all the time, to anticipate when they're going to run this script. Unless you know of a way for php to set and delete a crontab.

Also, it just seems odd to me that php would have these functions if they only worked with a cronjob, or as root.

 

[RickG]

The issue is that the PHP process doesn't have sufficient privileges to change the file ownership. Are you using PHPSuExec? If so, wouldn't the files automatically be created as the site owner (rather than nobody)?

 

[tgavin]

The issue is that the PHP process doesn't have sufficient privileges to change the file ownership. Are you using PHPSuExec? If so, wouldn't the files automatically be created as the site owner (rather than nobody)?

How can I tell if I'm using PHPSuExec? Is there a way to just enable/disable it for that one domain using .htaccess?

 

[chirpy]

No, it's a server-wide setting. If files are being written from php scripts with the user nobody then you're not running phpsuexec.

 

[tgavin]

No, it's a server-wide setting. If files are being written from php scripts with the user nobody then you're not running phpsuexec.

Well, I guess the next questions is "Do I want to run phpsuexec?" Yes? No? Why?

 

[NightStorm]

Security-wise? HECK YES. It assures that any file written to the server is given permissions for the proper owner, instead of "nobody". This includes any files that are dropped into /tmp by php exploits. it also further locks down the security to help prevent writing to directories that do not belong to you... if you drop a file owned by user1:user1 into directory /home/newuser/public_html, Apache will not allow it to run (it's owned by the wrong person). It will also make sure that user1 can not write to any file owned by newuser... with server-created files owned by nobody, technically, any other user can write to it as well, since the ownership is the same.
Downside? No more 777 directory permissions. 755 is the best it gets... but since the file ownership is fixed, this is good enough. Any of your users that have 777 will need to step it down, though. No php flags can be written into htaccess, either, so any custom php settings for an account will need to be written into a php.ini file, and dropped in each folder it needs to affect. This is a downside, but a small one, in the grander scheme of things.
Just imagine. Someone exploits your server, and drops a perl file into your /tmp directory by using something like the phpBB exploit. Without phpSuExec, this file is owned by nobody:nobody, and you get to spend the next few hours going through logs to find out who's account was exploited by this. With phpSuExec, the ownership of the file will tell you right away who's account it came from.

 

[tgavin]

Thanks for the explanation!

For this one account in question, I have some custom settings. PHP files are running with .html extensions (the site was redesigned/rebuilt with php, but we wanted to keep the search engine links in place). There is also a custom CMS written in php that allows for file uploads into directories chmod'd 0777.

With phpsuexec on, will I be able to upload into directories with perms set to 0755?
Will I need to create a php.ini file for the .html extension? If so, how would I do that? Could I just do that server-wide, instead of on a site-by-site basis?

Thanks to all for your help!

 

[NightStorm]

phpSuExec is serverwide, unless you manually compile a second build and run it independantly alongside.
Yes, you will be able to upload, so long as the directory has the proper ownership permissions (username:username).
The extension would not make a difference, so long as Apache still knows to handle html extensions with the php exec. Another option you could make, of course, would be to use a htaccess mod_rewrite to forward all *.html to *.php for that domain. This would solve the search-engine problem.
How exactly does php know to handle the html extension? Is it hardcoded into your httpd.conf file, or added into an htaccess?

 

[tgavin]

How exactly does php know to handle the html extension? Is it hardcoded into your httpd.conf file, or added into an htaccess?

It's added into .htaccess at the site's root. How would I hardcode it into httpd.conf?

 

[NightStorm]

In httpd.conf, with AddHandler. It'd look something like this:

AddHandler application/x-httpd-php .php .php4 .php3 .html

But, same with phpSuExec, this would be a global thing.

 

[tgavin]

Thanks so much for all of your help!