  #1  
24th September 2012, 16:06
Quasdunk
PHP: Permissions Denied while reading directories or writing files

I'm not quite sure how to describe the problem, but I guess it has something to do with the settings in the ISPConfig-Backend concerning PHP and open_basedir.

For instance, I get the following messages when performing filesystem-operations:

Code:
//creating a directory
mkdir(): Permission denied

//writing a file
file_put_contents(..filename..): failed to open stream: Permission denied

//reading a directory
opendir(...path...): failed to open dir: Permission denied

//using curl
curl_setopt(): CURLOPT_FOLLOWLOCATION cannot be activated when safe_mode is enabled or an open_basedir is set

In ISPConfig, PHP is set to Fast-CGI and open_basedir contains the following entries:
Quote:
/var/www/clients/client1/web5/web:
/var/www/clients/client1/web5/tmp:
/var/www/mydomain.tld/web:
/srv/www/mydomain.tld/web:
/usr/share/php5:
/tmp:
/usr/share/phpmyadmin:
/etc/phpmyadmin:
/var/lib/phpmyadmin:
/usr/share/php

My application is running in /var/www/clients/client1/web5/web/my_application/

So, how can I configure ISPConfig to let PHP read/write to the filesystem? Is it possible (or wise) to disable open_basedir or safe_mode? Or is this not the problem?

Thanks in advance!
  #2  
25th September 2012, 20:34
falko

Does your application write to /var/www/clients/client1/web5/web/my_application/ or to some directory outside open_basedir?

If it writes to /var/www/clients/client1/web5/web/my_application/: are the permissions/ownerships of /var/www/clients/client1/web5/web/my_application/ ok?
  #3  
26th September 2012, 10:06
till

Ensure that you enabled the suexec checkbox in the site settings; without suexec you can't write to the file system of the site.
  #4  
26th September 2012, 10:36
Quasdunk

@falko
> Does your application write to /var/www/clients/client1/web5/web/my_application/ or to some directory outside open_basedir?
- No, it just writes to .../my_application.

> If it writes to /var/www/clients/client1/web5/web/my_application/: are the permissions/ownerships of /var/www/clients/client1/web5/web/my_application/ ok?
- I think so, they are set to drwx--x--- - which seems quite normal to me, I guess.

@till
> Ensure that you enabled the suexec checkbox in the site settings...
- Yep, it is checked.


What might be interesting though:
From an ISPConfig-perspective, I have several sites (web3, web4, web5) of one client (client1). All the sites share one web-directory with the my_application/-folder in it (web1).

So my actual filestructure is:
Quote:
--- the real path to my_application ---
/var/www/clients/client1/web1/web/my_application/

--- symbolic link from my_site.tld1 (owned by web5) to the common web-directory (owned by web1) ---
/var/www/my_site.tld1/web -> /var/www/clients/client1/web1/web/

But since both web1 and web5 belong to the same group (client1), there should be no problem, right?
I have also tried adding /var/www/clients/client1/web1/web: to the open_basedirs, but that did not help either.
  #5  
26th September 2012, 11:56
till

Quote:
From an ISPConfig-perspective, I have several sites (web3, web4, web5) of one client (client1). All the sites share one web-directory with the my_application/-folder in it (web1).

This explains the problem: each site runs under its own user, so you cannot share a directory if a script shall be able to write to the filesystem. The files and folders have to be owned by the user of the website that runs the script, not the group. The group exists only for the apache server to get read access to serve images and plain html files without scripts.
  #6  
26th September 2012, 12:06
Quasdunk

@till
Thanks for the clarification.

But is there no way to make this setup run anyway?
I want all my sites to use this one application and I want it to be in one common directory, so I don't have to deploy changes to the web-directory of each site.
Can't I just turn off the open_basedir restrictions somehow? Or would that tear a big security hole in my server?
  #7  
26th September 2012, 13:08
till

The problem is not the open_basedir restriction; the problem is the file permissions, which do not allow the scripts to write to the filesystem.

What you can try is this, it is not secure and I won't use it on my servers:

1) Change php mode to mod_php
2) Change the "web" directory and subdirectories where all files of this site are stored to the user and group of the apache server, e.g. www-data on a debian or ubuntu system.
3) Add the directory where the files are stored to the open_basedir setting of all sites.
4) Disable the option that permissions of sites get set on update under System > server config > web


Quote:
Or would that tear a big security hole in my server?

I won't disable it on a server that is connected to the internet.
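
Added example, not part of any post in this thread: a shell sketch of the two separate checks discussed above, first whether the symlink-resolved path falls inside a site's open_basedir list, then which permission class (owner, group, other) applies to the site user on the shared directory. The helper names `in_basedir` and `write_class` are hypothetical, the open_basedir test is a simplified model, and the directory layout is constructed under a temporary directory using the thread's names.

```shell
#!/bin/sh
# Added example, not from the thread. Helper names are hypothetical; user, group
# and directory names follow the thread, rebuilt under a temporary directory.

# in_basedir PATH LIST: succeed if PATH, after symlink resolution, lies under an
# entry of the colon-separated LIST (simplified model of the open_basedir test).
in_basedir() {
    real=$(readlink -f -- "$1") || return 2
    old_ifs=$IFS; IFS=:
    set -- $2                      # split LIST on ':' into positional parameters
    IFS=$old_ifs
    for entry in "$@"; do
        base=$(readlink -f -- "$entry" 2>/dev/null) || continue
        case "$real/" in "${base%/}"/*) return 0 ;; esac
    done
    return 1
}

# write_class USER "USER_GROUPS" OWNER GROUP MODE: print which permission class
# applies to USER (owner, else group, else other) and whether it has the w bit.
write_class() {
    mode=$(printf '%04o' "0$5")    # normalise 710 or 2710 to four octal digits
    if [ "$1" = "$3" ]; then class=owner pos=2
    else
        case " $2 " in
            *" $4 "*) class=group pos=3 ;;
            *)        class=other pos=4 ;;
        esac
    fi
    digit=$(printf %s "$mode" | cut -c"$pos")
    if [ $(( digit & 2 )) -ne 0 ]; then echo "$class:write"; else echo "$class:denied"; fi
}

# Constructed layout: web5's document root is a symlink into web1's web directory.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/clients/client1/web1/web/my_application" \
             "$root/clients/client1/web5/web" "$root/my_site.tld1"
    ln -s "$root/clients/client1/web1/web" "$root/my_site.tld1/web"
    target=$root/my_site.tld1/web/my_application
    web5=$root/clients/client1/web5/web
    in_basedir "$target" "$web5" || echo "open_basedir: blocked, path resolves into web1"
    in_basedir "$target" "$web5:$root/clients/client1/web1/web" && echo "open_basedir: allowed once web1/web is listed"
    # Mode 710 is the drwx--x--- from the thread; web5 is only a group member.
    echo "web5 writing to web1-owned 710 directory: $(write_class web5 client1 web1 client1 710)"
    rm -rf "$root"
}
demo
```

On a real server the inputs for `write_class` can be read with `stat -c '%U %G %a' DIR` and `id -Gn USER`.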
  #8  
26th September 2012, 14:27
Quasdunk

@Till
Thank you very much for your elaboration!

I guess I understand your approach to make it work and why this would be a security risk. Since my server sure is connected to the internet and - even worse - dealing with sensitive customer data, this probably would not be an appropriate solution in my case.

So, basically, there is no way of dealing with different top-level-domains and an application outside of their own web-folder in ISPConfig (except at the expense of security), right?
That's way too bad... And it's really hard to believe that I'm the only/first one who bumped into this problem

Thank you very much for your effort!
  #9  
26th September 2012, 14:36
till

Quote:
So, basically, there is no way of dealing with different top-level-domains and an application outside of their own web-folder in ISPConfig (except at the expense of security), right?

That's right, but not limited to ispconfig. Every server controlpanel that would allow you the configuration that you wanted to do has the same security risks as the setup that I described above, so this is not ispconfig specific. The only difference to other panels is that ispconfig tries to enforce a secure setup out of the box while other panels might allow you the above configuration without informing you about the risks.

If you want to use several domains on the same cms system, you would use an aliasdomain in ispconfig and don't create a new website.
  #10  
26th September 2012, 14:50
Quasdunk

@Till
Thanks, that actually makes sense

To be honest, I wasn't quite aware of your suggested option of creating aliases for a website. But after a closer look at it, this looks like a step in the right direction!

But:
  • I have an SSL-certificate for each domain. Will it be possible (or necessary after all) to install SSL-certificates for the aliasdomains of my main website/domain?
  • Will it have any effect on sending/receiving emails to/from those separate domains?