PHP: Permissions Denied while reading directories or writing files

Discussion in 'Installation/Configuration' started by Quasdunk, Sep 24, 2012.

  1. Quasdunk

    Quasdunk New Member

    I'm not quite sure how to describe the problem, but I guess it has something to do with the settings in the ISPConfig-Backend concerning PHP and open_basedir.

    For instance, I get the following messages when performing filesystem-operations:

    //creating a directory
    mkdir(): Permission denied
    //writing a file
    file_put_contents(..filename..): failed to open stream: Permission denied
    //reading a directory
    opendir(...path...): failed to open dir: Permission denied
    //using curl
    curl_setopt(): CURLOPT_FOLLOWLOCATION cannot be activated when safe_mode is enabled or an open_basedir is set
    In ISPConfig, PHP is set to Fast-CGI and open_basedir contains the following entries:
    My application is running in /var/www/clients/client1/web5/web/my_application/

    So, how can I configure ISPConfig to let PHP read/write to the filesystem? Is it possible (or wise) to disable open_basedir or safe_mode? Or is this not the problem?

    Thanks in advance!
  2. falko

    falko Super Moderator ISPConfig Developer

    Does your application write to /var/www/clients/client1/web5/web/my_application/ or to some directory outside open_basedir?

    If it writes to /var/www/clients/client1/web5/web/my_application/: are the permissions/ownerships of /var/www/clients/client1/web5/web/my_application/ ok?
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Ensure that you enabled the suexec checkbox in the site settings; without suexec you can't write to the file system of the site.
  4. Quasdunk

    Quasdunk New Member

    > Does your application write to /var/www/clients/client1/web5/web/my_application/ or to some directory outside open_basedir?
    - No, it just writes to .../my_application.

    > If it writes to /var/www/clients/client1/web5/web/my_application/: are the permissions/ownerships of /var/www/clients/client1/web5/web/my_application/ ok?
    - I think so, they are set to drwx--x--- - which seems quite normal to me, I guess.

    > Ensure that you enabled the suexec checkbox in the site settings...
    - Yep, it is checked.

    What might be interesting though:
    From an ISPConfig-perspective, I have several sites (web3, web4, web5) of one client (client1). All the sites share one web-directory with the my_application/-folder in it (web1).

    So my actual filestructure is:
    But since both web1 and web5 belong to the same group (client1), there should be no problem, right?
    I have also tried adding /var/www/clients/client1/web1/web: to the open_basedirs, but that did not help either.
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    This explains the problem: each site runs under its own user, so you cannot share a directory if a script shall be able to write to the filesystem. The files and folders have to be owned by the user of the website that runs the script, not the group. The group exists only for the apache server to get read access to serve images and plain html files without scripts.
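
An added example, not part of the original thread: the owner/group/other decision behind the explanation above, applied to the drwx--x--- (710) mode quoted earlier. The UIDs and GIDs are constructed stand-ins for the web1 and web5 site users and the client1 group; `check_path` assumes GNU `stat` and `id`.

```sh
#!/bin/sh
# Added example. UIDs/GIDs are constructed stand-ins for ISPConfig's
# per-site users (web1, web5) and the shared client group (client1).

# perm_class OWNER_UID OWNER_GID PROC_UID "PROC_GIDS" -> owner|group|other
# Mirrors the kernel's order: an owner match wins, then any group match,
# otherwise "other". Only that one class's bits are consulted.
perm_class() (
    if [ "$3" -eq "$1" ]; then echo owner; exit 0; fi
    for g in $4; do
        if [ "$g" -eq "$2" ]; then echo group; exit 0; fi
    done
    echo other
)

# class_bits OCTAL_MODE CLASS -> e.g. "rwx" or "--x"
class_bits() (
    m=$((0$1))                      # read the mode as an octal number
    case $2 in owner) s=6 ;; group) s=3 ;; *) s=0 ;; esac
    b=$(( (m >> s) & 7 ))
    r=-; w=-; x=-
    if [ $((b & 4)) -ne 0 ]; then r=r; fi
    if [ $((b & 2)) -ne 0 ]; then w=w; fi
    if [ $((b & 1)) -ne 0 ]; then x=x; fi
    echo "$r$w$x"
)

# access_for OWNER_UID OWNER_GID MODE PROC_UID "PROC_GIDS" -> "class bits"
access_for() (
    c=$(perm_class "$1" "$2" "$4" "$5")
    echo "$c $(class_bits "$3" "$c")"
)

# check_path PATH USER: the same check against a real directory
# (GNU stat and id; run it on the server itself).
check_path() (
    set -- $(stat -c '%u %g %a' "$1") "$(id -u "$2")" "$(id -G "$2")"
    access_for "$1" "$2" "$3" "$4" "$5"
)

# Thread scenario: my_application/ is drwx--x--- (710), owned by web1:client1.
echo "web1: $(access_for 5004 5005 710 5004 '5004 5005')"   # owner rwx
echo "web5: $(access_for 5004 5005 710 5008 '5008 5005')"   # group --x
```

A script running as web5 lands in the group class and gets only `--x`: it can traverse the directory but cannot list it (opendir) or create entries in it (mkdir, file_put_contents), which matches the errors in the first post.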
  6. Quasdunk

    Quasdunk New Member

    Thanks for the clarification.

    But is there no way to make this setup run anyway?
    I want all my sites to use this one application and I want it to be in one common directory, so I don't have to deploy changes to the web-directory of each site.
    Can't I just turn off the open_basedir restrictions somehow? Or would that tear a big security hole in my server?
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    The problem is not the open_basedir restriction; the problem is the file permissions, which do not allow the scripts to write to the filesystem.

    What you can try is this; it is not secure and I won't use it on my servers:

    1) Change php mode to mod_php
    2) Change the "web" directory and subdirectories where all files of this site are stored to the user and group of the apache server, e.g. www-data on a debian or ubuntu system.
    3) Add the directory where the files are stored to the open_basedir setting of all sites.
    4) Disable the option that permissions of sites get set on update under System > server config > web

    I won't disable it on a server that is connected to the internet.
  8. Quasdunk

    Quasdunk New Member

    Thank you very much for your elaboration!

    I guess I understand your approach to make it work and why this would be a security risk. Since my server sure is connected to the internet and - even worse - dealing with sensitive customer data, this probably would not be an appropriate solution in my case.

    So, basically, there is no way of dealing with different top-level-domains and an application outside of their own web-folder in ISPConfig (except at the expense of security), right?
    That's way too bad... And it's really hard to believe that I'm the only/first one who bumped into this problem :(

    Thank you very much for your effort!
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    That's right, but not limited to ispconfig. Every server control panel that would allow you the configuration that you wanted to do has the same security risks as the setup that I described above, so this is not ispconfig specific. The only difference to other panels is that ispconfig tries to enforce a secure setup out of the box while other panels might allow you the above configuration without informing you about the risks.

    If you want to use several domains on the same cms system, you would use an aliasdomain in ispconfig and don't create a new website.
  10. Quasdunk

    Quasdunk New Member

    Thanks, that actually makes sense :)

    To be honest, I wasn't quite aware of your suggested option of creating aliases for a website. But after a closer look at it, this looks like a step in the right direction!

    • I have an SSL-certificate for each domain. Will it be possible (or necessary after all) to install SSL-certificates for the aliasdomains of my main website/domain?
    • Will it have any effect on sending/receiving emails to/from those separate domains?
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    If you use aliasdomains, the ssl certificate has to be a multidomain ssl cert, as a vhost in apache can only have one ssl cert.

  12. Quasdunk

    Quasdunk New Member

    Thank you so much, you definitely saved my day! :)
    This was bothering me way too long, so thanks again for putting the finger on the actual problem!
