Permissions: What’s the right way to give Apache more user permissions?

Context: I am making an in-browser control panel that gives me one button access to a library of scripts (.sh and .php) that I’ve written to process various kinds of data for a project. It’s a “one stop shop” for managing data for this project.

I’ve made good progress. I have apache, PHP and MySQL running, and I have my front end up at http://localhost. Good so far!

Now the problem I’m having: I have an index.php which works fine, except the default apache user (which on my machine is called “_www”) seemingly doesn’t have permissions to run some of my scripts.

So when I do:

<?php
    echo `ls`;
    echo `whoami`;
    echo `/Path/To/Custom/Script.sh`;
?>

I get the output of ls and whoami, but I get nothing back from the custom script. If I run the custom script as me (in an interactive shell), of course it works.

Finally, my question: What’s the right way to configure this? Have the webserver run as me? Or change permissions so that _www can run my custom scripts?

Answers:


Method 1

The first-best thing would be to put the script in a standard location (such as /usr/local/bin) where the web server would have sufficient permissions to execute it.

If that’s not an option, you can change the group of the script using chgrp groupname path, then make it executable for the group by chmod g+x path. If the _www user isn’t already in that group, add it to the group by usermod -aG groupname _www.

Method 2

To answer your question, it’s better to give the _www group permission to execute your scripts.

Use an ACL to extend the permissions on your *.sh scripts to allow a user in the _www group execute privilege:

cd /Path/To/Custom
setfacl -m g:_www:rx *.sh

Also check each directory component of /Path/To/Custom & verify that apache has permission to access (i.e. ‘see’) the scripts in /Path/To/Custom:

ls -ld /Path
ls -ld /Path/To
ls -ld /Path/To/Custom

Each directory component above should grant apache a minimum of execute permission apart from the final component (Custom) where apache needs both execute & read permission. e.g. if all the directory components above have other permissions of r-x then apache has all the access rights it needs to find your scripts in the Custom directory.
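
The ls -ld walk described in Method 2, automated as an added example (not part of the original answers). It inspects only the "other" permission bits, so group membership and ACL entries such as the setfacl one above are not evaluated; other_bits and first_blocked are hypothetical helper names, and the demo tree is constructed rather than the asker's real paths.

```sh
#!/bin/sh
# Added example: find what stops an account that only receives the "other"
# permission bits from running a script. Groups and ACLs are ignored (assumption).

# Print the three "other" characters (columns 8-10) of the ls -ld mode string.
other_bits() {
    ls -ld -- "$1" 2>/dev/null | cut -c8-10
}

# first_blocked SCRIPT [BASE]   (SCRIPT must be an absolute path)
# Climbs from the script's directory up to BASE (default /) and prints the
# topmost directory missing o+x, or the script itself if it lacks o+r or o+x.
# Only search (x) is required on a directory to run a file by its full path.
first_blocked() {
    script=$1 base=${2:-/} blocked=
    dir=$(dirname -- "$script")
    while :; do
        case $(other_bits "$dir") in
            ??[xt]) ;;              # searchable (t = sticky bit plus x)
            *) blocked=$dir ;;      # keep climbing to find the topmost one
        esac
        if [ "$dir" = "$base" ] || [ "$dir" = / ] || [ "$dir" = . ]; then
            break
        fi
        dir=$(dirname -- "$dir")
    done
    if [ -n "$blocked" ]; then
        printf '%s\n' "$blocked"
        return 1
    fi
    case $(other_bits "$script") in
        r?x) return 0 ;;            # the shell reads the file, the kernel execs it
        *) printf '%s\n' "$script"; return 1 ;;
    esac
}

# Constructed demo tree: "To" lacks o+x, so everything below it is unreachable.
demo=$(mktemp -d)
mkdir -p "$demo/Path/To/Custom"
printf '#!/bin/sh\necho ok\n' > "$demo/Path/To/Custom/Script.sh"
chmod 755 "$demo" "$demo/Path" "$demo/Path/To/Custom" "$demo/Path/To/Custom/Script.sh"
chmod 750 "$demo/Path/To"
first_blocked "$demo/Path/To/Custom/Script.sh" "$demo" || echo "^ fix this first"
rm -rf "$demo"
```

No output and exit status 0 mean the "other" bits alone are sufficient; otherwise the printed path is the first place to look.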


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
