htaccess to affect "owner"

[ChilliBoy]

High I was wondering if I could also use a htaccess file to affect the "owner" of files written by a php search script on my site.

Currently I have a search engine script set in the root folder. When a search is conducted it automatically writes folders and files relating to the variables entered for the search.

Then if exactly the same search is entered again at a subsequent time, the script automatically fpassthru()the relevant file.

The problem I have is that when the script writes the folders and files, the owner is always "www", which leaves me without the usual access for deleting, changing perms etc etc.

Is there something I can put in a htaccess file so that any script on my site that writes folder and files, always makes the owner "myself" rather than "www".

[qslack]

You can't do it with .htaccess files as far as I know, but you can do this:
telnet/ssh in to your server
chown yourusername scriptname
chmod +s scriptname

Now, the script will always run as "ChiliBoy" or whatever you put in for 'yourusername.'

[ChilliBoy]

Cheers for the info.

I've never used telnet (always used ftp), and am a little unsure exactly what it is and how to use it.

However, I believe I should be able to most of what you advise from the server control panel.


You advise:
"chown yourusername scriptname" - well the owner shown next to the script is already my username so I guess that has already been acomplished.

Your advise "chmod +s scriptname" - is obviously to affect the permissions, but I'm unsure exactly what the above would set them to (I can do this through the CP).

They are set to rwx r-x r-x , what should they be set to so that when ever the script runs the files and directories it creates have me as the owner.

I would be grateful if you could explain the later as to why it works, as I don't know what the "S" for Owner and Group and the "T" for others are for.

Thanks for the help.

From what you say

rwx r-x r-x

[qslack]

If you only have FTP access, but you can run perl scripts (via CGI or mod_perl), make a script with this in it:

Code:

#!/usr/bin/perl
print "Content-type: text/html\n\n"
if( (system("chown yourusername file")) && (system("chmod +s file")) ) {print "Done"}
else {print "Error"}

Run it from your browser and see what it prints out (should be "Done").

Yeah, chown changes the owner. Chmod changes the permissions on a file, and +s means setuid. When the script is run, regardless of who runs it, it always switches to the owner. You probably won't be able to do this in your control panel.

The permissions for this script can be 'rwx r-x r-x' or just about anything as long as the first one is rwx. When Apache asks for the output of the script, it doesn't even know that the userid was switched!

Hope that works...any more questions?

[ChilliBoy]

The script is actually a PHP script.

RE: Permissions via CP - the control panel give me the following options per file:

Owner: SRWX, Group SRWX, Others TRWX

Would changing any of these be equivelant to your not chmod +s ???

If not I suppose you could use the chmod (); function on the file?

If this is the case how would I write the function? - As I understand it, it usually incorportes a 3 figure integer - so what would the +s be equivelant to?

Thanks for all this help!

[freddydoesphp]

The reason this happens is the web server is running as user www, and when create dirs and the like they are created using the www user so in your script since it gets run as www whcih is the owner of the dirs, you should be able to do chown("dirname", "yourusername"); But you would need to do it with a script since when you are looged in with ftp or ssh/telnet you are no longer the onwer of the dirs or files, but if you use the script(www user) to change owners than you should be able to delete the dirs through ftp afterwards, does that make sense?'


The numerical equivalent to qslacks idea is 755 by the way

[ChilliBoy]

Cheers Freddie I kind of get your idea.

The script is currently set to rwx r-x r-x (755?), so I guess qslacks idea will not work?

Would you agree that the best way to get the folders & files created set as owner "myself" would be to chown(); them to my password within the script itself?

The writing part of the script:

if(!file_exists($cachedirectory)) // check to see if the directory already exists
{
$directorypieces = explode("/", $cachedirectory); //break the directory path into pieces
foreach($directorypieces As $folder) //run through the pieces
{
$folder1 = "/" . $folder; //add each folder in order of appearance
$folder2 = $folder2 . $folder1;
$folder3 = "/home/chilli/chillisauce-www" . $folder2;
if(!file_exists($folder3)) //check to see if folder exists
{
mkdir($folder3, 0777); //create a folder if it doesn't
}

}
}

$fp = fopen($cachefilepath, "w"); //create and open the file
fwrite($fp, $Output); //Write output to the file and close
fclose($fp);


Could I add - chown(file or folder, password);
after the mkdir and the fwrite functions?

Another problem I can forsee it that if a file exists it is opened and fpassthru();

If the script is running as www - should my earlier line be able to open these files now that the owner would be myself not http://www.

The lines are as follows:

if (file_exists($cachefilepath))
{
$fp = fopen($cachefilepath, "r");
fpassthru($fp);
}

It would obviously be a hell of a lot easier if I could always get the script to run as myself rather than www, but it appear from what you say that this is not possible.

cheers for the help.

[freddydoesphp]

The only issue I see you having is that you want to be able to delete folders and files through ftp that user www has created in your scripts. I would suggest leaving them owned as www until you are ready to delete them, in fact after thinking about it for awhile, it would probably be best to just create a script to delete them so it gets run as http://www. I mam not sure where you got the password part for chown, I would neve have my unix password visible in my scripts, that is a huge security liability. When I make a script where files and images get uploaded through a form, I normally write a backend that deletes the files and dirs thruogh a web interface instead of ftp'ing in and deleting them, that way all files that created by www will get deleted by www as well, does that make sense?

[Vinay]

I think this whole discussion is missing a little bit of linux knowledge

The linux operating system WILL NOT run a script under a specific user if it has the +s tag on it.. that is ONLY for binaries, C / C++ programs, etc... the ONLY way to have a CGI / perl / PHP , etc, script to run under a specific user, the webhost must support the feature.. for example, we support it via suexec .. others may support it via cgi-wrap, etc...

[freddydoesphp]

Vinay, Have you ever had the problem of a system that allows users to upload images for some reason and stores them in a folder lets say /uploadedimages the folder is set to 777 so it is writable by the web server or even better the folder gets created on the fly, and the web server sets it to 777, so now if you were log in via ssh and you were not rrot, you navigate to your folders and there is the folder owned by the user the web server runs a, now you cannot rm files or rm dir because you do not own it. I think this is the problem Chilliboy is having, do you know a workaround?

[Vinay]

Hiya Freddy,

Well, see, again, it is a feature the webhost must support, as I previously stated. There is not a "work around" to the situation if it has already happened. You would have to contact the host to delete the files, etc, as they are now owned by the web user . .. OR use a script which runs as the web user to delete files ...

Talking about suexec again, the way I set it up is that if you use .php , it runs as the webserver (faster), however you can use .pgi files , which are PHP files which run under suexec, on YOUR userid .... under suexec, you cannot have any directory or file being 777, max permission you can give is 755 .. MAINTAINING security of being able to know that the anybody on your server cant modify your files, and also being able to access files via FTP and removing them, etc...

[ChilliBoy]

Hi,

This has all gone a little above my head, but from what you say, it looks like a seperate script to delete the files would be the best workaround.

How easy would it be to create a script to do this?

I'm moving servers next few days (upgrade hostrocket to VDI) so the files created are not a problem, and where created during testing.

However, when I go live they will have to be deleted periodically as they could get huge.

Each different search creates a new folder and file so say
a search for hot butter rolls, would create file and folders:

search/hot/butter/roll/index.htm etc etc


Would it be easy to make a sript that spiders through the folders and deletes all folder and files?

Say for example I just wanted to delete all files and folders form /butter onwards?

[freddydoesphp]

Running as the web server you could do exec("rm -r -f /butter"); But I have no idea what the security ramifications would be on that, and I am sure someone who has more server admin experience than I can shed some light as to whether this is a good idea or not.

[ChilliBoy]

All seems far to complicated, looks like Ill have to cross the "delete bridge" when I come to it.

Just for a matter of interest, I use Foundation clipper (CGI script for webfetching) and it does a similar thing - fetches info from Moreover etc and stores a copy in another folder in the CGI-BIN which is sent if a similar request is made (indexed by date stamp).

I don't know how this works but all the files it creates are under my ownership so I can delete when I want.

[Vinay]

PHP i know for a fact, has unlink() to delete files, i'm assuming other languages have the same.. that will only delete files which were made under the web user as it will take upon the web users permissions when executing