Can't create text file or append to it in NGINX without CHMOD 777

Submitted by 五迷三道 on 2019-12-11 18:32:21

Question


Using a Lightsail NGINX instance, and I have one line in a PHP file that won't do what I need:

$s = 'Hello world';
$myfile = file_put_contents('log.txt', $s.PHP_EOL , FILE_APPEND | LOCK_EX);

I want it to create the log.txt file if it's not there. If it is there, I want it to append. It does not do either.

If I create the file, it doesn't work. Only if I chmod the file to 777 via SSH will it work.

However, a future piece of work would be to make the file, so for reasons beyond the security of 777 this manual approach won't be feasible.

I understand this is down to security settings, but I'm really unsure what to do to make this as secure as I can whilst still giving PHP access to create/append to a text file.

It appears I have a user called www-data. I have tried:

sudo chown -R www-data:www-data html
sudo chmod -R g+s html

Still can't create the file.

If I turn error reporting on, I get:

file_put_contents(log.txt): failed to open stream: Permission denied

Thanks


Answer 1:


I'm really wondering how people advise on doing chmod or chown while completely lacking details of OP's server setup.

Based on everything mentioned so far, I can assume that the OP has things running this way:

  • NGINX running as www-data.
  • PHP-FPM running as a different username (thus the permission issue). Let's say the PHP-FPM pool's username is foo.

Let's outline the best practices for this kind of setup. Following that, you'll have no permission issues in no time.

Who must own the files

Usually (multi-site server or not), you want one specific user who owns the site files. That user should never be www-data. It must be a separate user that you have created for this purpose: foo.

As a rule, that same user foo will be the one the PHP-FPM pool is set to run as.

So set the correct ownership to the foo user:

chown -R foo:foo /path/to/your/site/html

Since PHP-FPM scripts run as foo, and the directory and all the files inside it are now owned by that very same foo, PHP-FPM can do its stuff there without any problem. That way, there is absolutely never even the possibility that PHP cannot create / access stuff.

Grant access to web server

Remember, there are two users involved in the setup: one is web server's (www-data) and one is PHP-FPM's (foo).

Now that the files are properly owned by foo, we need to grant the rights to read them to www-data. Why only read? Because NGINX has nothing to do with writing to the filesystem in this setup. It only needs to read files and traverse directories.

How this granting is usually accomplished is by making the web server's user a member of the site user's group. This is a bit hard to comprehend at first, so I'll be more verbose about it:

Let's say there is a site file data.txt that is now owned by foo:foo. Ownership in Linux is twofold: the file is owned by the foo user and by the foo group.

Right now the foo group has only one member: the foo user.

What we need to do is to add another member to the foo group: the www-data user.

Thus:

usermod -a -G foo www-data

After this, the foo group has these members: the foo user and the www-data user.

And now we can continue onto permissions :)

What permissions should be

Now that we're done with ownership, the remaining important bit is to adjust permissions for all files and directories in this way:

  • directories should allow for traversing (+x) for group
  • files should allow being read (+r) for group

These permissions are required for www-data to be able to read every website file and directory.

Most likely, you don't need to set those explicitly, because the umask setting (which I will not cover here) will already be such that all files have these permissions.

But if you need to fix your stuff, you can do:

chmod -R g+rX /path/to/your/site/html

The uppercase X ensures that +x is set for directories only.

Going secure

After setting up the right file and group ownership for this kind of setup, you can go further and set a more restrictive chmod.

For example, Magento's secure chmod follows that setup's conventions, so you can be fine with chmod permissions of 0400 for PHP files and 0640 for media files :)

The last chmod bit should always be 0 unless you're dealing with a truly odd use case.
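As an added example (this script is not part of the original answer), the following POSIX shell script applies the scheme described above and checks the result: the site tree is owned by the dedicated site user, the web server user joins that user's group, the group gets read on files and traverse on directories, and "other" gets nothing. The names foo, www-data and /var/www/site/html are placeholders taken from the answer; the site user is assumed to exist already, and the PHP-FPM pool is assumed to run as that user.

```shell
#!/bin/sh
# Added example: apply and verify the "site user owns, web server reads via
# group" permission scheme. foo / www-data / the site path are placeholders.

# Root-only part: ownership and group membership. Assumes the site user
# already exists (e.g. created with: useradd -r -s /usr/sbin/nologin foo).
site_perms_own() {
    site_user=$1; web_user=$2; site_dir=$3
    chown -R "$site_user:$site_user" "$site_dir"   # PHP-FPM pool user owns everything
    usermod -a -G "$site_user" "$web_user"         # NGINX user joins the site group
}

# Unprivileged part: permission bits. Works on any tree you own, so it can be
# tested without root.
site_perms_chmod() {
    site_dir=$1
    chmod -R g+rX "$site_dir"   # group: read files; X adds execute to directories
                                # (and to files that are already executable)
    chmod -R o-rwx "$site_dir"  # "other" gets nothing: the last octal digit is 0
}

# Count entries that break the rules: anything without group read, a directory
# without group execute, or anything readable/writable/executable by "other".
# Symlinks are skipped (chmod -R does not change them either). Prints the count.
site_perms_violations() {
    site_dir=$1
    find "$site_dir" ! -type l \( ! -perm -g=r \
        -o \( -type d ! -perm -g=x \) \
        -o -perm -o=r -o -perm -o=w -o -perm -o=x \) -print | wc -l | tr -d ' '
}

# Returns 0 when the tree is clean, 1 otherwise.
site_perms_check() {
    [ "$(site_perms_violations "$1")" -eq 0 ]
}

# Usage (as root): sh fixperms.sh foo www-data /var/www/site/html
if [ "$#" -eq 3 ]; then
    site_perms_own "$1" "$2" "$3"
    site_perms_chmod "$3"
    if site_perms_check "$3"; then
        echo "ok: $3"
    else
        echo "still has violations in: $3"
        site_perms_violations "$3" >/dev/null
    fi
fi
```

The group membership only takes effect for NGINX worker processes started after the `usermod`, so restart NGINX afterwards. For the PHP side, the pool configuration (for example `/etc/php/*/fpm/pool.d/www.conf`) must carry `user = foo` and `group = foo`; with that in place, `file_put_contents('log.txt', ...)` from the question runs as the owner of the directory and can create and append to the file without any 777.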




Answer 2:


I think that a better way to achieve your goal is the chown command. This changes the ownership of a file.

Try running

chown username yourfile

You can also use this for a folder:

chown -R username yourfolder

In your case, you probably need to change the ownership of the file log.txt.




Answer 3:


Try changing the ownership to the nginx user.

chown nginx: log.txt



Source: https://stackoverflow.com/questions/55668386/cant-create-text-file-or-append-to-it-in-nginx-without-chmod-777
