Question
Using a Lightsail NGINX instance, and I've got one line in a PHP file that won't do what I need:
$s = 'Hello world';
$myfile = file_put_contents('log.txt', $s.PHP_EOL , FILE_APPEND | LOCK_EX);
I want it to create the log.txt file if it's not there. If it is there, I want it to append. It does not do either.
If I create the file, it doesn't work. Only if I chmod the file to 777 via SSH will it work.
However, a future piece of work would be to make the file, so for reasons beyond the security of 777 this manual approach won't be feasible.
I understand this is down to security settings, but I'm really unsure what to do to make this as secure as I can whilst still giving PHP access to create/append to a text file.
It appears I have a user called www-data. I have tried:
sudo chown -R www-data:www-data html
sudo chmod -R g+s html
Still can't create the file.
If I put error reporting on, I get:
file_put_contents(log.txt): failed to open stream: Permission denied
Thanks
Answer 1:
I'm really wondering how people advise on doing chmod or chown while completely lacking details of the OP's server setup.
Based on everything mentioned so far, I can assume that the OP has things running this way:
- NGINX running as www-data.
- PHP-FPM running as a different username (thus the permission issue). Let's say the PHP-FPM pool's username is foo.
Let's outline the best practices for this kind of setup. Following that, you'll be good with no permissions issues, in no time.
Who must own the files
Usually (multi-site server or not), you want one specific user who owns the site files. That user should never be www-data. It must be a separate user that you have created for this purpose: foo.
As a rule, that same user foo will be the one who is set to run the PHP-FPM pool.
So set the correct ownership to the foo user:
chown -R foo:foo /path/to/your/site/html
Since PHP-FPM scripts run as foo, now that the directory and all the files inside it are owned by that very same foo, PHP-FPM can do its stuff there without any problem. In that way, you will absolutely never have even the possibility that PHP cannot create / access stuff.
Grant access to web server
Remember, there are two users involved in the setup: one is the web server's (www-data) and one is PHP-FPM's (foo).
Now that the files are properly owned by foo, we need to grant the rights to read them to www-data. Why only read? Because NGINX has nothing to do with writing to the filesystem in this setup. It only needs to read files and traverse directories.
How this granting is usually accomplished is by making the web server's user a member of the site user's group. This is a bit hard to comprehend at first, but I'll be further verbose about it:
Let's say there is a site file data.txt that is now owned by foo:foo - the ownership in Linux is twofold: the file is owned by the foo user and the foo group.
Right now the foo group has only one member: the foo user.
What we need to do is to add another member to the foo group: the www-data user.
Thus:
usermod -a -G foo www-data
After this, the foo group has these members: the foo user and the www-data user.
And now we can continue onto permissions :)
What permissions should be
Now that we're done with ownership, the remaining important bit is to adjust permissions for all files and directories in this way:
- directories should allow for traversing (+x) for group
- files should allow being read (+r) for group
These permissions are required for www-data to be able to read every website file and directory.
Most likely, you don't need to explicitly set those, because the umask setting (I will not touch upon this topic here) will already be such that all files have these permissions.
But if you need to fix your stuff, you can do:
chmod -R g+rX /path/to/your/site/html
The uppercase X ensures that +x is set for directories only.
Going secure
After setting up the right file and group ownership for this kind of setup, you can go further and set a more restrictive chmod.
For example, Magento's secure chmod follows that setup's conventions, so you can be fine with chmod permissions of 0400 for PHP files and 0640 for media files :)
The last chmod bit should always be 0 unless you're dealing with a truly odd use case.
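A shell audit and repair of the layout this answer describes, added here as an example and not part of the original answer. It assumes the answer's placeholders (site user foo, web-server user www-data, document root /path/to/your/site/html); the function names are my own, and the chown/usermod steps still need root.

```shell
#!/bin/sh
# Added example (not from the original answer). Verifies and repairs the
# ownership/permission layout described above:
#   - every path is owned by the site user (hypothetical "foo", the PHP-FPM pool user)
#   - the web-server user (www-data) is a member of the site user's group
#   - group can read files and traverse directories; nothing is world-writable
# chown/usermod need root and are left to the operator; the checks and
# chmod -R g+rX run as the owning user.

# Return 1 and list offenders if any path under $1 is not owned by user $2.
audit_owner() {
    bad=$(find "$1" ! -user "$2" | sed 's/^/not owned by site user: /')
    [ -z "$bad" ] || { printf '%s\n' "$bad"; return 1; }
}

# Return 0 if user $1 is a member of group $2 (checks the usermod -a -G step).
in_group() {
    id -nG "$1" | tr ' ' '\n' | grep -qx "$2"
}

# Return 1 and list offenders if the group cannot read a file or traverse a
# directory, or if anything is world-writable (the chmod 777 workaround).
audit_site_perms() {
    bad=$( {
        find "$1" -type f ! -perm -g=r | sed 's/^/not group-readable: /'
        find "$1" -type d ! -perm -g=x | sed 's/^/not group-traversable: /'
        find "$1" -perm -o=w           | sed 's/^/world-writable: /'
    } )
    [ -z "$bad" ] || { printf '%s\n' "$bad"; return 1; }
}

# Apply the answer's fix: read for group everywhere, traverse (X) only on
# directories, and drop any world-write bit left over from chmod 777.
fix_site_perms() {
    chmod -R g+rX "$1" && chmod -R o-w "$1"
}

# Usage (placeholder paths from the answer; run the two root commands first):
#   chown -R foo:foo /path/to/your/site/html
#   usermod -a -G foo www-data
#   audit_owner /path/to/your/site/html foo && in_group www-data foo \
#     && fix_site_perms /path/to/your/site/html \
#     && audit_site_perms /path/to/your/site/html
```

With this in place the log.txt from the question is created by PHP-FPM as foo with the umask's default mode, and NGINX only ever needs group read.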
Answer 2:
I think that a better way to achieve your goal is the chown command. This changes the ownership of a file.
Try running
chown username yourfile
You can also use this for a folder:
chown -R username yourfolder
In your case, you probably need to change the ownership of the file log.txt.
Answer 3:
Try changing ownership to the nginx user.
chown nginx: log.txt
Source: https://stackoverflow.com/questions/55668386/cant-create-text-file-or-append-to-it-in-nginx-without-chmod-777