I'm stuck & need help understanding file-creation permissions for members of a group.
In PHP, I want to fopen / create a file in a folder that is owned by mysql:mysql
(for importing data into mysql)
folder -ld
drwxrwx--- 2 mysql mysql 4096 Dec 14 14:33 /var/lib/mysql-files
php runs as user www-data
I added the 'www-data' user into group 'mysql':
sudo usermod -a -G groupName userName
verified:
sudo groups www-data
www-data : www-data mysql
It appears my PHP user account 'www-data' has write permissions to the folder through group membership, but I get an error 13 'permission denied'.
While typing this question, a similar question (https://serverfault.com/a/534000/65092)
had an answer that the parent folders (/var and /var/lib) need to have 'x' permissions for the user or group. I understand that to mean:
PHP user 'www-data' needs to be able to look inside /var, to read /lib, to read /mysql-files.
/var = drwxr-xr-x 16 root root
/var/lib = drwxr-xr-x 62 root root
and it appears this is already enabled.
Any suggestions or comments?
thanks.
Answer
Solution:
I applied Mike's suggested link solution of
sudo chmod g+s /var/lib/mysql-files
(which is supposed to set the group id of any newly created files equal to the group of its parent folder), but I was still unable to create a file in that folder using PHP.
Upon further reading, I learned that permissions are applied after login (duh, of course), but since user www-data did not have a password and cannot log in, I needed to reboot the server to see if the new permissions would take effect.
Next I tested the file creation through PHP from a terminal, but it still did not work. I soon realized the PHP CLI was launched from my user account on the terminal, therefore it was not running as user www-data, therefore permission denied. I launched PHP from the terminal to run under user www-data with sudo -u www-data php -a
and voilà! The file was created.
Checking the file permissions after creation, the owner was www-data, the group was properly set to the group of its parent folder, however the write permission was not set. Further reading about umask led me to use sudo setfacl -d -m group:mysql:rwx /var/lib/mysql-files
(to set up an access control list to enable write permission for the group for new files created in the folder. It appeared the write permission of the folder was already enabled for groups, so I'm not sure why this extra step was needed.)
A further test from the command line running php as user 'www-data' passed.
A test using the full php script passed.
Thanks!
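A worked check of the two rules the question and the answer turn on, as an added example that is not part of the original post: every ancestor directory must grant search (x) and the target must grant write and search through owner, group or other, and the mode of a newly created file is the requested 0666 with the umask stripped unless a default ACL takes over. The directory chain, the user name and the group sets are constructed to mirror the listings above; the umask value 022 is an assumption about the www-data process.

```python
from dataclasses import dataclass

@dataclass
class Dir:
    """Constructed stand-in for one directory's ownership and permission bits."""
    path: str
    owner: str
    group: str
    mode: int  # permission bits only, e.g. 0o770

def bits_for(d: Dir, user: str, groups: set) -> int:
    """rwx triple that applies to `user` on `d`: owner class if the user owns
    it, group class if one of the user's groups matches, otherwise 'other'."""
    if user == d.owner:
        return (d.mode >> 6) & 0o7
    if d.group in groups:
        return (d.mode >> 3) & 0o7
    return d.mode & 0o7

def can_create_file(chain: list, user: str, groups: set):
    """`chain` lists the directories from the top down to the target folder.
    Every ancestor must grant search (x); the target must grant w and x."""
    for d in chain[:-1]:
        if not bits_for(d, user, groups) & 0o1:
            return False, f"no search (x) on {d.path}"
    have = bits_for(chain[-1], user, groups)
    if have & 0o3 != 0o3:
        return False, f"need w+x on {chain[-1].path}, have {have:o}"
    return True, "ok"

def new_file_group_bits(requested=0o666, umask=0o022, default_acl_group=None) -> int:
    """Group-class bits of a file created with mode `requested`.
    Without a default ACL the umask is subtracted (0o666 & ~0o022 -> r--),
    which leaves no group write bit. With a default ACL entry such as
    group:mysql:rwx the umask is ignored; the inherited entry is limited
    only by the requested group bits (rwx & rw- -> rw-)."""
    if default_acl_group is None:
        return ((requested & ~umask) >> 3) & 0o7
    return ((requested >> 3) & 0o7) & default_acl_group

# Constructed chain mirroring the ls -ld output in the question.
CHAIN = [
    Dir("/var", "root", "root", 0o755),
    Dir("/var/lib", "root", "root", 0o755),
    Dir("/var/lib/mysql-files", "mysql", "mysql", 0o770),
]
```

Running can_create_file with and without 'mysql' in the group set reproduces the error-13 case and the working case; new_file_group_bits shows why the group write bit was missing until the default ACL was added.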