Making Apache able to write to PHP files with PHP running as DSO?

apache-2.2 chmod php dso

I would only do this on a development server in a secured environment. Many PHP applications will generate the file to the screen so that it can be copied safely to the configuration directory.

The quick (and insecure) way to do this is to execute chmod 777 . from the directory where the file should go. Before doing this run ls -ld . to get the permissions you will be setting them back to. In some cases the required directory will not exist, so you will need to create it first. Immediately after the configuration file has been written, reset the directory to its original permissions. The correct command is likely chmod 755 . or chmod 750 . run from the directory. Verify with the ls command.

Change the permissions on the configuration file so that Apache can no longer write to it (chmod o-w configfile). Applications often come with example configuration files. Placing one of these in the configuration directory and editing may be a better approach. This requires that you learn and understand the configuration options. You may be able to use the online configuration script to assist your edits.


You can write your config files under a temporary directory such as /tmp/config/. Then, you can execute a shell script to copy the config files from /tmp/config/ to the desired location.

To grant the needed permissions, you can add the user nobody to the sudoers file. The entry should look like:

nobody   ALL=NOPASSWD: /path/to/your_script.sh

The shell script (don't forget to add execute permission).

cp -r /tmp/config/* /desired/path/to/config

In PHP, you need a small code snippet like:

<?php
$output = shell_exec('sudo /path/to/your_script.sh');
echo "$output";
?>

In a shared environment everything gets a bit complicated when it comes to security concerns. By changing the file ownership to 'nobody' you give Apache write access to that file but, if the PHP module doesn't have settings to restrict each virtualhost to each its own directory, it would also give others access to it. Check how it's set up in your environment.

Apache usually runs as user 'nobody' and group 'nobody' so you could play with group permissions too. Change the file's group to 'nobody' and set permission to 664.

If you can't change the file's owner or group, FTP usually lets you change the permissions. Assuming that Apache isn't one of the user/group that owns that file, you'd have to set it to 777 which is very insecure but it all depends on the kind of environment you're in. Perhaps you can set it temporarily, install you app and change it back to 644 or 444 (read-only).

Related

How to set systemwide ulimit on ubuntu
How to create a new public AMI for windows with a random password?
How to run PHP files as another user with Apache and FastCGI?
Can the HAL daemon be safely disabled for servers?
What have been the most useful resources for you when learning to make RPM's?
netcat -e: the GAPING_SECURITY_HOLE
running tar completely locks up mysql
Recover a MySQL database with only bin-log file
Best Practices: AWS EC2 Private Keys
How to configure mirror/span port on vSwitch?
Mount to NFS export of autofs mount shows empty contents
Backup ZFS snapshots to tape (both full and diff)