How to configure PHP CLI on linux ubuntu to run as www-data?

I have a symfony2 application on my ubuntu. Symfony has a plenty of useful console commands (like php app/console cache:clear or php app/console assets:install web).

The problem is If I run them as root user the newly generated files will have root:root user/group, and if I acces my website I get errors (becouse apache cannot read/modify these files -> they should have www-data:www-data).

Running chown www-data:www-data solves the problem, but running it every time I clear my cache is not a solution.

How can I configure PHP CLI to always run as www-data user/group?

or

How can I run a command as a diffrent user (being root, run it as www-data)?


Solution 1:

Run a command as another user once:

sudo -u www-data php script.php

This should work if you have sudo installed and are root (or another user that is allowed to do that; see the sudo group, man sudoers and visudo).

For reusability, add an alias. Place this in your .bashrc, .profile or similar (and reload the shell to make it effective):

alias phpwww='sudo -u www-data php'

You can then type phpwww script.php and it will actually execute sudo -u www-data php script.php for you.


For other, more complex and error-prone ways, read on.

As for always running php as www-data, there are several possiblities. You could create a simple wrapper shellscript. If /usr/bin/php is only a soft-link to /usr/bin/php5 or similar, that makes it simpler. Just replace the soft-link (NOT the file php5) with a script like this:

#!/bin/sh

sudo -u www-data php5 $*

return $?

That's not tested though. Also be aware that this will ALWAYS try to run php5 as user www-data, even if the user may not be root and may not have permission to do so. And it may also not be what you really want. Some installed services may run into problems when trying to execute php.

A (possibly better) solution to only apply that to root may be to leave the soft-link /usr/bin/php alone and place the script in /root/bin instead. Then add that folder to PATH via .bashrc, .profile or similar. If you have /etc/skel/.profile, that may point out how that is done:

# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
    PATH="$HOME/bin:$PATH"
fi

Once this is in your .bashrc, .profile or similar, every new shell you open will allow you to directly execute any executables (+x) in $HOME/bin (/root/bin for root).

Hint: You may want to name the wrapper script something like phpwww so you explicitly specify php script.php or phpwww script.php to decide if you want regular or sudo'ed php.

Solution 2:

Answered by mwargh on ##linux (IRC Freenode.net)


To run a commands as a diffrent user -> switch to that user useing:

su www-data

I'd still be interested (if its possible) in configuring PHP so that running:

root@mycomp php (php script creating a file)

as root user

will result in creating a file with www-data:www-data user/group

(this way i would not have to switch from root to www-data to run my commands)

Solution 3:

I would try making /usr/bin/php owned by www-data and set the suid permission, which forces the command to be executed by the file owner. You'd do this with:

chmod u+s /usr/bin/php

of you like the octal notation:

chmod 4755 /usr/bin/php

Though I must say it should make one uneasy whenever you are making www-data the owner of anything, as the point of the www-data account is to own as little as possible.