5

Context: I am making an in-browser control panel that gives me one-button access to a library of scripts (.sh and .php) that I've written to process various kinds of data for a project. It's a "one-stop shop" for managing data for this project.

I've made good progress. I have apache, PHP and MySQL running, and I have my front end up at http://localhost. Good so far!

Now the problem I'm having: I have an index.php which works fine, except the default apache user (which on my machine is called "_www") seemingly doesn't have permissions to run some of my scripts.

So when I do:

<?php
    echo `ls`;
    echo `whoami`;
    echo `/Path/To/Custom/Script.sh`;
?>

I get the output of ls and whoami, but I get nothing back from the custom script. If I run the custom script as me (in an interactive shell), of course it works.

Finally, my question: What's the right way to configure this? Have the webserver run as me? Or change permissions so that _www can run my custom scripts?

Rui F Ribeiro

2 Answers

3

The first-best thing would be to put the script in a standard location (such as /usr/local/bin) where the web server would have sufficient permissions to execute it.

If that's not an option, you can change the group of the script using chgrp groupname path, then make it executable for the group by chmod g+x path. If the _www user isn't already in that group, add it to the group by usermod -aG groupname _www.

Shawn J. Goff
3

To answer your question, it's better to give the _www group permission to execute your scripts.

Use an ACL to extend the permissions on your *.sh scripts to allow a user in the _www group execute privilege:

cd /Path/To/Custom
setfacl -m g:_www:rx *.sh

Also check each directory component of /Path/To/Custom & verify that apache has permission to access (i.e. 'see') the scripts in /Path/To/Custom:

ls -ld /Path
ls -ld /Path/To
ls -ld /Path/To/Custom

Each directory component above should grant apache a minimum of execute permission apart from the final component (Custom) where apache needs both execute & read permission. e.g. if all the directory components above have other permissions of r-x then apache has all the access rights it needs to find your scripts in the Custom directory.

frielp
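An added example, not part of either answer: a shell function that does the component-by-component `ls -ld` check above in one pass and names the first component that would stop the web server. It reads only the "other" permission bits, so it assumes _www is neither the owner nor in the owning group of any component, and it does not see ACLs; `other_bits`, `first_blocker` and the optional BASE argument are names chosen for this example.

```shell
#!/bin/sh
# Added example: assumes the web server user (_www on the asker's machine)
# is neither owner nor group member of any component, and ignores ACLs.

# Print the three "other" permission characters of PATH, e.g. "r-x".
other_bits() {
    # ls -ld starts with a mode string such as "drwxr-x--x"; chars 8-10 are "other"
    ls -ld "$1" | cut -c8-10
}

# first_blocker TARGET [BASE]
# Walk TARGET one component at a time (starting below BASE, a prefix already
# known to be reachable) and print the first component that would stop the
# server, returning 1. Print "ok" and return 0 if nothing blocks.
first_blocker() {
    target=$1
    current=${2:-}
    rest=${target#"$current"/}
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        current="$current/$part"
        case $rest in
            */*) rest=${rest#*/}; last=no ;;
            *)   rest="";         last=yes ;;
        esac
        if [ ! -e "$current" ]; then
            printf '%s: missing or not visible\n' "$current"
            return 1
        fi
        bits=$(other_bits "$current")
        if [ "$last" = yes ]; then
            want='r?[xt]'   # the script itself: read + execute
        else
            want='??[xt]'   # a directory: search (x); "t" is sticky + x
        fi
        case $bits in
            $want) ;;
            *) printf '%s: other=%s\n' "$current" "$bits"; return 1 ;;
        esac
    done
    echo ok
}
```

Called as `first_blocker /Path/To/Custom/Script.sh`, it prints either `ok` or the offending component with its current "other" bits, which is the one place that needs a narrow `chmod` or group/ACL grant rather than running the web server as your own account.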