I am using Linux 12.04,apache and php is installed on it.I want to access a text file in /root/ folder.I am really confused with the permissions.The php script i m using
我正在使用Linux 12.04,apache和php安装在它上面。我想访问/ root / folder中的文本文件。我真的与权限混淆。我使用的PHP脚本
<?php
$file = fopen("/root/cr.txt", "r") or exit("Unable to open file!");
//Output a line of the file until the end is reached
while(!feof($file))
{
echo fgets($file). "<br>";
}
fclose($file);
?>
This script is able to access the file /var/www folder but not able to access /root/ip.txt file. Please help and explain step to step possible.
此脚本能够访问文件/ var / www文件夹,但无法访问/root/ip.txt文件。请帮助并解释步骤可能。
2 个解决方案
#1
1
I will forget about the security implications of doing this and will go down to business:
我将忘记这样做的安全隐患,并将继续开展业务:
If you have done ls -l /var/www and ls -l /root you would have noticed that both has different permissions:
如果你已经完成了ls -l / var / www和ls -l / root,你会注意到它们都有不同的权限:
$ ls -l /root/cr.txt total 2 -rw-r----- 1 root root 0 Jul 9 01:28 cr.txt $ ls -l /var/www total 2 -rw-r--r-- 1 www-data www-data 0 Jul 9 01:28 somefile
$ ls -l /root/cr.txt total 2 -rw-r ----- 1 root root 0 Jul 9 01:28 cr.txt $ ls -l / var / www total 2 -rw-r - r - 1 www-data www-data 0 Jul 9 01:28 somefile
The /root is only readable for root, while /var/www is readable by www-data user. Now, if you check apache process you will notice that it's running using the www-data user.
/ root仅对root可读,而/ var / www可由www-data用户读取。现在,如果你检查apache进程,你会发现它正在使用www-data用户运行。
$ ps aux | grep apache www-data 5133 0.0 0.2 6512 1208 ? R+ 10:04 0:00 apache
$ ps aux | grep apache www-data 5133 0.0 0.2 6512 1208? R + 10:04 0:00阿帕奇
Now, you are trying to make apache running with the www-data user read the file. You can take three courses of action:
现在,您正在尝试使用www-data用户运行apache读取该文件。您可以采取三种行动方式:
1.Move the file to /var/www and change it's permissions so www-data users can read it.
1.将文件移动到/ var / www并更改其权限,以便www-data用户可以读取它。
mv /root/cr.txt /var/www/
chown www-data:www-data /var/www/cr.txt
2.This is the preferable method.
这是更好的方法。
Create a symlink to the file in the /var/www directory:
ln /root/cr.txt /var/www/
3.This won't ensure that your file is being read, in some cases.
3.在某些情况下,这不会确保您的文件正在被读取。
This is dangerous and should not be done! Add the www-data user to the root group, or change the file ownership so it could be read by www-data users:
这很危险,不应该这样做!将www-data用户添加到根组,或更改文件所有权,以便www-data用户可以读取:
chown :www-data /root/cr.txt
## Or
sudo adduser www-data root
This shouldn't be done if you don't understand the risks!
如果您不了解风险,就不应该这样做!
#2
0
First, it is generally a bad idea to give apache access to root. If you insist ...
首先,给apache访问root通常是一个坏主意。如果你坚持 ...
Install ACL (Access Control List) Installing ACL
安装ACL(访问控制列表)安装ACL
Then, assuming your apache server runs with 'apache2' for it's user and group, give the apache2 user and group access to directories/files:
然后,假设您的apache服务器为其用户和组运行'apache2',请为apache2用户和组访问目录/文件:
setfacl -m "group:apache2:r-x" /root/whatever.file
setfacl -m "user:apache2:r-x" /root/whatever.file
# *** only need the next two lines if you plan on writing new files in the specified directory. It sets the default file permissions that will be used when the new file is created.
setfacl -d -m "group:apache2:r-x" /root
setfacl -d -m "user:apache2:r-x" /root
Change the r-x permissions to whatever you need
将r-x权限更改为您需要的任何权限
Edit - potential solution without ACL
编辑 - 没有ACL的潜在解决方案
The following is untested and may require tweaking but should get you going in the right direction. USE AT YOUR OWN RISK!
以下是未经测试的,可能需要调整,但应该让你朝着正确的方向前进。使用风险自负!
Create a new group. The name can be anything but for this example I will call it 'wwwadmins' using groupadd
创建一个新组。这个名字可以是任何东西,但是对于这个例子,我将使用groupadd将其命名为“wwwadmins”
groupadd wwwadmins
Add the root and apache2 users to this new group using usermod
使用usermod将root和apache2用户添加到此新组
usermod -a -G wwwadmins root
usermod -a -G wwwadmins apache2
Change the group owner on the file to the new group using chown
使用chown将文件上的组所有者更改为新组
chown :wwwadmins /root/whatever.file
#1
1
I will forget about the security implications of doing this and will go down to business:
我将忘记这样做的安全隐患,并将继续开展业务:
If you have done ls -l /var/www and ls -l /root you would have noticed that both has different permissions:
如果你已经完成了ls -l / var / www和ls -l / root,你会注意到它们都有不同的权限:
$ ls -l /root/cr.txt total 2 -rw-r----- 1 root root 0 Jul 9 01:28 cr.txt $ ls -l /var/www total 2 -rw-r--r-- 1 www-data www-data 0 Jul 9 01:28 somefile
$ ls -l /root/cr.txt total 2 -rw-r ----- 1 root root 0 Jul 9 01:28 cr.txt $ ls -l / var / www total 2 -rw-r - r - 1 www-data www-data 0 Jul 9 01:28 somefile
The /root is only readable for root, while /var/www is readable by www-data user. Now, if you check apache process you will notice that it's running using the www-data user.
/ root仅对root可读,而/ var / www可由www-data用户读取。现在,如果你检查apache进程,你会发现它正在使用www-data用户运行。
$ ps aux | grep apache www-data 5133 0.0 0.2 6512 1208 ? R+ 10:04 0:00 apache
$ ps aux | grep apache www-data 5133 0.0 0.2 6512 1208? R + 10:04 0:00阿帕奇
Now, you are trying to make apache running with the www-data user read the file. You can take three courses of action:
现在,您正在尝试使用www-data用户运行apache读取该文件。您可以采取三种行动方式:
1.Move the file to /var/www and change it's permissions so www-data users can read it.
1.将文件移动到/ var / www并更改其权限,以便www-data用户可以读取它。
mv /root/cr.txt /var/www/
chown www-data:www-data /var/www/cr.txt
2.This is the preferable method.
这是更好的方法。
Create a symlink to the file in the /var/www directory:
ln /root/cr.txt /var/www/
3.This won't ensure that your file is being read, in some cases.
3.在某些情况下,这不会确保您的文件正在被读取。
This is dangerous and should not be done! Add the www-data user to the root group, or change the file ownership so it could be read by www-data users:
这很危险,不应该这样做!将www-data用户添加到根组,或更改文件所有权,以便www-data用户可以读取:
chown :www-data /root/cr.txt
## Or
sudo adduser www-data root
This shouldn't be done if you don't understand the risks!
如果您不了解风险,就不应该这样做!
#2
0
First, it is generally a bad idea to give apache access to root. If you insist ...
首先,给apache访问root通常是一个坏主意。如果你坚持 ...
Install ACL (Access Control List) Installing ACL
安装ACL(访问控制列表)安装ACL
Then, assuming your apache server runs with 'apache2' for it's user and group, give the apache2 user and group access to directories/files:
然后,假设您的apache服务器为其用户和组运行'apache2',请为apache2用户和组访问目录/文件:
setfacl -m "group:apache2:r-x" /root/whatever.file
setfacl -m "user:apache2:r-x" /root/whatever.file
# *** only need the next two lines if you plan on writing new files in the specified directory. It sets the default file permissions that will be used when the new file is created.
setfacl -d -m "group:apache2:r-x" /root
setfacl -d -m "user:apache2:r-x" /root
Change the r-x permissions to whatever you need
将r-x权限更改为您需要的任何权限
Edit - potential solution without ACL
编辑 - 没有ACL的潜在解决方案
The following is untested and may require tweaking but should get you going in the right direction. USE AT YOUR OWN RISK!
以下是未经测试的,可能需要调整,但应该让你朝着正确的方向前进。使用风险自负!
Create a new group. The name can be anything but for this example I will call it 'wwwadmins' using groupadd
创建一个新组。这个名字可以是任何东西,但是对于这个例子,我将使用groupadd将其命名为“wwwadmins”
groupadd wwwadmins
Add the root and apache2 users to this new group using usermod
使用usermod将root和apache2用户添加到此新组
usermod -a -G wwwadmins root
usermod -a -G wwwadmins apache2
Change the group owner on the file to the new group using chown
使用chown将文件上的组所有者更改为新组
chown :wwwadmins /root/whatever.file