Custom CMS and permissions work-around

cnperry

Working with permissions seems to be a love-hate relationship...

Here's the problem: Files need to be copied from the QA site to the Production site several times per week, and the job got stuck to me, the new guy. I was given permission to write a script that will copy selected files over to production (after proper authentication, of course).
Now, the production site files are all chmod'd 644, which means PHP doesn't have permissions to overwrite existing files with the new versions (if the file is new to production it's owned by apache). Manually chmod-ing the production files to 777 works for copying, but they have to be changed back to their original permissions manually (and the owner remains the account user), so what's the point?

Is there any kind of work-around that will just let my script run as it should, but still keep the files from being owned by apache (as would happen if I deleted everything and allowed the script to copy everything over fresh)?

Thanks, I owe you one!
Cameron Perry

Oh yeah - this job is for a non-profit, so it's all volunteer.

sfullman

if you make the file deletable, the folder containing it must still be writable.

Only root can do certain items like change a user etc.., and php is running as either apache or nobody.

One thing you might consider searching on is to run php as a command line file. Create a file that will accept the switch for the file name(s), and also have a switch for a password. Then make the file executable only, and call this file (from a normal .php page) with the password and file name(s). The file doesnt' have to be readable to work, so the matching password need not be stored in visible format.

Since the file belongs to root, it will have root permissions, and can do what you're asking -- kind of like sending in your older brother, but in this case a limited older brother for a specific task.

BTW I've never done this but I know it works, I will need to implement this on my server myself at one time.

Sam

cnperry

Thanks, but no luck.

The scripts (both php and even shell scripts) are run as apache, so any file copied over become apache's property. If I run the script from a terminal window, the files are "my" property. If I run the script from the web, it's apache's.

So I probably have a few options:
1) Finish the script but forget trying to manually edit/delete/move production files
2) delete "my" files and allow PHP to replace them; if anything needs to be edited or copied-over by an admin, run another PHP script that can delete and/or temporarily change permissions of selected files
3) Keep doing this the ol' fashioned way - by hand - and forget PHP (but what's the fun of that?).

Any other suggestions are appreciated. Is there anything we could ask the host admin to do for us (it's a small company that's pretty friendly towards us).

Thanks!
Cameron

sfullman

have always thought (and still do) that if a file is executable and belongs to root, it has roots permission. from that directory, you'd need to call it this way

./chmod_php -o oldfile -n newfile -p password

where chmod_php is a shell script.

One of these days I'm going to test it and see, but that's truly powerful if it works.

Sam

cnperry

Sam,

I tried making the shell script owned by root and ran it from both my terminal and also from a web page on my own test server, as you described I should.

No luck. Permission denied. It seems that sripts will be run as whatever user runs the script, now whoever owns it. My other problem is that I don't have sudo-er privs on the server (shared with several other domains).

I also couldn't get sudo to recognize the password (sudo -s, I think). Do you know how that works? My idea was to run sudo -u (username) -s (password) and see if that would work.

Thanks,
Cameron