Re: 403 not working -- apache 2 / php5 / linux

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Richard Lynch wrote: 
Jason Morehouse wrote:

Hello.  I'm not sure if this is an apache problem or php... but
wondering if anyone has come across the same problem.

-rw-------    1 root     root	test.html
-rw-------    1 root     root	test.php

Trying to access test.html via a browser servers up the apache 403 error
page.  The test.php however produces:

Warning: Unknown: failed to open stream: Permission denied in Unknown on
line 0 Warning: Unknown: Failed opening '/www/test.php' for inclusion
(include_path='.:/www/php') in Unknown on line 0

Any ideas? 


Apache (and the PHP Module within it) run as a specific user.

That user is not (and SHOULD NOT be) 'root'

You need to figure out what user Apache runs as.

It's set in httpd.conf by the 'User' directive.

Because Apache/PHP does not run as 'root', Apache/PHP do not have
permission to *READ* the file.

If they can't *READ* the file, they can't deliver it to the surfer.

You need to change the permissions on the file to be *READABLE* by the
'User' of Apache/PHP.

Example
chmod 644 test.html
chmod 644 test.php

However, it would probably be even *better* to chown the files to some
less-powerful user than 'root'

chown _SOME_USER_ test.html
chown _SOME_USER_ test.php

You'll *still* need them to be read-able by Apache/PHP -- But in the
unlikely event that somebody Evil manages to gain write-access to the
files, at least they won't be root-owned, which would be even *worse* than
just a normal user's files getting hacked.

You really need to read a tutorial on Unix file permsissions, and you have
*GOT* to stop making HTML and PHP files as 'root' user!

I don't need a lesson in file permissions, thanks. Apache runs as nobody. The problem isn't trying to get apache to display test.php, it's having it display the proper 403 error page, rather than a php error when it doesn't have access to a page.

Each page, test.html and test.php have the same permissions. The html page gives the expected 403 error message when I try and access it (thats what I want). The other, php script doesn't. This is a security concern for me as it reveals paths on my system in the event a page has the wrong permissions. Why does apache not server the 403 on the php page? Maybe this is better off in the apache list.


--
Jason Morehouse
Vendorama - Create your own online store
http://www.vendorama.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux