Posted by Jason Morehouse on 10/02/12 11:05
Richard Lynch wrote:
> Jason Morehouse wrote:
>
>>Hello. I'm not sure if this is an apache problem or php... but
>>wondering if anyone has come across the same problem.
>>
>>-rw------- 1 root root test.html
>>-rw------- 1 root root test.php
>>
>>Trying to access test.html via a browser serves up the apache 403 error
>>page. The test.php however produces:
>>
>>Warning: Unknown: failed to open stream: Permission denied in Unknown on
>>line 0 Warning: Unknown: Failed opening '/www/test.php' for inclusion
>>(include_path='.:/www/php') in Unknown on line 0
>>
>>Any ideas?
>
>
> Apache (and the PHP Module within it) run as a specific user.
>
> That user is not (and SHOULD NOT be) 'root'
>
> You need to figure out what user Apache runs as.
>
> It's set in httpd.conf by the 'User' directive.
>
> Because Apache/PHP does not run as 'root', Apache/PHP do not have
> permission to *READ* the file.
>
> If they can't *READ* the file, they can't deliver it to the surfer.
>
> You need to change the permissions on the file to be *READABLE* by the
> 'User' of Apache/PHP.
>
> Example
> chmod 644 test.html
> chmod 644 test.php
>
> However, it would probably be even *better* to chown the files to some
> less-powerful user than 'root'
>
> chown _SOME_USER_ test.html
> chown _SOME_USER_ test.php
>
> You'll *still* need them to be read-able by Apache/PHP -- But in the
> unlikely event that somebody Evil manages to gain write-access to the
> files, at least they won't be root-owned, which would be even *worse* than
> just a normal user's files getting hacked.
>
> You really need to read a tutorial on Unix file permissions, and you have
> *GOT* to stop making HTML and PHP files as 'root' user!

I don't need a lesson in file permissions, thanks. Apache runs as
nobody. The problem isn't trying to get apache to display test.php,
it's having it display the proper 403 error page, rather than a php
error when it doesn't have access to a page.

Each page, test.html and test.php, has the same permissions. The html
page gives the expected 403 error message when I try and access it
(that's what I want). The other, php script doesn't. This is a security
concern for me as it reveals paths on my system in the event a page has
the wrong permissions. Why does apache not serve the 403 on the php
page? Maybe this is better off in the apache list.
--
Jason Morehouse
Vendorama - Create your own online store
http://www.vendorama.com
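
The permission situation discussed in this thread (mode 600, root-owned files under a docroot served by Apache as `nobody`), as an added example that is not part of the original messages: a Python audit that lists files the web server user cannot read, plus root-owned files, so they can be corrected before a request reaches them. The function names `can_read` and `audit` are hypothetical, and the check assumes plain mode bits only (no ACLs, SELinux, or parent-directory permissions).

```python
import os
import stat
import sys


def can_read(mode, file_uid, file_gid, uid, gids):
    """Classic Unix check: only the first matching class (owner, group, other) counts."""
    if uid == 0:
        return True  # root bypasses mode bits
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def audit(docroot, uid, gids):
    """Return (path, problem) pairs for regular files under docroot."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            if not can_read(st.st_mode, st.st_uid, st.st_gid, uid, gids):
                findings.append((path, "unreadable by web server user"))
            if st.st_uid == 0:
                findings.append((path, "owned by root"))
    return findings


if __name__ == "__main__":
    import pwd

    # Defaults taken from the thread: docroot /www, Apache running as 'nobody'.
    docroot = sys.argv[1] if len(sys.argv) > 1 else "/www"
    user = sys.argv[2] if len(sys.argv) > 2 else "nobody"
    pw = pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, pw.pw_gid))
    results = audit(docroot, pw.pw_uid, gids)
    for path, problem in results:
        print(f"{path}: {problem}")
    sys.exit(1 if results else 0)
```

The non-zero exit status on any finding lets the script run from cron or a deploy step.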