I am attempting to run a laravel app on a local server in https mode in a Fedora 36 OS, but I am given this message
The stream or file "/var/www/compagnon-be/storage/logs/laravel.log"
could not be opened in append mode: Failed to open stream: Permission
denied The exception occurred while attempting to log
It seems to me that my permissions are correct
My DocumentRoot is /var/www/compagnon-be/public
I used these commands from /var/www
sudo chown -R $USER:apache compagnon-be
and
sudo chmod -R 775 compagnon-be
ls -l returns this (muser being my user)
[jaaf#localhost www]$ ls -l
total 12
drwxr-xr-x. 2 root root 4096 17 juin 13:13 cgi-bin
drwxrwxr-x. 14 muser apache 4096 2 déc. 06:32 compagnon-be
drwxr-xr-x. 4 root root 4096 1 déc. 06:52 html
[jaaf#localhost www]$
What is wrong ?
The trouble was coming from selinux.
I tried
sudo restorecon -R -v /var/www/compagnon-be
After that the message changed to
file_put_contents(/var/www/compagnon-be/storage/framework/views/dc2fe5ffc0c4db448244e2a441f79c65b3812ff5.php):
Failed to open stream: Permission denied
Then I decided to install setroubleshoot package in my Fedora distribution and launched sealert
Refreshing the page triggered an alert and sealert gave me the commands to use
It was:
Vous devez modifier l'étiquette sur (You must change label on) « /var/www/compagnon-be/storage/framework/views »
# semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/compagnon-be/storage/framework/views'
# restorecon -v '/var/www/compagnon-be/storage/framework/views'
Related
Using:
podman version 4.2.0
AlmaLinux 8.7
I've created an image based on redhat/ubi8 with the following Dockerfile:
FROM docker.io/redhat/ubi8
RUN dnf install -y gcc-c++ cmake python39 openssh git
RUN useradd -ms /bin/bash foobar -g users
USER foobar
WORKDIR /home/foobar/
RUN mkdir -p .ssh
$ docker build -t mount_test_image .
I run the image from a directory that contains a directory ssh, and I want to mount that directory to /home/foobar/.ssh with ownership of foobar.users
$ ls -l
-rw-r--r--. 1 host_user users 269 Dec 7 09:10 Dockerfile
drwxrwxr-x. 2 host_user users 18 Dec 2 10:41 ssh
docker run -it -d --rm --mount type=bind,src=ssh,target=/home/foobar/.ssh --name=mount_test mount_test_image
However when I enter the container via
docker exec -it mount_test '/bin/sh'
The home directory looks like this:
drwx------. 1 foobar users 18 Dec 7 17:10 .
drwxr-xr-x. 1 root root 21 Dec 7 17:10 ..
-rw-r--r--. 1 foobar users 18 Jun 20 11:31 .bash_logout
-rw-r--r--. 1 foobar users 141 Jun 20 11:31 .bash_profile
-rw-r--r--. 1 foobar users 376 Jun 20 11:31 .bashrc
drwxrwxr-x. 2 root root 18 Dec 2 18:41 .ssh
I obviously get a "permission denied" when trying to access that directory.
sh-4.4$ ls /home/foobar/.ssh
ls: cannot open directory '/home/foobar/.ssh': Permission denied
I tried changing the ownership of the directory on the host to match the uid of the container user, but then it just looks like this:
drwxrwxr-x. 2 nobody root 18 Dec 2 18:41 .ssh
My host user uid:gid is 501:100 and the container user is 1000:100. Right now I'm just trying to generate an ssh key to upload to bitbucket, but this seems like a simple feature a container should be have. All the tutorials and examples just stop after the --mount command instruction and say "there ya go!". What good is the mount point if you can't read/write it?
EDIT:
I tried on Archlinux using docker instead of podman and it works like one would expect with both -v and --mount. The owner of the mounted directory in the container matches the uid and gid of the host. Is this then a bug in podman or is it just done differently?
You are using a non-root user (foobar) in a rootless container. You must use --userns=keep-id for the container user to see the mounted volumes.
https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md#using-volumes
Jenkins installed on Ubuntu 18.04 and running successfully.
As part of our project build process, we need to copy built files to a specific folder under /var/www/html (Apache folder). Our build / Execute shell:
npm install
ng build --prod
cp -R /var/lib/jenkins/workspace/kagi-core/dist/core/* /var/www/html/kagi-core/
But jenkins build fails at the final copy command with the following errors:
23:18:10 + cp -R /var/lib/jenkins/workspace/kagi-core/dist/core/3rdpartylicenses.txt /var/lib/jenkins/workspace/kagi-core/dist/core/assets ...
23:18:10 cp: cannot create regular file '/var/www/html/kagi-core/3rdpartylicenses.txt': Permission denied
...
...
Here's what we did/tried so far:
Added "jenkins" user to root and ubuntu groups.
ubuntu#ip-172-31-15-215:/var/www/html$ groups jenkins
jenkins : jenkins root ubuntu
Changed permissions on /var/www/html/kagi-core folders to "jenkins" user
drwxr-xr-x 3 ubuntu jenkins 4096 Sep 17 21:36 www
..
drwxr-xr-x 3 ubuntu jenkins 4096 Sep 18 21:04 html
..
drwxrwxrwx 4 ubuntu jenkins 4096 Sep 18 21:18 kagi-core
What are we missing? Appreciate any help!
While trying to fix this, found the solution. Adding here for reference:
On observing carefully, the permissions to /var/www folders, they are as
drwxr-xr-x 3 ubuntu jenkins 4096 Sep 17 21:36 www
but instead they should be the other way around (allow "jenkins" user to the default group):
drwxr-xr-x 3 jenkins ubuntu 4096 Sep 17 21:36 www
Also we reset the group to default root
So the command that solved the issue was
cd /var
sudo chown -R jenkins:root www/
After this, jenkins builds were successful (able to copy to the /var/www/html folder).
i'm facing the next error in a centos 7 server
I take a look to similar questions saying that is because SELinux doesn't allow to httpd to write in my /home folder, i've tried changing the owner of the folder without success; try changing the context (chcon) to httpd_sys_rw_content_t of my /home with the same error; try disabling SELinux and the error persists; and in the file httpd.conf change the User and Group from apache to test this didn't work either. My server is:
LSB Version: :core-4.1-amd64:core-4.1-noarch
Distributor ID: CentOS
Description: CentOS Linux release 7.4.1708 (Core)
Release: 7.4.1708
Codename: Core
and
Linux localhost 3.10.0-693.17.1.el7.x86_64 #1 SMP Thu Jan 25 20:13:58 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
When I execute move_uploaded_file() from php -a as user test it works normally, i see that the issue is with the user apache
TLDR:
Do not run setenforce 0 command, this will disable SELinux! You should not disable SELinux for security reasons.
The solution:
You should update policy to make SELinux allow read and write on specific directories:
To allow apcahe to read and write.
chcon -R -t httpd_sys_rw_content_t /path/your_writabl_dir
For read only directories:
chcon -R -t httpd_sys_content_t /path/yourdir
For example you can make your public (document root) directory read only and only allow write on directories that you allow you app to write on:
# Make all read only
chcon -R -t httpd_sys_content_t /var/www/myapp
# Only allow write on uploads dir for example
chcon -R -t httpd_sys_rw_content_t /var/www/myapp/public/uploads
I am trying to capture an image through a webcam and display it on a webpage but I am getting "permission denied errors"
I am running apache with the following user/group
/etc/apache2/envvars :
export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data
In the html code i have the request:
myRequest.open("GET", "/cgi-bin/getImage1.cgi", true);
myRequest.send();
In /usr/lib/cgi-bin I have the file: getImage1.cgi
#!/bin/bash
rm image1.jpg
fswebcam -r 640x400 --no-banner --deinterlace -q -d /dev/video0 --jpeg 95 image1.jpg
The file and directories permissions are:
In /usr/lib drwxrwxrwx 2 root www-data 4096 May 14 19:37 cgi-bin
In /usr/lib/cgi-bin -rwxr-xr-x 1 www-data www-data 115 May 14 18:51 getImage1.cgi
In /dev crw-rw----+ 1 root video 81,0 May 14 18:02 video0
User www-data is a member of the following groups:
$ id www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data),44(video)
When i run the web page i get the following error code:
rm: cannot remove 'image1.jpg': No such file or directory
Error opening device: /dev/video0
open: Permission denied
Unable to find a source module that can read /dev/video0.
End of script output before headers: getImage1.cgi,
The error implies that it is executing the script but that the user does not have sufficient permissions to access the /dev/video0.
The apache user should be www-data which is a member of both www-data and video groups, so it should have access to the /usr/lib/cgi-bin directory, getImage1.cgi file, and the /dev/video0 webcam.
If I execute the script from the console it runs fine.
I would appreciate if anyone can offer suggestions.
I've created a container, based off the centos:6.8 image using the following Dockerfile:
FROM centos:6.8
RUN adduser -m test
USER test
The image is then built using docker build:
docker build -t dockerdemo .
Then I start a container with:
docker run -ti dockerdemo bash
When I am inside the container, I appear to be able to write as the "test" user into the root directory of the container:
[test#9af9c4aeb990 /]$ ls -ld /
drwxr-xr-x 29 root root 4096 Oct 25 09:49 /
[test#9af9c4aeb990 /]$ id -a
uid=500(test) gid=500(test) groups=500(test)
[test#9af9c4aeb990 /]$ touch /test-file
[test#9af9c4aeb990 /]$ ls -l /test-file
-rw-rw-r-- 1 test test 0 Oct 25 09:49 /test-file
I am expecting to see Permission denied when I run the touch command.
If I alter the Dockerfile and remove the USER statement, and rebuild, then I can su to the "test" user inside the container and I get the behaviour I would expect:
[root#d16277f693d8 /]# su - test
[test#d16277f693d8 ~]$ id
uid=500(test) gid=500(test) groups=500(test)
[test#d16277f693d8 ~]$ ls -ld /
drwxr-xr-x 29 root root 4096 Oct 25 09:50 /
[test#d16277f693d8 ~]$ touch /test-file
touch: cannot touch `/test-file': Permission denied
Have I misunderstood how user permissions work inside containers?
Is there a way to produce my expected behaviour?
There was a vulnerability announced in 1.12.2 that your scenario matches. Release 1.12.3 just came out yesterday to fix this issue and CVE-2016-8867 was registered on the vulnerability. It's an internal container privilege escalation, so limited impact, but still worth the upgrade.