#1
  1. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2009
    Posts
    351
    Rep Power
    0

    [Apache 2.4.6, CentOS7, PHP 5.5] Permission Issues with PHP Sessions


    I'm getting this error:
    Code:
    session_start(): open(/home/mrbob/.php/session/sess_pnsjt731tk76chl2edeuo0heapfvbs3j, O_RDWR) failed: Permission denied (13)
    I edited /etc/httpd/conf/httpd.conf to use a different user:group (mrbob:webdev) than the default (also /etc/httpd/conf.d/php.conf to change where sessions are saved, which is why PHP is trying to save them in the place noted above), as I want someone to be able to log in to SSH and lock them out of everything except for their home directory. I also changed the document roots and CGI things to be in that user's home path. I can't figure out why PHP doesn't have permission to write to the path..

    I had the same problem before I tried changing where PHP should save sessions, as mrbob doesn't have read/write access to tmp.

    I tried running this code to check the current user for PHP and the owner of the PHP Process:

    PHP Code:
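    <?php
    // get_current_user() returns the owner of the running script file;
    // posix_geteuid() is the effective user of the PHP process itself.
    echo 'Current user: ' . get_current_user() . '<br>' .
         'process user: ' . posix_getpwuid(posix_geteuid())['name'];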
    The result is 'mrbob', that is what I want and is the same for both results. The group should be 'webdev' but I'm not sure how to test that. I also made sure the directory /home/mrbob/.php is owned by mrbob:webdev and all children, too.. Well, specifically, I ran this command:
    Code:
    [root@**** mrbob]# chown -R mrbob:webdev .php
    [root@**** mrbob]# chmod -R 777 .php
    And for some reason it's still not working.. I'll decrease permissions inch-by-inch once I get something to work.
    Anyone know what I'm missing?
    Last edited by s-p-n; July 7th, 2016 at 05:10 AM.
  2. #2
    Fixed the issue.

    I changed the PHP session and wsdl cache dirs back to the defaults in /etc/httpd/conf.d/php.conf
    Code:
        php_value session.save_handler "files"
        php_value session.save_path    "/var/lib/php/session"
        php_value soap.wsdl_cache_dir  "/var/lib/php/wsdlcache"
    I then changed the group of those files to webdev. Everything works as expected now.
  4. #3
    Super Moderator
    Devshed Intermediate (1500 - 1999 posts)

    Join Date
    Jun 2009
    Location
    Hartford, WI
    Posts
    1,569
    Rep Power
    131
    Thank you very much for posting your fix, but please don't close/lock the topic. Future visitors may still have comments to set in.
    He who knows not that he knows not is a fool, ignore him. He who knows that he knows not is ignorant, teach him. He who knows not that he knows is asleep, awaken him. He who knows that he knows is a leader, follow him.
  6. #4
    K, I reopened the thread, thanks.

    I had other problems with file permissions, too (regarding file operations such as move_uploaded_file, fopen and mkdir under PHP). I noticed I had to set SELinux's httpd_unified setting to on.
    Code:
    setsebool -P httpd_unified On
    Note that doing the above may be a security risk if you run more than one instance of Apache on the same system. Since I'm only allowing one user on my system to use Apache, I don't think I need to be concerned with that issue. (Please verify this and correct me if I'm wrong, I really don't know much about Apache).

    httpd_enable_cgi must also be set to On, but already was. The SELinux settings for Apache are beyond my scope of knowledge, so please reply if I made a bad decision here or with a better way to accomplish what I want to do. I am still unable to move the PHP session.save_path, but I can live with that.

    Here's a list of what I have enabled in SELinux settings for httpd:
    Code:
    [root@*******]# getsebool -a | grep httpd | grep " on"
    httpd_builtin_scripting --> on
    httpd_enable_cgi --> on
    httpd_graceful_shutdown --> on
    httpd_unified --> on
    The only one I enabled by hand was httpd_unified.
    Last edited by s-p-n; July 7th, 2016 at 09:11 PM.
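
Added example (not part of the thread and not any poster's code): a way to check whether a `Permission denied (13)` that survives `chmod -R 777`, as in post #1, comes from SELinux rather than from file modes. It summarises httpd AVC denials from audit-log text; the function names and the sample log lines are constructed for illustration, and the SELinux cause is an assumption based on post #4.

```bash
#!/usr/bin/env bash
# Added example: summarise SELinux AVC denials for httpd from audit-log text.
# On a real host, feed it /var/log/audit/audit.log (readable by root).

# Constructed sample lines (hypothetical, not taken from the thread).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1467867000.101:501): avc:  denied  { write } for  pid=2101 comm="httpd" name="session" dev="dm-0" ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1467867000.101:501): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1467867003.417:502): avc:  denied  { write } for  pid=2102 comm="httpd" name="session" dev="dm-0" ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1467867009.250:503): avc:  denied  { search } for  pid=2103 comm="httpd" name="mrbob" dev="dm-0" ino=8001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1467867015.900:504): avc:  denied  { read } for  pid=3300 comm="sshd" name="motd" dev="dm-0" ino=7001 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
EOF
}

# Reads audit-log text on stdin and prints one line per unique denial:
#   <count> <permission(s)> <object class> <target SELinux type>
# Only denials whose source domain is httpd_t are counted.
summarize_httpd_denials() {
    awk '
    /avc:[ ]+denied/ && /scontext=[^ ]*:httpd_t:/ {
        perm = ""; ttype = ""; tclass = ""
        # The denied permission set sits between the braces: { write }
        if (match($0, /[{][^}]*[}]/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^tcontext=/) {
                # tcontext=user:role:type:level -> keep the type field
                split(substr($i, 10), ctx, ":")
                ttype = ctx[3]
            } else if ($i ~ /^tclass=/) {
                tclass = substr($i, 8)
            }
        }
        seen[perm " " tclass " " ttype]++
    }
    END { for (k in seen) print seen[k], k }' | sort
}

# Stand-alone run over the constructed sample.
sample_audit_log | summarize_httpd_denials
```

A target type such as `user_home_t` in the output means the denial comes from the file's SELinux label, which `chown` and `chmod` do not change. Labeling only the intended directory with `semanage fcontext -a -t httpd_sys_rw_content_t` followed by `restorecon` is typically a narrower change than a policy-wide boolean.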
