I have a PHP file within /var/www/html that is called from the client side, and within this PHP file I require a file from a directory I created and called /app/lib/ where all of my custom libraries and classes reside.
However, every time the endpoint is hit, I get the following PHP warning & error:
PHP Warning: require(/app/lib/User/User.php): Failed to open stream: Permission denied
PHP Fatal error: Uncaught Error: Failed opening required '/app/lib/User/User.php' (include_path='.:/usr/share/pear:/usr/share/php')
My server OS is CentOS.
Currently, the permissions on the /app/lib directory are apache:apache, with permissions on all directories set to 755, and the PHP files being set to 644.
I am not sure what else I am missing, so if anyone has any insight, I would greatly appreciate the help.
2 Answers
This is for anyone dealing with the same issue.
ÁlvaroGonzález's comment helped me figure this out, but the root of the issue was SELinux, which runs on CentOS by default.
In order to fix my issue I disabled SELinux, which I do not recommend; you should research SELinux before you decide to disable it, but I feel comfortable doing so on my server.
To disable SELinux:
vi /etc/sysconfig/selinux
SELINUX=disabled
You’re probably missing chmod 755 /app. It’s not sufficient to set the permissions on just the directories with the target files on them. You also need to set permissions on every parent directory back up to the root. For example, if you have a file /app/lib/User/User.php, then you will need to set the permissions on the file User.php, the directory it’s in /app/lib/User, and its parents /app/lib and /app. You can do this with the -R recursive argument on chown/chmod or just specify multiple arguments:

Note however, one of your most basic security tenets for a web server should be, "The user that the web server process runs as should not have write access to the files it serves." This will prevent attackers from being able to exploit vulnerabilities to create or change PHP files. Ideally, you want the files to be owned by an unprivileged user, and then set read-only to the web server. I.e., don’t chown apache:apache for them. Since you’re granting world-read, the files don’t have to (and shouldn’t) be owned by the Apache user. Instead use something like nobody:nobody.
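The parent-directory and ownership points in the answer above can be checked before changing any modes. The following is an added example, not code from either answer: it assumes GNU stat and readlink and the layout the answer recommends, where the web server reaches files through the "other" permission bits. The function name audit_path and the NOACCESS/WRITABLE labels are made up for this example.

```shell
#!/bin/sh
# Added example. audit_path FILE [WEB_USER]
# Walks FILE and every parent directory up to / and prints one line per finding:
#   NOACCESS <path>  "other" lacks r (on the file) or x (on a directory), so a
#                    process that is neither owner nor group cannot get through
#   WRITABLE <path>  owned by WEB_USER or writable by "other", so the web
#                    server process could create or change content there
# Exit status: 0 no findings, 1 findings, 2 path could not be resolved or read.
audit_path() (
    # The body is a subshell: variables stay local, exit only ends the function.
    web_user=${2:-apache}              # assumed default; pass your server's user
    rc=0
    p=$(readlink -f -- "$1") || exit 2
    while :; do
        info=$(stat -c '%a %U' -- "$p") || exit 2
        mode=${info%% *}
        owner=${info#* }
        other=${mode#"${mode%?}"}      # last octal digit = bits for "other"
        if [ -d "$p" ]; then need=1; else need=4; fi   # x for dirs, r for files
        [ $(( other & need )) -ne 0 ] || { echo "NOACCESS $p"; rc=1; }
        if [ "$owner" = "$web_user" ] || [ $(( other & 2 )) -ne 0 ]; then
            echo "WRITABLE $p"
            rc=1
        fi
        [ "$p" = / ] && break
        p=$(dirname -- "$p")
    done
    exit "$rc"
)

# Example call: sh audit.sh /app/lib/User/User.php apache
if [ "$#" -gt 0 ]; then audit_path "$@"; fi
```

If no NOACCESS line is printed and PHP still reports "Permission denied", the denial is not coming from the mode bits, which is the situation the first answer describes.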