
I have a PHP file within /var/www/html that is called from the client side, and within this PHP file I require a file from a directory I created and called /app/lib/ where all of my custom libraries and classes reside.

However, every time the endpoint is hit, I get the following PHP warning & error:

PHP Warning: require(/app/lib/User/User.php): Failed to open stream: Permission denied

PHP Fatal error: Uncaught Error: Failed opening required '/app/lib/User/User.php' (include_path='.:/usr/share/pear:/usr/share/php')

My server OS is CentOS.

Currently, the permissions on the /app/lib directory are apache:apache, with permissions on all directories set to 755, and the php files being set to 644.

I am not sure what else I am missing, so if anyone has any insight, I would greatly appreciate the help.

2 Answers


  1. Chosen as BEST ANSWER

    This is for anyone dealing with the same issue.

    ÁlvaroGonzález's comment helped me figure this out, but the root of the issue was SELinux, which runs on CentOS by default.

    In order to fix my issue I disabled SELinux, which I do not recommend. You should research SELinux before you decide to disable it, but I feel comfortable doing so on my server.

    To disable SELinux:

    1. vi /etc/sysconfig/selinux
    2. Set SELINUX=disabled
    3. Restart the server (not Apache)

  2. You’re probably missing chmod 755 /app.

    It’s not sufficient to set the permissions on just the directories with the target files on them. You also need to set permissions on every parent directory back up to the root. For example, if you have a file /app/lib/User/User.php, then you will need to set the permissions on the file User.php, the directory it’s in /app/lib/User, and its parents /app/lib and /app. You can do this with the -R recursive argument on chown/chmod or just specify multiple arguments:

        chmod 644 /app/lib/User/User.php
        chmod 755 /app /app/lib /app/lib/User

    Note however, one of your most basic security tenets for a web server should be, "The user that the web server process runs as should not have write access to the files it serves." This will prevent attackers from being able to exploit vulnerabilities to create or change PHP files. Ideally, you want the files to be owned by an unprivileged user, and then set read-only to the web server. I.e., don’t chown apache:apache for them. Since you’re granting world-read, the files don’t have to (and shouldn’t) be owned by the Apache user. Instead use something like nobody:nobody.

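The two answers point at two layers that can each produce the same "Permission denied": the mode bits on a parent directory and the SELinux label. The script below is an added example, not part of either answer; it assumes GNU `stat`, an absolute path, and a web server user that is neither owner nor group member (so only the "other" bits are checked), and the function names and the optional `BASE` argument are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original answers.
# Assumptions: GNU stat, absolute path, web server user matches only the
# "other" permission class (neither owner nor group member).

# first_blocking_component FILE [BASE]
# Prints the first component of FILE lacking the needed "other" bit
# (x on a directory, r on the file) and returns 1; returns 0 if none.
# BASE (hypothetical convenience): components at or above it are skipped.
first_blocking_component() (
    target=$1; base=${2:-}; path=""
    set -f; IFS=/                       # split the path on "/" only
    for part in $target; do
        [ -n "$part" ] || continue
        path="$path/$part"
        case "$base/" in "$path"/*) continue ;; esac
        mode=$(stat -L -c '%a' "$path" 2>/dev/null) || { echo "$path"; return 2; }
        other=${mode#"${mode%?}"}       # last octal digit = "other" bits
        if [ -d "$path" ]; then need='[1357]'; else need='[4567]'; fi
        case "$other" in $need) ;; *) echo "$path"; return 1 ;; esac
    done
    return 0
)

# audit_path FILE
# One line per component: mode, owner:group, SELinux context, path.
# The context is "-" when the system carries no SELinux labels.
audit_path() (
    path=""
    set -f; IFS=/
    for part in $1; do
        [ -n "$part" ] || continue
        path="$path/$part"
        ctx=$(stat -L -c '%C' "$path" 2>/dev/null) || ctx="-"
        printf '%s %s %s\n' "$(stat -L -c '%a %U:%G' "$path")" "$ctx" "$path"
    done
)

# Stand-alone use: pass the file PHP fails to open as the only argument.
if [ "$#" -gt 0 ]; then
    audit_path "$1"
    blocked=$(first_blocking_component "$1") || echo "blocked at: $blocked"
fi
```

If every mode is sufficient but the context column shows a type the httpd policy does not allow (for example `default_t` rather than `httpd_sys_content_t`), the denial comes from SELinux and is recorded as an AVC entry in the audit log.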