Linux PHP create file permissions denied_问答_开发者

Linux PHP create file permissions denied

开发者 https://www.devze.com 2023-02-22 16:01 出处：网络

I am working on Ubuntu and trying to get a PHP script working that will allow the user to input a Youtube video URL, and the script will download the flv and convert it using youtube2mp3 (which I found here: http://hubpages.com/hub/Youtube-to-MP3-on-Ubuntu-Linux ). I have been getting errors which I'm sure are permissions based, and I would like to know the best and most secure way to correct them. Right now I'm calling

echo system("youtube-dl --output=testfile.flv --format=18 $url");

just to try and get the downloading portion working. What shows up on the following page is

[youtube] Setting language
[youtube] xOMEi2g_oEU: Downloading video webpage
[youtube] xOMEi2g_oEU: Downloading video info webpage
[youtube] xOMEi2g_oEU: Extracting video information
[youtube] xOMEi2g_oEU: Extracting video information

before showing the rest of my (irrelevant) output. In the apache error log, I'm getting

ERROR: unable to open for writing: [Errno 13]
    Permission denied: u'testfile.flv.part'

which is obviously indicative of a permissions issue. Do I have to chown the directory in question to www-user? Is that secure? Or should I chmod the directory instead? Eventually I will be putting this on a public facing server and I don't want any vuln开发者_运维问答erabilities in my implementation. Any and all advice and answers are greatly appreciated!

This is running as the user running the php process so two things:

Make sure this user has access to the directory you are writing your testfile out to. I would specify a path that is isolated and not part of the web server directory structure which it appears to be doing now
Is $url coming from user input? If it is I would then use escapeshellcmd on the entire string to ensure there isn't the random rm -rf * command in there.

chown can be used only by a superuser so if it's convenient you can use it, but servers don't normally run as superusers so I would go for chmod.

Both of @Wes's suggestions are worth following; you don't want some goofball to supply an url like ||nc -l 8888 | sh & and log in to your system a second later.

I strongly recommend confining your configuration with a tool such as AppArmor, SElinux, TOMOYO, or SMACK. Any of these mandatory access control tools can prevent an application from writing in specific locations, executing arbitrary commands, reading private data, etc.

As I've worked on the AppArmor system for a decade, it's the one I'm most familiar with; I believe you could have a profile for your deployment put together in half a day or so. (It'd take me about ten or fifteen minutes, but like I said, I've been working on AppArmor for a decade. :)