Open mave-git opened 1 year ago
Which is the user running PHP inside my_webapp?
The user would be my_webapp
if you have only one instance of the app. Otherwise, check its ID from the webadin.
Thanks. Never mind. I've installations of the CMS in my_webapp, my_webapp__2, my_webapp3. In everyone of these it doesn't work. Should be the user not be "mywebappx" based on the app installation?
Add: "check its ID from the webadin." ???
That's what I was implying. The user should be my_webapp__2
for the second instance, and so on. The PHP config is correct for that, cf. the conf
directory of this repo.
The user does have write access to its www
directory.
I have just tried running a simple php script from the command line, that writes a new file, and it works. :/
... a miracle ;-) I'm not a php programmer. Could you give me this simple script for testing on my system?
Shameless copy-paste from: https://linuxhint.com/write-file-php/
Create a new php file test.php
with the following contents, in /var/www/my_webapp/www/
:
<?php
//Define the filename
$filename = "newfile1.txt";
//Print the file content
echo "<h3>The content of the file before update:</h3>";
echo [file_get_contents](http://www.php.net/file_get_contents)($filename);
//Open the file for reading
$file_handler = [fopen](http://www.php.net/fopen)($filename, 'a+');
//Check the file handler is created or not
if(!$file_handler)
//Print the error message
[die](http://www.php.net/die)("The file can't be open for writing<br />");
else
{
//Write the particular content in the file
$data = "This is the second line of the file.<br />";
[fwrite](http://www.php.net/fwrite)($file_handler, $data);
//Close the file
[fclose](http://www.php.net/fclose)($file_handler);
//Print the success message
echo "<p style='font-size:20px;color:blue'>The file is updated with the content.</p>";
}
//Print the file content
echo "<h3>The content of the file after update:</h3>";
echo [file_get_contents](http://www.php.net/file_get_contents)($filename);
?>
Run it either by opening it in the browser or by running the command line: sudo -u my_webapp php8.0 -f /var/www/my_webapp/www/test.php
.
Test both ways and delete newfile1.txt
between attempts, as the CLI might have different rights than FPM (via the browser).
Will do it (later). Thanks!
Uuups ... ;-)
root@freiesachen:/var/www/my_webapp__3/www# sudo -u my_webapp__3 php8.0 -f /var/www/my_webapp__3/www/test.php
PHP Parse error: syntax error, unexpected token "if" in /var/www/my_webapp__3/www/test.php on line 11
root@freiesachen:/var/www/my_webapp__3/www# sudo -u my_webapp__3 php7.4 -f /var/www/my_webapp__3/www/test.php
PHP Parse error: syntax error, unexpected ':', expecting ')' in /var/www/my_webapp__3/www/test.php on line 7
root@freiesachen:/var/www/my_webapp__3/www#
Seems to be another trouble. Tried php 8.0 and 7.4, pasted the code exactly. Additionally sorry: I forgot to mentioned: the problem caused for a modul that writes in a hidden subdir:
drwxr-xr-x 3 my_webapp__3 my_webapp__3 4096 Feb 7 21:36 .
drwxr-xr-x 14 my_webapp__3 www-data 4096 Feb 7 21:55 ..
-rw-r--r-- 1 my_webapp__3 my_webapp__3 0 Feb 7 21:35 .empty
drwxr-xr-x 3 my_webapp__3 my_webapp__3 4096 Feb 7 21:36 **.news_img**
inside ==>
drwxr-xr-x 3 my_webapp__3 my_webapp__3 4096 Feb 7 21:36 .
drwxr-xr-x 3 my_webapp__3 my_webapp__3 4096 Feb 7 21:36 ..
-rw-r--r-- 1 my_webapp__3 my_webapp__3 425 Feb 7 21:36 index.php
drwxr-xr-x 2 my_webapp__3 my_webapp__3 4096 Feb 7 21:36 thumb
A member of the WBCE CMS forum asked me, if there is a problem with hidden directories (?)
So, I created based on above/linuxhint.com/write-file-php this one:
<?php
//Define the directory
$subdir = "media/.news_img/99";
$dir_handler = file_exists($subdir);
if(!$dir_handler)
mkdir($subdir);
//Define the filename
$filename = "$subdir/newfile1.txt";
//Open the file for reading
$file_handler = fopen($filename, 'w');
//Check the file handler is created or not
if(!$file_handler)
//Print the error message
die("The file can't be open for writing<br />");
else
{
//Write the particular content in the file
$data = "This is the first line of the file.<br />";
fwrite($file_handler, $data);
//Close the file
fclose($file_handler);
//Print the success message
echo "<p style='font-size:20px;color:blue'>The file is created with the content.</p>";
//Print the file content
echo "<h3>The content of the file after creation:</h3>";
echo file_get_contents($filename);
}
?>
Worked on the hidden directory. Seems to be a problem on CMS-side. ;-) Thanks for your support until now!
So, the origin problem changed ;-), look:
In communication with the WBCE developer I tried debugging the code on this behaviour. Nothing to see, but. I created two exactly same installations: Yunohost: oejv-bayern.freiesachen.de and on Hetzner Webspace: nwi.mvtool.de (Apache!) On Test-Site on Yunohost-Server and my_webapp__3 all pictures are placed at correct location but if calling them, it runs in 403 forbidden. Example: https://oejv-bayern.freiesachen.de/media/.news_img/test02.jpg.
The same file on nwi.mvtool.de: https://nwi.mvtool.de/media/.news_img/test02.jpg
Conclusion: Thoughts about wrong file writing seems to be not correct. Could be a nginx-thing: files written by scripts maybe run in this error. Files written via SFTP in may_webapp__x are okay. So, is it a nginx-configuration of Yunohost or the sub-parts in my_webapp ???
News: The problem seems to be narrowed down: within my_webapp access to a hidden directory generates a 403 error. That's a configuration thing inside nginx. Where: Yunohost global or my_webapp additions?
Found the "issue" in case of my system WBCE: my_webapp blocks hidden fiels and folders. I found this in the app-nginx config (/etc/conf.d/domain.tld.d/my_webapp[__x].conf)
# Deny access to hidden files and directories
location ~ ^__PATH__/(.+/|)\.(?!well-known\/) {
deny all;
}
What's the reason for this decision?
Great investigation! :) Pinging @YunoHost-Apps/apps-group for more insights, but I guess it's because hidden files are meant to be... hidden. 😛
You want to circumvent that, either configure the CMS to rely on a non-dotted directory, or change the block you quoted with:
# Deny access to hidden files and directories
location ~ ^__PATH__/(.+/|)\.(?!well-known\/|news_img\/) {
deny all;
}
The original commit doesn't say much about this: https://github.com/YunoHost-Apps/my_webapp_ynh/commit/1e98b92d70fba3b11dab75c2c039cce4a4a0b906
But I could see one motivation, which is that people could be tempted to git clone
some repo, and sometimes the remote may contain a token (for example to be able to git pull which more and more requires authentication) - or the git history could contain secrets etc. More generally, any hidden folder may be thought as a safe way to store secret etc...
Dunno if that's a good enough motivation but that's my 2 cents ;P
Thanks for your comments! I talked to the developer of the CMS WBCE and the specific module has its reason using a hidden folder. And Yunohost/my_webapps has its own reasons. Crashing motivations ;-). The code above is known, but will renewed when my_webapp is updating - or? I saw the automatic including *.conf-files from /etc/nginx/conf.d/DOMAIN.LTD.d/ and tried a nginx command inside an additionally file to overwrite the standard blocking of hidden files/folders. But this does not work yet. So, maybe creating an new ynh-package for this CMS, using its own nginx-controlling ... ;-)
Check out the hooks system from our documentation. A hook script can be triggered whenever your webapp is upgraded so that its nginx conf file is always set to your liking.
How to post a meaningful bug report
Describe the bug
Trying using the WBCE CMS. Installing works. But a module needs to write files and creates own subdirs. File writung is okay, creating subdirs not. And: Reading the files gives a 403 forbidden nginx error.
Context
Steps to reproduce
Expected behavior
All files written by SFTP are okay, only problems on files and subdirs (tried) written by the CMS.hown/chmod was checked, everything is my_webapp__X:www-data and/or 0644/755.
Logs
;-( PHP-Log shows no error, when it happens.
Short: Which is the user running PHP inside my_webapp? Where are modifications to make, the PHP-Srcrpts are allowed creating subdirs and so on?