I don't understand the difference between composer running as root vs non-root user. Whatever user you run as, you must have to give write access to the main dir where composer stores its assets like vendor, scripts, composer.json and composer.lock.
E.g in my case, my dir structures are like below:-
.test
|-scripts
|-composer.json
|-scripts
|-webroot
|-.env
Say I am running as non-root user, But I must need to give that user to rwx to test dir so that whenever I run composer install it can create vendor, composer.lock and read scripts and execute it inside test dir.
But once you give rwx it can create any malicious script inside it or may access my env file. So how does it matter if you run as root or non-root ?
After spending some more time, I got to know that as composer is a cli script it uses PHP-CLI not PHP-FPM interpreter. PHP-CLI & PHP-FPM both are different thing. Web Server talks to PHP-FPM not to PHP-CLI. So whenever we call composer the composer process is owned by the PHP-CLI owner.
So webroot should be owned by the PHP-FPM owner to make a website work, where composer.json, vendors etc should be owned by the PHP-CLI owner. Both user should be different. Infact test dir should be writable by PHP-CLI owner and not writable by PHP-FPM process owner. Often PHP-FPM is run as owner www-data
Related
I've newly started to use Laradock to build my Laravel projects but I have a problem in editing the files such as Controllers, Models, etc which are made by the php artisan command in the Laradock workspace. The reason is the user in the workspace is a root and on the other side, I'm trying to edit the file in my editor by a common user. So every time I have to run the command chmod -R 777 /newCreatedFile.php to change the permission. So is there any solution to handle this problem?
By the way my OS is ubuntu 18.04
In the Laradock Getting Started guide, it explains how to get Laradock running as a specified user:
Note: You can add --user=laradock to have files created as your host’s user. Example:
docker-compose exec --user=laradock workspace bash
I believe this should solve your issue, as you will no longer have the Docker user running these commands. Try it out!
Note: The core issue may just be that whatever user Laradock is running as is not creating files with group permissions that allows the host machine's user write capabilities, hence why the --user flag can be used. It may not actually be running as the root user itself.
I am having a hard time trying to figure out the issue.
I am creating a Model using this Artisan command,
Artisan::call('make:model',['name' =>'Models\\'.$module.'\\'.$model_name]);
For whatever reasons,
1.there is a lock icon in the file
2.owner of the file is www-data
3.the permission for the file is 644 but when I create the Model from CLI the permission of the file is 757.
It all depends who runs the code, in this case web-server runs the code, thus Apache or NGINX is the owner of newly created file (same goes for uploads).
You can change this using
umask
change user/group of web-server
Best option is to use artisan as its meant to be used, from command line.
I'm new to Laravel and I find this framework awesome.
Artisan is also great but a have a little problem using it.
Let's say that I create a new Controller with Artisan like this
php artisan make:controller Test
There will be a new file in app/Http/Controllers named Test and the permission on this file will be root:root
When I want to edit this file with my editor over ftp I can't because I'm not logged as root.
Is there any ways to tell Artisan to create files with www-data group for example (without doing an chown command) ?
Since you have root shell access, the following command will execute another one using the www-data user-
sudo -u www-data php artisan make:controller Test
Replace www-data with whatever the username your web server operates under, or the username you login to the FTP service with.
When you do this, the controller will be owned by www-data, which is what you want.
Note: do not ever run commands copy-pasted from the internet without knowing exactly what they do, especially in a root shell.
In this case, the -u parameter tells sudo to execute the command as a specific user, not as the root user.
From the manpage:
-u user, --user=user
Run the command as a user other than the default target user (usually root ). The user may be
either a user name or a numeric user ID (UID) prefixed with the ‘#’ character (e.g. #0 for UID
0). When running commands as a UID, many shells require that the ‘#’ be escaped with a backslash
(‘\’). Some security policies may restrict UIDs to those listed in the password database. The
sudoers policy allows UIDs that are not in the password database as long as the targetpw option
is not set. Other security policies may not support this.
I know this is a really old post but I'd also really advise anyone agains editing your Laravel files over FTP. I used to do this in my pre-Laravel days and it NEVER ended well.
Editing over FTP can have all kinds of problems- dropping connection mid-edit being the least of them. Security and live development errors being a much larger concern.
Develop on your local or dev environment, commit/push to git, then either pipeline to your server or handle your FTP uploads and cleanup after the fact. Pipelines are your best bet if your host will allow them. We use Atlassian BitBucket for ours but the set-up and deployment should be relatively similar for most hosts. Check with your host for documentation on their pipeline set-up:
https://www.atlassian.com/continuous-delivery/tutorials/bitbucket-pipelines
There's also some tutorials online for pipelining straight to FTP (if on a shared host, say):
https://www.savjee.be/2016/06/Deploying-website-to-ftp-or-amazon-s3-with-BitBucket-Pipelines/
It is because you ran a command from root user, try to run the command from the user which you using for edit the project via ftp.
I have composer installed globally on my server.
I have several different domains/accounts on this server.
As root i can ssh onto the server an can use composer to update packages.
However every packages then has the owner and user of root:root.
When i log in as the account owner I then have insufficient rights to access any of the packages if i need to alter something inside the package.
Is there any way to run composer update and set the user/owner to the account holder other than setup ssh on a per account level?
Many thanks.
I'd say that if you need to be root to deploy software, then you are doing something wrong.
Composer is no deployment tool, it's a dependency manager. And that's what it does: It will download the required software packages and unzip them to the file system - as the user account that is running the install command.
If you want to change that, you have several options, amongst them things like:
su
sudo
set group id flag on the directory (chmod g+s)
collect the files outside the server and put them into place via SCP/SFTP/FTPS as the correct user
not change the dependencies' code as that user, only configuration files
... etc.
I've installed Symfony on Mac Os X and do:
chmod -R 777 app/cache app/log
Try do this:
php app/console cache:clear
And get back error:
[RuntimeException]
Unable to write in the "/Users/anton/Sites/local/Symfony/app/cache/dev" directory
Try to fix it! Thanks!
If you are on Mac you can use ACL as it is explained here.
From the project directory:
sudo chmod +a "_www allow delete,write,append,file_inherit,directory_inherit" app/cache app/logs
sudo chmod +a "whoami allow delete,write,append,file_inherit,directory_inherit" app/cache app/logs
_www in the first line is the name of which is running the web server
You have to change whoami in the second line as it is you when you type php app/console cache:clear. (usually the name of your home folder)
Apparently your web server (apache?) already created some files or dirs in the cache folder (so they are owned be the web servers user, probably www-data). In this case a chmod isn't enough, you have to execute a chown -R anton app/cache app/log.
To avoid the general problem of different owners of different cache files, your console user and the user executing php for the web server should be the same. There are different ways to accomplish this. You could:
Change your apache configuration, so the apache runs with your user (anton) rather than www-data
Drop mod_php and use php5-fpm instead (and configure it to use your user)
Use fast_cgi