When calling fopen in PHP, I get permission denied error only from Apache

Problem :

I’m getting permission denied on fopen() call, but only if executing PHP script from Apache.

  • I have tried checking and double checking permissions, even tried setting 777 on both file being written and directory containing the file.
  • selinux is ‘Disabled’.

The line encountering the error is:

$logfile = fopen('/var/log/httpd/shib_session_logs/'.$filename,'a+');

And the error from /var/log/httpd/error_log is:

[Sun May 31 21:33:40.012053 2020] [php7:warn] [pid 30107:tid 140627505252096] [client 10.0.1.206:39032] PHP Warning:  fopen(/var/log/httpd/shib_session_logs/session_log_202061.log): failed to open stream: Permission denied in /var/www/html/shib/logwritter.php on line 9, referer: https://aiqsso.awsapps.com/start

Finally, if I run at command line, without Apache being involved, it works fine.

This works:

php index.php

Help?

Adding info:

Here is the /etc/httpd/conf.d/php.conf file:

#
# The following lines prevent .user.ini files from being viewed by Web clients.
#
<Files ".user.ini">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
        Satisfy All
    </IfModule>
</Files>

#
# Allow php to handle Multiviews
#
AddType text/html .php

#
# Add index.php to the list of files that will be served as directory
# indexes.
#
DirectoryIndex index.php

# mod_php options
<IfModule  mod_php7.c>
    #
    # Cause the PHP interpreter to handle files with a .php extension.
    #
    <FilesMatch \.(php|phar)$>
        SetHandler application/x-httpd-php
    </FilesMatch>

    #
    # Uncomment the following lines to allow PHP to pretty-print .phps
    # files as PHP source code:
    #
    #<FilesMatch \.phps$>
    #    SetHandler application/x-httpd-php-source
    #</FilesMatch>

    #
    # Apache specific PHP configuration options
    # those can be override in each configured vhost
    #
    php_value session.save_handler "files"
    php_value session.save_path    "/var/lib/php/session"
    php_value soap.wsdl_cache_dir  "/var/lib/php/wsdlcache"

    #php_value opcache.file_cache   "/var/lib/php/opcache"
</IfModule>

Let me know if you need anything else.

Solution :

Ok, I figured this out.

The main httpd log directory, /var/log/httpd, and all the logs in that directory are owned by root. But, those are the logs that httpd itself writes.

Apparently, the files read/written by PHP are under the auspices of the apache User and Group, as specified in /etc/httpd/conf/httpd.conf

User apache
Group apache

I chown'ed the log file and the directory that the log file is in, /var/log/httpd/shib_session_logs, to apache:apache. That didn't quite solve the problem though, because the directory that holds the PHP log files, /var/log/httpd/shib_session_logs, was itself in a directory, /var/log/httpd, that had root-only access. So, I was still getting permission denied. When I relaxed read permissions on that directory, everything started working.

I’ll be discussing this with some folks here, and ultimately, we’ll probably move the PHP log directory to another location, outside of /var/log/httpd, and reset the permissions on /var/log/httpd to 700.

Anyhow, it works!
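The following is an added example, not part of the original post: a path walker that reports the first directory or file whose mode bits stop a given uid/gid from opening a file, which is why 777 on the log file and its own directory was not enough. The temporary tree, the uid/gid values and the function names are constructed for illustration; the check covers classic mode bits only (no root override, ACLs or SELinux).

```python
import os, shutil, tempfile

def class_bits(st, uid, gids):
    """rwx bits (0-7) that apply to uid/gids: owner, else group, else other."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def first_blocker(path, uid, gids, need=6, base=os.sep):
    """Return (path, reason) for the first component that denies access,
    or None. need=6 is read+write, what fopen(..., 'a+') asks for."""
    path, base = os.path.abspath(path), os.path.abspath(base)
    rel = os.path.relpath(os.path.dirname(path), base)
    dirs, cur = [base], base
    for name in ([] if rel == "." else rel.split(os.sep)):
        cur = os.path.join(cur, name)
        dirs.append(cur)
    # Every directory on the way needs the search (x) bit for this identity.
    for d in dirs:
        if not class_bits(os.stat(d), uid, gids) & 1:
            return d, "no search (x) permission on directory"
    if os.path.exists(path):
        if class_bits(os.stat(path), uid, gids) & need != need:
            return path, "file mode lacks the requested access"
    elif class_bits(os.stat(dirs[-1]), uid, gids) & 3 != 3:
        return dirs[-1], "cannot create file: directory needs w and x"
    return None

def demo():
    """Constructed tree mirroring httpd/shib_session_logs/<logfile>."""
    base = tempfile.mkdtemp()
    httpd = os.path.join(base, "httpd")
    logs = os.path.join(httpd, "shib_session_logs")
    log = os.path.join(logs, "session.log")
    os.makedirs(logs)
    open(log, "w").close()
    for p, mode in ((base, 0o755), (logs, 0o777), (log, 0o777), (httpd, 0o700)):
        os.chmod(p, mode)
    owner = os.stat(httpd)
    web = (owner.st_uid + 1, {owner.st_gid + 1})  # stand-in for apache:apache
    before = first_blocker(log, *web, base=base)   # parent is 700: blocked
    os.chmod(httpd, 0o711)                         # search bit only, no listing
    after = first_blocker(log, *web, base=base)
    shutil.rmtree(base)
    return before, after

if __name__ == "__main__":
    print(demo())
```

On a live host, `namei -l <path>` prints the same per-component owner and mode information for manual inspection.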
