cron Symfony2 to delete a file - symfony

I would like to create a cron that remove a file every 24hrs but it doesn't work for me !
emptyCache.php permission 755
rm -rf app/cache/*
I use for that a cron from OVH to do the job, I follow the process but the folder wasn't removed! My question is: is it the right command?

Here is an example of script which should work on a OVH hosting (Pro 2014), you don't need to use any PHP or Symfony2 file or command:
File: /homez.807/[my_login]/symfony2/launch_commands.php
#!/bin/bash
rm -rf /homez.807/[my_login]/symfony2/app/cache/*
It's simpler to put the full path of the directory you want to erase, but you can also use the cd command to change the directory then delete the sub-directory.
And here is the configuration in the OVH manager (see the Cron tab):
So the ./ is the root of you web hosting, corresponding to /homez.807/[my_login]/. Here are the two important options :
Script: we have to put the relative path (from the root of the web hosting) of the script: symfony2/launch_commands.sh
Language: Other because the script should be executed by the shell, not the PHP interpreter
Logs: you should enable logs in order to send the result of the cron task by email
Description: choose an explicit name

Related

SUID exploit and patch

I am working on a SUID root binary 'app' that runs a system("ls -la /dir") command and managed to exploit it by writing a malicious ls to get root and changing my user's environment path to set it to higher priority than the kernel's one.
I noticed that executing it as user returns me root shell while executing it with sudo "./example" uses root's path and simply lists the files in dir. As far as i know setuid inherits owner's (in this case root) privileges to user and sudo executes as root.
What are such vulnerabilities called ? How would an app developer patch it? I there any way i can force user's to use sudo ./app to execute a program?
I recommend you change app to use an absolute path for the commands it runs. For example:
system("/bin/ls -la /dir");
Even if the users use the sudo command to execute it, there are sudo arguments they can use (--preserve-env) to preserve their own PATH.
If you want the users to run app using sudo, then there's no need for the binary to be SUID root.

AWS beanstalk wordpress

I was trying to setting up my AWS beanstalk by following the implementation guide provided by AWS.
But when I got to the "Launch an Elastic Beanstalk Environment" section, this message appeared which basically said the app is not created.
Here's the message:
[Instance: i-088472611e1ef4405] Command failed on instance. Return
code: 1 Output: ln: failed to create symbolic link
'wp-content/uploads': No such file or directory. container_command
2link in wordpress-beanstalk/.ebextensions/efs-mount.config failed.
For more detail, check /var/log/eb-activity.log using console or EB
CLI.
Does anyone have the same problem or know how to resolve this?
Try changing the efs-mount to read the following, the directory clearly doesn't exist so lets just create it.
container_commands:
1chown:
command: "chown webapp:webapp /wpfiles"
2create:
command: "sudo -u webapp mkdir -p wp-content/uploads"
3link:
command: "sudo -u webapp ln -s /wpfiles wp-content/uploads"
2create will create the directory owned by the webapp user and should let you continue.
I just faced the same issue. I am going to assume deploying via the AWS console. That is how I started.
STEP 1: I checked if there was an actual directory wp-content/uploads in wordpress-beanstalk and there was not. It might get created on the first WP upload So, I created the folder, rezipped the application, and deployed to Beanstalk via the AWS Console.
I still received the same error and moved on to step 2
STEP 2: Run EB DEPLOY from the command line
from my local wordpress-beanstalk directory
eb init
choose region (if you already created your app should be this region)
if you already created application choose that wordpress-beanstalk for example
eb use name of your environment
eb deploy
I am not certain that Step 1 is related to Step 2, but was able to successfully deploy facing the same issue using EB CLI.
This is the mounting error of EFS .
EB is using EFS storage to store the wordpress files .
Please check the no.7 in documentation .
"Modify the configuration files in the .ebextensions folder with the IDs of your default VPC and subnets, and your public IP address."
Please edit the efs-create.config file inside the .ebextension folder.
A bit late here so for anyone else having this issue, it's caused when that directory does not exist. Here are some reasons this might happen:
1). WP has not created it - Check manually that it exists.
2). .gitignore - When a .ebignore file is not present, EB uses your .gitignore instead. This can cause the directory to not be uploaded with the EB deploy command. If this is the case, make a .ebignore, EB will start ignoring the .gitignore
3). Document root - If you have modified the document root, to something like /src you have to modify the efs-mount.config file.
##############################################
#### Do not modify values below this line ####
##############################################
container_commands:
1chown:
command: "chown webapp:webapp /wpfiles"
2link:
command: "sudo -u webapp ln -s /wpfiles src/wp-content/uploads"
Even though the file mentions not to modify it, you have to add your document root path in the 2link entry. Change wp-content/uploads to src/wp-content/uploads (replace src with your document root)
Finally, I would not include a command to automatically make this directory, as that only puts a band-aid on the problem.
Hope this helps

WordPress file permissions on CentOS7 requiring sudo

I'm running WordPress on my VPS with CentOS 7 LAMP stack.I've followed this guide to set permissions, i.e. I've run
sudo chown apache:apache -R *
to ensure that my wordpress directory is owned by apache:apache.
I've also set WordPress directory and file permissions with these commands:
find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;
(I had to prefix the above commands with sudo)
Normally I manage the server by logging in through SSH using myuser, where myuser belongs to the apache group and the wheel group.
I have 3 problems:
Any file CRUD command in the WordPress directory still requires me to prefix the command with sudo, or else I get a permission error. Since myuser belongs to apache and apache owns the directory, I'm confused as to why I still need to prefix the commands with sudo.
Similar to problem 1, any git command such as a git pull requires me to prefix the command with sudo or else I get a permission error.
When I try to automatically update theme files from my WordPress dashboard web interface, I get permission errors. Interestingly, I'm able to install/update plugins via the WordPress dashboard without any permissions errors.
Any ideas on what I'm missing?
Look at:What does mode_t 0644 mean?
644 means:
* (owning) User: read & write
* Group: read
* Other: read
CRUD is a write command, so you're not allowed to do that. Either you change to 664 or keep using sudo. Basically any writing procedure on the file system would not be allowed without sudo since your user is not the owner (event though he is in the group).
#fortuneRice, CentOS7 features selinux enabled by default, which is often the cause of many hard-to-understand file permission errors.
I would suggest the following:
Edit /etc/sysconfig/selinux
Change SELINUX=permissive (or whatever SELINUX is currently set to in the file) to SELINUX=disabled
Reboot your server (not just the apache web server, but the whole machine)
Disabling SELINUX completely is not a good idea, therefore if this procedure works, you should re-enable SELINUX and fix its configuration.
Configuring SELINUX can be a difficult task, so I suggest you read up on google how to do that :)
chown -R -f user:apache /path of the directory
I also faced that issue and solved this problem by changing the PHP handler.
it is important to use PHP Handler that will run as the file owner.
After I installed HTTP2 and another few features on the way, I changed the PHP handler.
I am running WHM/CPanel on my VPS, and I fixed my issue following these steps:
Under WHM > Software > EasyApache 4 > Customize
Look for the: mod_suphp under the Apache Modules tab and make sure it is enabled, and if you just turned it on to install, follow step two.
Go to the Review tab and click the Provision button to save.
Under Whm > Software > MultiPHP Manager look for PHP Handlers tab.
Choose suphp as the handler for the current PHP version.
That's it. It was the PHP handler.
Edit: I notice that suphp had a conflict with one of my user uploads directories that I am adding dynamically to images a watermark. It seems the suphp handler had permission to upload but doesn't show the pictures.
I also tried the lsapi for the PHP Handler, and it seems to work correctly with the file's permissions and attaching via the .htaccess file watermarks for images.

Symfony2 "Assetic:dump -env-prod" Permission denied Exception

Before i executed an update (composer.phare update) with the root user, every thing works fine, but now when i tries to run "Assetic:dump -env-prod" i get a "Permission denied" error
[Assetic\Exception\FilterException]
An error occurred while running:
'' '-jar' '/home/symfony/www/app/Resources/java/yuicompressor.jar' '--ch
arset' 'UTF-8' '-o' '/tmp/YUI-OUT-vbRlyu' '--type' 'css' '/tmp/YUI-IN-OoRVH
Q'
Error Output:
sh: 1: : Permission denied
Input:
meta.foundation-version{ ...
I tried all the solutions in this post Fontawesome fonts fail after assets:install and assetic:dump
clear the cache, chown, chgrp and chmod nothing worked always the same problem
One way to deal with file permissions when you are running a web based application which requires either auto deployment or constant manual updates like using bin/console from symfony2, its to make sure that the files belongs to the user under which your application runs.
As you did not provide environment settings, I will be making a few assumptions and provide you with a generic setup scenario, hopefully this will help guide you to the the best solution for your specific case.
Environment Assumptions:
OS: linux flavor;
Web server: nginx will be running as www-data;
PHP: php-fpm will running as testapp and using a socket connection for this application;
Generic set-up steps:
In the /etc/nginx/nginx.conf file, make sure that the user/group are set to www-data;
In the /etc/php5/fpm/pool.d/apptest.conf file, make sure that the user & group are set to testapp;
TIP: The file above might need to be created, if that's the case you should just copy the content of the www.conf file located in the same folder.
In the /etc/php5/fpm/pool.d/apptest.conf file, make sure listen.owner & listen.group are set to www-data;
Make sure that you have a line like the one below in this file /etc/php5/fpm/pool.d/apptest.conf:
listen = /var/run/php5-fpm.apptest.sock.
NOTE: the fpm.apptest.sock portion of that line above, its the name of a file that does not exist yet but will be created when you restart php. The benefit is that you will have an isolated php process for this application;
a) In the case on nginx and if you are using socket connections, make sure to add this line in your apptest conf file:
unix:/var/run/php5-fpm.apptest.sock;
b) If you are using apache add this line in that conf file:
-socket /var/run/php5-fpm.apptest.sock;
If you are on a linux box, create user with no password and it should be called, apptest.
Note: apptest is the name of your application, it will also be the user under which php will be running and it should also be the application files/folders owner.
Restart php and nginx/apache.
Tip: to change to a user in linux which has no password, you should have root privileges and run:
sudo -u apptest -i.
After this, you should perform all your commands as the apptest user previously created, including running the symfony2 bin/console.
These are very generic steps, so if you need any clarification, let me know.
I do not recommend to use root for updating. In my opinion the way to go is to have /app/logs /app/cache writable for the server and the src and vendor folder only readable for the server.
So lets say your user and group is: coolman, than try this:
# everything is yours
chown coolman:coolman -R .
# all and group can access folders and read files, you as user can additionally write them
chmod ag=rX,u=rwX -R .
# full access to logs and cache for everyone (also the server)
chmod a+rwX -R app/logs app/cache
You make your composer update with your coolman user.
There is only one small problem, too. The logs might be www-data:www-data rw-r--r-- so you cannot delete them. So just add a line to your app.php and your app/console file:
\umask(0000);
I think this line is commented out as default. This says, that if no explicit rights are set within PHP, than every file which is created will get 0777 - mask = 0777 so you can delete logs and cache then.

WordPress asking for my FTP credentials to install plugins

I installed a WordPress blog in my local system. But when I try to add plugins from admin it asks for FTP access. What do I need to configure for WordPress to be able to upload without FTP?
Try to add the code in wp-config.php:
define('FS_METHOD', 'direct');
If you are using Ubuntu.
sudo chown -R www-data:www-data PATH_TO_YOUR_WORDPRESS_FOLDER
"Whenever you use the WordPress control panel to automatically install, upgrade, or delete plugins, WordPress must make changes to files on the filesystem.
Before making any changes, WordPress first checks to see whether or not it has access to directly manipulate the file system.
If WordPress does not have the necessary permissions to modify the filesystem directly, you will be asked for FTP credentials so that WordPress can try to do what it needs to via FTP."
Solution:
In order to find out what user your instance of apache is running as, create a test script with the following content:
<?php echo(exec("whoami")); ?>
For me, it was daemon and not www-data. Then, fix the permission by:
sudo chown -R daemon /path/to/your/local/www/folder
If during installation of a plugin, Wordpress asks for your hostname or FTP details.
Then follow these steps:
Login to your server and navigate to /var/www/html/wordpress/.
Open wp-config.php and add this line after define(‘DB_COLLATE’)
define('FS_METHOD', 'direct');
If you get "Could not create directory" error. Give write permissions to your wordpress directory in recursive as
chmod -R go+w wordpress
NOTE. For security, revoke these permissions once you install a plugin as
chmod -R go-w wordpress
I changed the ownership of the wordpress folder to www-data recursively and restarted apache.
sudo chown -R www-data:www-data <folderpath>
It worked like a charm!
On OSX, I used the following, and it worked:
sudo chown -R _www:_www {path to wordpress folder}
_www is the user that PHP runs under on the Mac.
(You may also need to chmod some folders too. I had done that first and it didn't fix it. It wasn't until I did the chown command that it worked, so I'm not sure if it was the chown command alone, or a combination of chmod and chown.)
I did a local install of WordPress on Ubuntu 14.04 following the steps outlined here and simply running:
sudo chown -R www-data:www-data {path_to_your_project_directory}
solved my issue with downloading plugins. The only reason I'm leaving this post here is because when I googled my issue, this was one of the first results and it led me to the solution to my problem.
Hope this one helps to anyone!
There's a lot of similar responses to this question, but none of them fully touch on the root cause. Sebastian Schmid's comment on the original post touches on it but not fully. Here's my take as of 2018-11-06:
Root Cause
When you try to upload a plugin through the WordPress admin interface, WordPress will make a call over to a function called "get_filesystem_method()" (ref: /wp-admin/includes/file.php:1549). This routine will attempt to write a file to the location in question (in this case the plugin directory). It can of course fail here immediately if file permissions aren't setup right to allow the WordPress user (think the user identity executing the php) to write the file to the location in question.
If the file can be created, this function then detects the file owner of the temporary file, along with the file owner of the function's current file (ref: /wp-admin/includes/file.php:1572) and compares the two. If they match then, in WordPress's words, "WordPress is creating files as the same owner as the WordPress files, this means it's safe to modify & create new files via PHP" and your plugin is uploaded successfully without the FTP Credentials prompt. If they don't match, you get the FTP Credentials prompt.
Fixes
Ensure the plugin directory is writable by the identity running your php process.
Ensure the identity that is running your php process is the file owner for either:
a) All WordPress application files, or...
b) At the very least the /wp-admin/includes/file.php file
Final Comments
I'm not overly keen on specifically applying file ownership to the file.php to work around this issue (it feels a tad hacky to say the least!). It seems to me at this point that the WordPress code base is leaning towards having us execute the PHP process under the same user principal as the file owner for the WordPress application files. I would welcome some comments from the community on this.
From the first hit on Google:
WordPress asks for your FTP credentials when it can't access the files
directly. This is usually caused by PHP running as the apache user
(mod_php or CGI) rather than the user that owns your WordPress files.
This is rather normal in most shared hosting environments - the files are stored as the user, and Apache runs as user apache or httpd. This is actually a good security precaution so exploits and hacks cannot modify hosted files. You could circumvent this by setting all WP files to 777 security, but that means no security, so I would highly advise against that. Just use FTP, it's the automatically advised workaround with good reason.
For me the the process that solved, to be able to work on my localhost using Ubuntu, was:
(of course you must replace myUser by your user, whoami show it for you if you dont know)
Include myself on www-data group (to be able to access and edit files without sudo):
sudo usermod -aG www-data myUser
Set myself and this group as files owners:
sudo chown -R myUser:www-data /var/www/html
Set a major permission for the group (the group must write too):
sudo find . -type f -exec chmod 664 {} \;
sudo find . -type d -exec chmod 775 {} \;
Then add this line on config.php
define('FS_METHOD', 'direct');
The easiest way to solve this problem is add the following FTP information to your wp-config.php
define('FS_METHOD', 'direct');
define('FTP_BASE', '/usr/home/username/public_html/my-site.example.com/wordpress/');
define('FTP_CONTENT_DIR', '/usr/home/username/public_html/my-site.example.com/wordpress/wp-content/');
define('FTP_PLUGIN_DIR ', '/usr/home/username/public_html/my-site.example.com/wordpress/wp-content/plugins/');
FTP_BASE is the full path to the "base"(ABSPATH) folder of the WordPress installation
FTP_CONTENT_DIR is the full path to the wp-content folder of the WordPress installation.
FTP_PLUGIN_DIR is the full path to the plugins folder of the WordPress installation.
We had the same problem as part of a bigger problem. The suggested solution of
define('FS_METHOD', 'direct');
hides that window but then we still had problems with loading themes and upgrades etc. It is related to permissions however in our case we fixed the problem by moving from php OS vendor mod_php to the more secure php OS vendor FastCGI application.
First move to your installation folder (for example)
cd /Applications/XAMPP/xamppfiles/
Now we’re going to modify your htdocs directory:
sudo chown -R daemon htdocs
Enter your root password when prompted, then finish it out with a chmod call:
sudo chmod -R g+w htdocs
I was facing the same problem!
I've added the code below in wp-config.php file (in any line) and it's working now!
define('FS_METHOD', 'direct');
define('FS_METHOD', 'direct');
Add this to wp-config.php
If the issue still persist , you can try setting permission of plugin folder to 755
Or in linux you can set it by this command
Chmod -R 755
As mentioned by Niels, this happens because the server process user can't write to the Wordpress folder.
But here's the thing a lot of articles don't explain. It's the owner of the php process, not the nginx process. If you try to change the nginx owner, it won't solve this.
To solve it, try running ps aux to see which user owns the php-fpm process. Then check that user is the same user as the owner of the wordpress folder, or can at least write to it. If the user can't write to it, you'll need to change permissions and/or ownership of the folder; or put the two users (server owner and wordpress folder owner) in a common group which can write to the folder; or change php.ini "user" property to a user that can write to the folder.
Changing the ownership of the files worked but only after I logged out of my wordpress website and logged in again. I also restarted the Apache server, but that may not be necessary.

Resources