如何使apache2用户访问/ root目录中的文件？

Question

I am using Linux 12.04,apache and php is installed on it.I want to access a text file in /root/ folder.I am really confused with the permissions.The php script im using

<?php
$file = fopen("/root/cr.txt", "r") or exit("Unable to open file!");
//Output a line of the file until the end is reached

while(!feof($file))
  {
  echo fgets($file). "<br>";
  }

fclose($file);
?>

This script is able to access the file /var/www folder but not able to access /root/ip.txt file. Please help and explain step to step possible.

Answer 1

I will forget about the security implications of doing this and will go down to business:

If you have done ls -l /var/www and ls -l /root you would have noticed that both has different permissions:

$ ls -l /root/cr.txt total 2 -rw-r----- 1 root root 0 Jul 9 01:28 cr.txt $ ls -l /var/www total 2 -rw-r--r-- 1 www-data www-data 0 Jul 9 01:28 somefile

The /root is only readable for root, while /var/www is readable by www-data user. Now, if you check apache process you will notice that it's running using the www-data user.

$ ps aux | grep apache www-data 5133 0.0 0.2 6512 1208 ? R+ 10:04 0:00 apache

Now, you are trying to make apache running with the www-data user read the file. You can take three courses of action:

1.Move the file to /var/www and change it's permissions so www-data users can read it.

mv /root/cr.txt /var/www/
chown www-data:www-data /var/www/cr.txt

2.This is the preferable method.

Create a symlink to the file in the /var/www directory:

ln /root/cr.txt /var/www/

3.This won't ensure that your file is being read, in some cases.

This is dangerous and should not be done! Add the www-data user to the root group, or change the file ownership so it could be read by www-data users:

chown :www-data /root/cr.txt
## Or
sudo adduser www-data root

This shouldn't be done if you don't understand the risks!

Answer 2

First, it is generally a bad idea to give apache access to root. If you insist ...

Install ACL (Access Control List) Installing ACL

Then, assuming your apache server runs with 'apache2' for it's user and group, give the apache2 user and group access to directories/files:

setfacl -m "group:apache2:r-x" /root/whatever.file
setfacl -m "user:apache2:r-x" /root/whatever.file

# *** only need the next two lines if you plan on writing new files in the specified  directory.  It sets the default file permissions that will be used when the new file is created.
setfacl -d -m "group:apache2:r-x" /root
setfacl -d -m "user:apache2:r-x" /root

Change the rx permissions to whatever you need

Edit - potential solution without ACL

The following is untested and may require tweaking but should get you going in the right direction. USE AT YOUR OWN RISK!

Create a new group. The name can be anything but for this example I will call it 'wwwadmins' using groupadd

 groupadd wwwadmins

Add the root and apache2 users to this new group using usermod

 usermod -a -G wwwadmins root
 usermod -a -G wwwadmins apache2

Change the group owner on the file to the new group using chown

 chown :wwwadmins /root/whatever.file