Bosse_B
Posts: 966
Joined: Thu Jan 30, 2014 9:53 am

Apache2 website permissions???

Tue Jan 28, 2020 10:18 am

I am setting up a configuration website on my RPi4 where I will host a web application through which the user can set up the system I am developing.

So far I have just worked on the code in a dir inside /home/pi and symlinked into /var/www/html/cgi-bin and seemingly it works.
My web app can send back webpages depending on posted data just fine.

But I also need to access some files (sqlite database for example) which need write permissions so I started googling for info on this.
Now I am all confused, because on most webpages I have found they talk about the webpages and dirs as having www-data as both owner and group.
But on the default setup I have on my RPi4 it is just root:root.

Does Apache2 run as root in Raspbian rather than as www-data?

The display of my webpages works OK but as soon as my web app needs to access the sqlite database file I get a website error displayed.
So how can I let the web app executed by Apache2 access the sqlite database located outside of /var/www and also how can I let my web apps log their activity to a log dir also outside of /var/www?

If I run the web app manually as user pi from inside the development area it can access the sqlite database file just fine and also log to the log dir I have created.

PS: Running on RPi4B 4GB RAM with a fully updated Raspbian Buster DS
Bo Berglund
Sweden

topguy
Posts: 6466
Joined: Tue Oct 09, 2012 11:46 am
Location: Trondheim, Norway

Re: Apache2 website permissions???

Tue Jan 28, 2020 11:24 am

"Does Apache2 run as root in Raspbian rather than as www-data?"
I'm quite sure it should use www-data unless configured otherwise.

The command "ps -ef" ( or "ps aux" ) will list all processes on your system and show which user runs them in the first column.

Bosse_B
Posts: 966
Joined: Thu Jan 30, 2014 9:53 am

Re: Apache2 website permissions???

Tue Jan 28, 2020 2:19 pm

"The command "ps -ef" ( or "ps aux" ) will list all processes on your system and show which user runs them in the first column."

pi@rpi4-gui:/var/www $ ps aux |grep apache2
root       557  0.0  0.4 191652 16964 ?        Ss   Jan27   0:03 /usr/sbin/apache2 -k start
www-data  3488  0.0  0.1 191996  6536 ?        S    00:00   0:00 /usr/sbin/apache2 -k start
www-data  3489  0.0  0.1 191988  6528 ?        S    00:00   0:00 /usr/sbin/apache2 -k start
www-data  3490  0.0  0.2 192188  9812 ?        S    00:00   0:00 /usr/sbin/apache2 -k start
www-data  3491  0.0  0.1 191988  6516 ?        S    00:00   0:00 /usr/sbin/apache2 -k start
www-data  3492  0.0  0.1 191996  6560 ?        S    00:00   0:00 /usr/sbin/apache2 -k start
www-data  4063  0.0  0.1 191996  6480 ?        S    00:35   0:00 /usr/sbin/apache2 -k start
www-data 11653  0.0  0.1 191676  4444 ?        S    08:33   0:00 /usr/sbin/apache2 -k start

So there is one apache2 process running as root and then 7 more running as www-data.
The files inside the default site look like this (there are more like those I show here):

-rw-r--r-- 1 root root 10701 Nov  9 00:28 index.html
-rw-r--r-- 1 root root    21 Nov 21 11:29 phptest.php

In the cgi-bin dir (symlinked from the pi home dir):

pi@rpi4-gui:/var/www $ ls -la html/cgi-bin/
total 1436
drwxr-xr-x 2 pi pi    4096 Jan 28 08:29 .
drwxr-xr-x 5 pi pi    4096 Jan 10 10:32 ..
-rwxr-xr-x 1 pi pi 1455632 Jan 28 00:41 getwebpage

This is my webapp binary, which works fine for rendering pages not needing data from the database, but errors out when it needs the sqlite access.
I found a thread at Askubuntu from May 2016 concerning file permissions in the Apache context.
But I have some difficulty following the arguments there...

But one piece of advice seems to be to NOT symlink from the home dir, instead copy the files over into a new dir /var/www/mysite and then change the file permissions/owner to fit.
My problem is that I have a different location for the database, it sits at something like /monitor/config/monitorctrl.db3 and everything there is owned by pi...
I also have a log dir there: /monitor/log/ where I want my software to log its activity.
The main application sits in /usr/local/bin and has its workspace in /monitor/tasks/

I probably need to set permissions/ownerships for all of this to something workable....
Bo Berglund
Sweden

knute
Posts: 550
Joined: Thu Oct 23, 2014 12:14 am
Location: Texas

Re: Apache2 website permissions???

Tue Jan 28, 2020 10:21 pm

The permissions for apache can drive you crazy. The thing to remember is that apache runs as www-data and needs to be able to read HTML files. They can be owned by anybody as long as they are readable by www-data. Usually this means world readable. The directory /var/www/html is owned by root and often when people create files in that directory they have them owned by root. They can also be owned by pi, which makes it easier to edit them but pi can't create files in that directory. So you will need to sudo to create them.

cgi files are normally kept in /usr/lib/cgi-bin and the apache module cgid sets /usr/lib/cgi-bin as the directory to search for cgi files when you specify your server/cgi-bin/some.cgi. Your cgi files need to be executable by www-data so you can either have them owned by root and executable by everybody or have them owned by www-data and only executable by www-data. I definitely wouldn't use a link to my home directory to store my cgi files nor would I put them in a sub-directory of /var/www/html.

Your cgi programs will make calls to your database manager as www-data. I think that should just work. The database manager will read and write your database files and I think that should just work as well. I don't see any reason for permission issues there but that isn't something I am very familiar with.
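
Added example, not part of any post in this thread: SQLite runs as a library inside the CGI process, so the account the Apache workers run as (www-data in the ps output above) needs search permission on every directory leading to the database, write permission on the directory holding it (SQLite creates its journal file there), and read/write permission on the file itself. The script checks those three conditions from owner, group and mode bits; the function names are made up for this example, and ACLs are not considered.

```shell
#!/bin/sh
# Added example (not from the thread). Judges access from owner, group and
# mode bits only; ACLs are ignored. Needs GNU stat, as shipped with Raspbian.

# perm_for USER PATH: print the rwx digit (0-7) that applies to USER on PATH
perm_for() {
    pf_uid=$(id -u "$1") || return 2
    pf_gids=$(id -G "$1") || return 2
    pf_st=$(stat -L -c '%u %g %a' "$2") || return 2
    set -- $pf_st                 # $1 = owner uid, $2 = group gid, $3 = octal mode
    if [ "$1" = "$pf_uid" ]; then echo $(( $3 / 100 % 10 )); return 0; fi
    for pf_g in $pf_gids; do
        if [ "$2" = "$pf_g" ]; then echo $(( $3 / 10 % 10 )); return 0; fi
    done
    echo $(( $3 % 10 ))
}

# check_sqlite_access USER /abs/path/to/db: list what blocks USER, return 0 if nothing does
check_sqlite_access() {
    case $2 in /*) ;; *) echo "give an absolute path"; return 2 ;; esac
    cs_user=$1; cs_db=$2; cs_bad=0
    cs_dir=$(dirname "$cs_db"); cs_p=$cs_dir
    # 1. every directory from the database's directory up to / must be searchable (x)
    while :; do
        cs_bits=$(perm_for "$cs_user" "$cs_p") || return 2
        if [ $(( cs_bits & 1 )) -eq 0 ]; then echo "no x on $cs_p"; cs_bad=1; fi
        if [ "$cs_p" = "/" ]; then break; fi
        cs_p=$(dirname "$cs_p")
    done
    # 2. SQLite creates its journal file next to the database, so the directory needs w
    cs_bits=$(perm_for "$cs_user" "$cs_dir") || return 2
    if [ $(( cs_bits & 2 )) -eq 0 ]; then echo "no w on directory $cs_dir"; cs_bad=1; fi
    # 3. the database file itself must be readable and writable
    cs_bits=$(perm_for "$cs_user" "$cs_db") || return 2
    if [ $(( cs_bits & 6 )) -ne 6 ]; then echo "no rw on file $cs_db"; cs_bad=1; fi
    return $cs_bad
}

# Example call with the database path from the thread (run with sudo so stat can read every level):
#   check_sqlite_access www-data /monitor/config/monitorctrl.db3
```

The same three conditions apply to the log directory, except that there only search and write permission on the directory matter until a log file exists.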

Bosse_B
Posts: 966
Joined: Thu Jan 30, 2014 9:53 am

Re: Apache2 website permissions???

Tue Jan 28, 2020 11:09 pm

Thanks!
I will go over the whole deployment plan tomorrow and make changes to file permissions then.
Hopefully it will work.

I also need to make notes for duplication purposes, hopefully I can build myself a deb package to simplify installation on new systems.
Bo Berglund
Sweden
