I'm working on a virtual machine project where I use two servers, let's call them server A and server B, both with Ubuntu 14.04 LTS installed.

Server A runs web server Apache2 with a website where users can order Virtual Private Servers. Once the order process of the user is complete, the user clicks on a button which instantiates the following command with the PHP exec() function.

ssh -p 22 [email protected] fallocate -l 2048M /home/john/images/guest.img 2>&1

This should create an image on server B where ultimately the user's Virtual Private Server is created. Running the previous command as user john works perfectly, but because the command is run via PHP, www-data is the user executing it.

As expected I get the following errors back:

array(3) {
  [0]=>
  string(36) "Permission denied, please try again."
  [1]=>
  string(36) "Permission denied, please try again."
  [2]=>
  string(39) "Permission denied (publickey,password)."
}

I know about the security risks of giving this user sudo rights to become a different user and execute the command as "john". So my question therefore is: is there any other way to do this operation without modifying www-data's permissions? I believe that SSH is the only way to create something on a remote server, or am I wrong?

I'm not going to run the website on server B to create these images locally, this is not what I want.

Is this script answered by this user worth trying? https://superuser.com/a/547577/514523

  • Just another question about that permission error - are you sure you are logged into the server? Can you see in the log that user john has logged in? How do you authenticate?
    – SPRBRN
    Commented Feb 2, 2016 at 20:14
  • Well, since the command is executed by www-data, it's that user that tries to ssh to server B. I get those permission denied errors because www-data does not have a password. If I log in with user john and execute that command, everything works fine.
    – Beeelze
    Commented Feb 3, 2016 at 8:26
  • So www-data cannot login to server B? But the login script uses 'john', not 'www-data'.
    – SPRBRN
    Commented Feb 3, 2016 at 11:33
  • I decided to create a cronjob that lets user 'john' ssh to server B. I haven't worked it out yet, but it will work for sure.
    – Beeelze
    Commented Feb 3, 2016 at 13:58
  • You could give www-data on server B a password to login, but I would not recommend it, with security in mind. So using 'john' is better.
    – SPRBRN
    Commented Feb 3, 2016 at 14:04
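
A least-privilege alternative to giving www-data sudo or a password, added here as an illustration and not code from the question or the answer: on server B, pin a dedicated key for www-data to a forced command in john's authorized_keys, so the only thing that key can do is run fallocate for a validated size and image name inside /home/john/images. The wrapper path, key file name, size limit and key material shown in the comments are assumptions.

```shell
#!/bin/sh
# Forced-command wrapper on server B (assumed path: /usr/local/bin/mkimage-only).
# Bind it to a key in /home/john/.ssh/authorized_keys on server B (assumed entry):
#   command="/usr/local/bin/mkimage-only",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA... www-data@serverA
# www-data on server A then runs (assumed key file):
#   ssh -i /var/www/.ssh/mkimage_key john@serverB fallocate -l 2048M /home/john/images/guest.img
# sshd ignores the client's command and runs this script; the request arrives in
# SSH_ORIGINAL_COMMAND and only the validated form is ever executed.

IMAGE_DIR=/home/john/images
MAX_MB=8192   # assumed upper bound on image size

# validate_request "<command string>"
# Accepts exactly: fallocate -l <N>M <IMAGE_DIR>/<name>.img
# Prints "<N> <name>" on success, returns 1 on anything else.
validate_request() {
    set -- $1                                   # split on whitespace, function-local
    [ "$#" -eq 4 ] || return 1
    [ "$1" = "fallocate" ] && [ "$2" = "-l" ] || return 1
    size=${3%M}                                 # strip the trailing unit
    case "$size" in
        ''|*[!0-9]*) return 1 ;;                # digits only
    esac
    [ "$size" -ge 1 ] && [ "$size" -le "$MAX_MB" ] || return 1
    case "$4" in
        "$IMAGE_DIR"/*) ;;                      # must live under the image directory
        *) return 1 ;;
    esac
    name=${4#"$IMAGE_DIR"/}
    case "$name" in
        *.img) ;;
        *) return 1 ;;
    esac
    base=${name%.img}
    case "$base" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;        # no '/', '.', spaces: blocks ../ and subdirs
    esac
    printf '%s %s\n' "$size" "$base"
}

main() {
    out=$(validate_request "$SSH_ORIGINAL_COMMAND") \
        || { echo "rejected: $SSH_ORIGINAL_COMMAND" >&2; exit 1; }
    set -- $out
    exec fallocate -l "${1}M" "$IMAGE_DIR/$2.img"   # rebuilt from validated parts only
}

# Only act when invoked by sshd as a forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    main
fi
```

Rejected requests are logged to stderr, which sshd forwards to the client, so a failed attempt from server A shows up as a one-line "rejected:" message.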

1 Answer


You should make www-data owner of /home/john/images, or add it to the john group while giving it proper write rights, or chmod that folder to 777.


Try this:

chmod 777 /home/john/images/

Then you give anyone rights to that folder, including www-data.

That may be too much, so if this works you can limit rights. You could add www-data to the john group:

groups www-data
groups john
usermod -aG john www-data

First you see to which groups www-data and john belong. Then you add www-data to the john group.

Now you have to limit the rights to that folder:

chmod 775 /home/john/images/
ls -al /home/john/images/

Now the user 'john' and all members of the group 'john' have write privileges.

  • This does not do anything because I still need to SSH to server B.
    – Beeelze
    Commented Feb 2, 2016 at 12:58
  • see my updated answer
    – SPRBRN
    Commented Feb 2, 2016 at 14:16
  • Btw: it's much easier if you don't use 'user' as a username. Use 'john' or whatever, so it's clear it's a person's name. The word 'user' has two meanings here, and that's confusing.
    – SPRBRN
    Commented Feb 2, 2016 at 14:19
  • I'm sorry, I didn't want to use my own name there, but I guess it doesn't matter that much hehe. I'll try what you suggest.
    – Beeelze
    Commented Feb 2, 2016 at 14:24
  • I added www-data to the 'john' group, and changed rights of the /home/john/images/ folder, but it does not have any effect. I think the problem lies in that www-data may not ssh to server B the way 'john' is able to.
    – Beeelze
    Commented Feb 2, 2016 at 15:54