Samba
PQR, 2015-02-18 13:17:27

How to properly mount cifs (ubuntu 14.04) with write access for nginx/php (www-data)?

I'm stuck in some kind of vicious circle; this is the second day I can't google the answer.
Given:

  • There is a network NAS based on some kind of Linux, which shares a folder as a Windows shared folder - write access for everyone
  • This network folder is perfectly visible and writable for Windows desktop clients
  • I am setting up Ubuntu Server 14.04, on which the web application will run under nginx + php-fpm - the most common setup, running under the www-data user

Challenge:
A PHP web application sometimes needs to create subfolders and files inside the same shared folder on the NAS. For example, writing files using file_put_contents.
On the other hand, I also want to have write access to this shared folder while sitting on the Ubuntu server via ssh under my user (I will sometimes manually run all sorts of scripts that will write there).
My attempts to solve it:
Attempt number 1:
I write the following line in /etc/fstab:
//192.168.20.115/filesfolders$ /mnt/filesfolder cifs user=guest,pass=,iocharset=utf8,dir_mode=0777,file_mode=0777,sec=lanman 0 0

Pay attention to the dir_mode=0777,file_mode=0777 options - every second answer on stackoverflow is about them, that it's worth adding them and everything will work by itself! (ha ha)
I mount: $ sudo mount -a
Let's check how it was mounted:
$ cat /etc/mtab
//192.168.20.115/filesfolders$ /mnt/filesfolder cifs rw 0 0

Let's see what rights the folder got:
$ ls -ld /mnt/filesfolder/
drwxrwxrwx+ 28 nobody nogroup 0 февр. 18 11:40 /mnt/filesfolder/

It seems that there is write access for everyone: drwxrwxrwx. Let's try to write a new file:
$ echo "hello" > /mnt/filesfolder/1.txt
-bash: /mnt/filesfolder/1.txt: Permission denied

But why?
Interestingly, the file itself was created, but it is empty:
$ ls -l /mnt/filesfolder/1.txt
-rwxr--r--+ 1 nobody nogroup 0 февр. 18 11:40 /mnt/filesfolder/1.txt

Let's check whether I can write files from the web application. I write a PHP script that will be launched when the page is opened:
<?php
file_put_contents('/mnt/filesfolder/test_from_php.txt', 'Hello from PHP');

Open 192.168.20.149/test.php in a browser (this is my ubuntu server running nginx+php-fpm where we are actually trying to mount) and get:
Warning: file_put_contents(/mnt/filesfolder/test_from_php.txt): failed to open stream: Permission denied in /usr/share/nginx/html/test.php on line 2

I.e., there is no write access from the script either :(
If we look in the console, we will find that the file has been created, only it is empty - I don't understand this at all
$ ls -l /mnt/filesfolder/test_from_php.txt
-rwxr--r--+ 1 nobody nogroup 0 февр. 18 11:56 /mnt/filesfolder/test_from_php.txt

Attempt number 2:
Googled, found out that you need to specify uid and gid when mounting cifs shares.
Let's try. First, let's find out my uid and gid.
$ whoami
ad
$ id ad
uid=1000(ad) gid=1000(ad) groups=1000(ad),4(adm),24(cdrom),27(sudo),30(dip),33(www-data),46(plugdev),112(lpadmin),113(sambashare)

Found out: I am the user ad and my primary group is ad
First unmount: $ sudo umount -l /mnt/filesfolder
Then change fstab: $ sudo nano /etc/fstab
//192.168.20.115/filesfolders$ /mnt/filesfolder cifs user=guest,pass=,iocharset=utf8,uid=ad,gid=ad,dir_mode=0777,file_mode=0777,sec=lanman 0 0

Mount again: $ sudo mount -a
Look at the folder:
$ ls -ld /mnt/filesfolder/
drwxrwxrwx+ 28 ad ad 0 февр. 18 11:56 /mnt/filesfolder/

Now the owner has become ad/ad (it used to be nobody/nogroup)
Writing a new file to the folder worked:
$ echo "hello" > /mnt/filesfolder/2.txt
$ ls -l /mnt/filesfolder/2.txt
-rwxr--r--+ 1 ad ad 6 февр. 18 12:05 /mnt/filesfolder/2.txt

Let's try our php script through the browser (I first delete the old empty test.txt using the windows machine):
Open the browser 192.168.20.149/test.php and see the old familiar message:
Warning: file_put_contents(/mnt/filesfolder/test_from_php.txt): failed to open stream: Permission denied in /usr/share/nginx/html/test.php on line 2

In this case, the test_from_php.txt file is created:
$ ls -l /mnt/filesfolder/test_from_php.txt
-rwxr--r--+ 1 ad ad 0 февр. 18 12:07 /mnt/filesfolder/test_from_php.txt

and now for some reason its owner is ad/ad
By the way, I should check that my nginx+php-fpm runs as www-data. For this I write this simple PHP script and open it in the browser:
<?php
print exec('whoami');

Displays text in the browser: www-data
It turns out that I can now write to this shared folder from the console, but my web application still cannot.
Attempt number 3:
Unmount, change fstab, specifying uid=www-data,gid=www-data, mount again, check:
$ ls -ld /mnt/filesfolder/
drwxrwxrwx+ 28 www-data www-data 0 февр. 18 12:07 /mnt/filesfolder/

We try to write the file through the console - again a failure (as in attempt number 1, but I don't understand why, because the folder's rights are drwxrwxrwx)
$ echo "hello" > /mnt/filesfolder/3.txt
-bash: /mnt/filesfolder/3.txt: Permission denied
$ ls -l /mnt/filesfolder/3.txt
-rwxr--r--+ 1 www-data www-data 0 февр. 18 12:15 /mnt/filesfolder/3.txt

But the php script through the browser will not show any errors and the test_from_php.txt file is written successfully!
$ ls -l /mnt/filesfolder/test_from_php.txt
-rwxr--r--+ 1 www-data www-data 14 февр. 18 12:16 /mnt/filesfolder/test_from_php.txt
$ cat /mnt/filesfolder/test_from_php.txt
Hello from PHP

Attention, the question is:
How can I mount a folder so that I can write to it from the console and from a web application that is under the www-data user?
And why, in the experiments above, do I have problems writing to a folder at all, if it looks like drwxrwxrwx - i.e. writable by all users of all groups?

2 answer(s)
PQR, 2015-02-18
@PQR

I read this manual linux.die.net/man/8/mount.cifs and added the noperm parameter to the mount options in /etc/fstab - suddenly both users got write access (my console user and the web server's www-data).
In total, the connection string in fstab looks like this:
//192.168.20.115/filesfolders$ /mnt/filesfolder cifs user=guest,pass=,iocharset=utf8,noperm,uid=www-data,gid=www-data,dir_mode=0777,file_mode=0777,sec=lanman 0 0
However, this does not remove the general questions for understanding: why do I see drwxrwxrwx rights for a directory, but in fact only the owner can write to it? Why are files still created, but empty, along with the permission denied messages (if there is no access, then the file should not exist at all, right?)
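
What the options in the fstab lines above mean for the security of the web server, as an added example that is not part of the original post: a POSIX shell check that flags noperm, a passwordless mount, sec=lanman and world-writable modes in a cifs entry. The function name audit_cifs_line and the HIGH/MEDIUM/ERROR labels are this example's own convention.

```sh
#!/bin/sh
# Added example (not from the original post): audit one cifs line of /etc/fstab.
# Severity labels are this example's own convention, not mount.cifs output.

audit_cifs_line() (             # subshell body: IFS and set -f changes stay local
    set -f                      # no globbing while word-splitting
    set -- $1                   # fields: device, mount point, type, options, dump, pass
    [ "${3:-}" = cifs ] || { echo "SKIP not a cifs entry"; exit 0; }
    opts=${4:-} dump=${5:-0}
    # The option list must be a single comma-separated word; a stray space
    # pushes the rest of the options into the numeric dump field.
    case $dump in
        *[!0-9]*) echo "ERROR whitespace inside option list near '$dump'"; exit 0 ;;
    esac
    IFS=,
    set -- $opts
    for o in "$@"; do
        case $o in
            noperm)
                echo "HIGH noperm: client-side permission checks are off, every local account gets what the server grants this mount" ;;
            guest|pass=|password=)
                echo "HIGH $o: share is mounted without a password" ;;
            sec=lanman)
                echo "HIGH sec=lanman: legacy LANMAN authentication" ;;
            file_mode=*|dir_mode=*)
                mode=${o#*=}
                case $mode in ''|*[!0-7]*) continue ;; esac
                # Bit 2 of the last octal digit is "write for others".
                # mount.cifs(8): these modes apply only when the server
                # does not support the CIFS Unix extensions.
                if [ $(( 0$mode & 2 )) -ne 0 ]; then
                    echo "MEDIUM $o: world-writable mode requested"
                fi ;;
        esac
    done
    exit 0
)
```

Feed it each cifs line of /etc/fstab; no output means none of these checks fired.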

mihmig, 2017-03-10
@mihmig

It worked for me with the following parameters:
You may have had some release of the cifs module with a bug.
