CentOS下Apache的SELinux权限(上传图片后写入指定文件夹)
今天本来在写一个接口,上传图片,然后保存,数据库中记住路径,这样的一个任务
捣鼓了半天,上传图片代码写好了
- (void)uploadFile {
NSString *path = @"/Users/apple/Desktop/acc.png";
NSString *urlStr = @"http://www.cry.com/uploadFile.php";
NSMutableURLRequest *request = [[AFHTTPRequestSerializer serializer] multipartFormRequestWithMethod:@"POST" URLString:urlStr parameters:nil constructingBodyWithBlock:^(id<AFMultipartFormData> _Nonnull formData) {
NSError *error;
[formData appendPartWithFileURL:[NSURL fileURLWithPath:path] name:@"file" fileName:@"acc.png" mimeType:@"image/png" error:&error];
NSLog(@"%@",error);
} error:nil];
AFHTTPSessionManager *manager = [[AFHTTPSessionManager alloc] initWithSessionConfiguration:[NSURLSessionConfiguration defaultSessionConfiguration]];
NSURLSessionUploadTask *task = [manager uploadTaskWithStreamedRequest:request progress:^(NSProgress * _Nonnull uploadProgress) {
NSLog(@"%@",uploadProgress);
} completionHandler:^(NSURLResponse * _Nonnull response, id _Nullable responseObject, NSError * _Nullable error) {
NSLog(@"response: %@",response);
NSLog(@"responseobj: %@",responseObject);
NSLog(@"%@",responseObject[@"status"]);
NSLog(@"error: %@",error);
}];
[task resume];
}
虚拟机服务器的php代码也写了(简陋的代码),只是想试试传图片的流程
<?php
header("Content-Type:application/json");
/** * Created by PhpStorm. * User: apple * Date: 16/11/10 * Time: 上午9:45 */
$tmpfilename = $_FILES['file']['tmp_name'];
$name = $_FILES['file']['name'];
$path = "images/$name";
$json_arr ['newPath'] = $path;
if (is_uploaded_file($tmpfilename)) {
$json_arr["isULfile"] = "是上传文件";
} else {
$json_arr["isULfile"] = "不是上传文件";
}
$isSucc = move_uploaded_file($tmpfilename,$path);
if ($isSucc) { $json_arr["status"] = "上传成功";
} else {
$json_arr["status"] = "上传失败";
$json_arr["desc"] = $isSucc;
}
$json_arr += $_FILES;
echo json_encode($json_arr,JSON_PRETTY_PRINT);
?>
然而,后台服务器接受到了图片,临时文件已经有了
每次给我输出的都是
p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 11.0px Menlo}span.s1 {font-variant-ligatures: no-common-ligatures}
responseobj: {
file = {
error = 0;
name = "acc.png";
size = 707;
"tmp_name" = "/tmp/phpw095q1";
type = "image/png";
};
isULfile = "是上传文件";(php里的is_uploaded_file()函数)
newPath = "/var/www/cry.com/images/acc.png";(写入的路径)
status = "U4e0aU4f20U6210U529f";
}
2016-11-10 19:41:10.289 OC32[89155:5771018] 上传失败
status里的那串就是”上传失败”
然后我登入虚拟机,查看日志/var/log/httpd/error_log
,因为PHP就是以模块的形式集成在Apache上运行的,日志在httpd里(apache就是httpd)
Thu Nov 10 18:17:16.452810 2016] [:error] [pid 6019] [client 192.168.1.219:61588] PHP Warning: move_uploaded_file(/var/www/cry.com/images/acc.png): failed to open stream: Permission denied in /var/www/cry.com/uploadFile.php on line 21
Thu Nov 10 18:17:16.498295 2016] [:error] [pid 6019] [client 192.168.1.219:61588] PHP Warning: move_uploaded_file(): Unable to move '/tmp/phpj5KtFB' to '/var/www/cry.com/images/acc.png' in /var/www/cry.com/uploadFile.php on line 21
???Permission denied
???,这是没权限的意思吗
查看了很多,什么chown
修改,chmod 777
修改,各种权限,都还是上传失败
.
最后发现是SELinux
在搞鬼
SELinux 更能遵从最小权限的理念。在缺省的 enforcing
情况下,一切均被拒绝,接着有一系列例外的政策来允许系统的每个元素(服务、程序、用户)运作时所需的访问权。当一项服务、程序或用户尝试访问或修改一个它不须用的文件或资源时,它的请求会遭拒绝,而这个行动会被记录下来
所以,我们可以在/etc/selinux/config
修改SELinux配置,关掉它
但是,肯定还有别的方法
看到有段文字说所有进程及文件都拥有一个 SELinux 的安全性脉络
,可以用ls -Z
查看
-rwxr-xr-x. apache apache system_u:object_r:httpd_sys_content_t:s0 uploadFile.php
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 images
httpd_sys_content_t
这是apache的权限角色
虽然英文一般,但是看到了关键字wirete to those path
http://newscentral.exsees.com/item/5b6cccab6ed05ce053bc09f70dc9386e-99c0b81ebd43e7b6848a00939f39b855 里面博主说
sudo chcon -R -t httpd_sys_rw_content_t /var/www/cry.com/images
把我准备写入的文件夹的权限角色从httpd_sys_content_t
改成httpd_sys_rw_content_t
run~
就这样,看起来好像解决了
参考:
http://newscentral.exsees.com/item/5b6cccab6ed05ce053bc09f70dc9386e-99c0b81ebd43e7b6848a00939f39b855
有更好的方法,可以留言~