You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

Issue

When running a php script using php-cli, what authorities need to be granted?

When running a script in a web browser, the default Apache user QTMHHTTP has authority to run scripts. Is there an easy way to insure that a user other than QTMHHTTP will have authority to run a script using php-cli?

Environment

Any version of Zend Server for IBM i running on any supported version of IBM i.

Resolution

Grant the user *RX permissions to directory /usr/local/zendsvr6 and all underlying directories. From the 5250 command line, signed on as QSECOFR:

Note

Replace PHPUSER in the following examples with the actual user profile you need to run 
the script via CLI.

For Zend Server 9 or higher:

CHGAUT OBJ('/usr/local/zendphp7') USER(PHPUSER) DTAAUT(*RX) SUBTREE(*ALL)

For Zend Server 6 through 8.5:

CHGAUT OBJ('/usr/local/zendsvr6') USER(PHPUSER) DTAAUT(*RX) SUBTREE(*ALL)

For Zend Server 5:

CHGAUT OBJ('/usr/local/zendsvr') USER(PHPUSER) DTAAUT(*RX) SUBTREE(*ALL)

The user will need to be able to write to the log files, so that messages do not display on the terminal or in a QPRINT spool file:

For Zend Server 9 or higher:

CHGAUT OBJ('/usr/local/zendphp7/var/log') USER(PHPUSER) DTAAUT(*RWX) SUBTREE(*ALL)

For Zend Server 6 through 8.5:

CHGAUT OBJ('/usr/local/zendsvr6/var/log') USER(PHPUSER) DTAAUT(*RWX) SUBTREE(*ALL)

For Zend Server 5:

CHGAUT OBJ('/usr/local/zendsvr/var/log') USER(PHPUSER) DTAAUT(*RWX) SUBTREE(*ALL)

Note: Security level 30 may also require the Object Alter authority

We have a report from a customer at Security Level 30 who found they needed to also set the object authority to alter the log files:

For Zend Server 9 or higher:

CHGAUT OBJ('/usr/local/zendphp7/var/log') USER(PHPUSER) DTAAUT(*RWX) OBJAUT(*OBJALTER) SUBTREE(*ALL)

For Zend Server 6 through 8.5:

CHGAUT OBJ('/usr/local/zendsvr6/var/log') USER(PHPUSER) DTAAUT(*RWX) OBJAUT(*OBJALTER) SUBTREE(*ALL)

For Zend Server 5:

CHGAUT OBJ('/usr/local/zendsvr/var/log') USER(PHPUSER) DTAAUT(*RWX) OBJAUT(*OBJALTER) SUBTREE(*ALL)

The user will also need *RX authority to the PHP scripts and other web content. For example, to grant permissions for the user to the default document root and all underlying directories:

For Zend Server 9 or higher:

CHGAUT OBJ('/www/zendphp7/htdocs') USER(PHPUSER) DTAAUT(*RX) SUBTREE(*ALL)

For Zend Server 6 through 8.5:

CHGAUT OBJ('/www/zendsvr6/htdocs') USER(PHPUSER) DTAAUT(*RX) SUBTREE(*ALL)

For Zend Server 5:

CHGAUT OBJ('/www/zendsvr/htdocs') USER(PHPUSER) DTAAUT(*RX) SUBTREE(*ALL)

Details

It can be more convenient to simply run the above commands for user *PUBLIC. This would allow any user successfully signed in with valid credentials to use PHP scripts run via php-cli. However, this is generally considered less secure than specifying allowed users individually.

Users with the *ALLOBJ special authority do not need to have permissions granted in order to run scripts using php-cli.  Sometimes a developer will not have any problem running scripts in php-cli, but will discover that the users in production are having permissions problems.  This is usually because the developer has *ALLOBJ special authority, while typical users in production do not.

  • No labels